
I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 3 comments
megous No.20028564
Another approach is to create a useful extension like:

  https://addons.mozilla.org/en-US/firefox/addon/yt-adblock/reviews/
disguise that you're inserting an iframe linking to your web server into every single page the user opens, by naming variables and your tracking domain misleadingly and by waiting for an hour after installation (this may also help avoid the automatic tests Mozilla is doing), and then just sit back and wait and log all the referers and IP addresses. It's a bit stealthier too, but needs users to visit their local web servers. But you'll also get the full URL.

Nobody will report you or care about the report, and users are banned from fixing the extension code locally even if they're able to review it themselves. Bad reviews with some actual text fade away quickly, so if someone warns your other users, it will be pushed out to page 2 after a while by other useful one-word or just empty reviews, and it will work out.

1. kapep No.20029949
Is there any way to get the source code of extensions from the Mozilla web site? I think some years ago you could look at the code in your browser from a link in the version history but I don't see any links at all now.
2. farukuzun No.20030055
I'm using this extension for it: https://addons.mozilla.org/en-US/firefox/addon/crxviewer/
3. megous No.20031791
Right-click the "Add to Firefox" button and use "Save as...". This will get you an xpi file which you can unzip and inspect.

Many addons use some packing method and bundle all kinds of stuff into their content scripts (jQuery, etc.). It can be hard to review.

Some addons are quite horrifying (you see stuff like `<span ...>${someText}</span>`) (missing escaping, etc.). I'm quite sure there are some content scripts out there that have XSS issues that can be triggered from the page itself. This is great on pages like GitHub, where there are quanta of user-controlled content.

So if you want a suggestion for a clever attack:

1] Make an extension for Facebook or Twitter or GitHub that reorganizes the wall somewhat and make a `mistake` like assigning some user-controlled content via innerHTML. This will probably pass review.

2] Suggest your addon to your target.

3] Post your payload as a message/tweet/whatever to your target. Now you have extension assisted XSS.

Pretty easy to add XSS to any page, with plausible deniability.
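The innerHTML mistake discussed in this comment, shown beside an escaped form, plus a small reviewer check for spotting such sinks in an unzipped xpi's content scripts. This is an added example, not code from the thread; the payload string and the content-script fragment are constructed.

```javascript
// Added example (not from the thread). Demonstrates the content-script bug
// the comment describes: user-controlled text spliced into an HTML string that
// is assigned via innerHTML, the escaped alternative, and a quick reviewer
// scan that flags innerHTML assignments built from template literals or
// string concatenation in extension source pulled out of an xpi.

// Vulnerable: markup in someText is interpreted by the browser.
function renderUnsafe(someText) {
  return `<span class="post">${someText}</span>`;
}

// Escape the five characters that can alter HTML structure or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same markup, but the user-controlled part is inert text.
function renderSafe(someText) {
  return `<span class="post">${escapeHtml(someText)}</span>`;
}

// Reviewer check: return 1-based line numbers where innerHTML is assigned
// (= or +=) from a template literal or a concatenation. These are candidates
// to audit, not proof of a bug.
function findInnerHtmlSinks(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (/\.innerHTML\s*\+?=\s*(`|.*\+)/.test(line)) {
      hits.push({ line: i + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample post body containing attacker-controlled markup.
const payload = '<img src=x onerror="console.log(\'xss\')">';

// Constructed content-script fragment, as you might find after unzipping.
const sampleContentScript = [
  "const wall = document.querySelector('#wall');",
  "for (const post of posts) {",
  "  wall.innerHTML += `<span class=\"post\">${post.text}</span>`;",
  "  const el = document.createElement('span');",
  "  el.textContent = post.text; // safe: browser does not parse this as HTML",
  "}",
].join("\n");
```

In a real review, run `findInnerHtmlSinks` over each script in the unzipped xpi and then trace where the interpolated values originate.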