[Vulnerability] DOM intrusion by Browser Extensions
Root Cause
- DOM documents are exposed to browser extensions
Notes
- Intrusive browser extensions must be disabled
- Browser extensions can still "READ" the DOM, including USER PASSWORDS
Fix
- Mark nodes as parsed or mutated on API calls
  - `Node.appendChild(newNode)`
  - `Node.replaceChild(newNode, oldNode)`
  - `Node.insertBefore(newNode, referenceNode)`
  - `Element.innerHTML`
- Check mutations and detect DOM intrusion from outside of the application
- Hang up on DOM intrusion detection, as the intrusion has already become effective and there is no way of cancelling it
- Show an alert message before hanging up
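As an added example (not the project's own hook code), the fix above in working form: the insertion APIs and the `innerHTML` setter are wrapped so application-originated nodes carry a `Symbol.for('parsed')` mark, and a `MutationObserver` alerts and hangs the page on any inserted node without it. Extension content scripts run in an isolated world with their own prototype objects, so their insertions bypass the wrappers and arrive unmarked; `installDomIntrusionGuard`, `unauthorizedNodes` and the busy-loop hang are assumed names and behaviour, not the project's.

```javascript
// Added example (not the project's code): mark nodes created through the
// wrapped DOM APIs, then treat any inserted node without the mark as an
// intrusion from outside the application (e.g. a browser extension).
const PARSED = Symbol.for('parsed');

// Mark a node and all of its descendants as application-originated.
function markTree(node) {
  node[PARSED] = true;
  for (const child of node.childNodes || []) markTree(child);
  return node;
}

// Return the added nodes of a MutationRecord that carry no mark. Works on
// plain objects shaped like MutationRecord, so it is testable outside a browser.
function unauthorizedNodes(record) {
  if (record.type !== 'childList') return [];
  return Array.from(record.addedNodes).filter((n) => !n[PARSED]);
}

// Wire the guard into a window: wrap the insertion APIs so nodes inserted by
// the application are marked before the observer sees them, then hang on intrusion.
function installDomIntrusionGuard(win, message = 'Blocked on Browser Extensions') {
  const { Node, Element, MutationObserver } = win;
  for (const name of ['appendChild', 'replaceChild', 'insertBefore']) {
    const original = Node.prototype[name];
    Node.prototype[name] = function (newNode, ...rest) {
      markTree(newNode);
      return original.call(this, newNode, ...rest);
    };
  }
  const desc = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML');
  Object.defineProperty(Element.prototype, 'innerHTML', {
    ...desc,
    set(value) {
      desc.set.call(this, value);
      markTree(this); // subtree produced by the parser is application-originated
    },
  });
  markTree(win.document); // existing parsed DOM (mark-parsed.js does this at body end)
  const observer = new MutationObserver((records) => {
    if (records.some((r) => unauthorizedNodes(r).length > 0)) {
      win.alert(message); // the intrusion is already effective; nothing can cancel it
      for (;;) {} // hang up, as the fix describes (assumed behaviour)
    }
  });
  observer.observe(win.document, { childList: true, subtree: true });
  return observer;
}

if (typeof window !== 'undefined') installDomIntrusionGuard(window);
```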
README
diff --git a/README.md b/README.md
index bdea2701..c6dfed30 100644
--- a/README.md+++ b/README.md@@ -1087,6 +1087,9 @@ To achieve this, the static entry HTML has to be __Encoded__ at build time by `h
- `hook.parameters.mutationObserver = new MutationObserver(observerCallback);` - `MutationObserver` object set in `demo/hook-callback.js`
- `hook.parameters.mutationObserverConfig = { childList: true, subtree: true, attributes: true, attributeOldValue: true, characterData: true, characterDataOldValue: true, };` - Configuration options for `hook.parameters.mutationObserver.observe(options)` set in `demo/hook-callback.js`
- Note: They are used in the wrapped `Node.attachShadow()` to track mutations in every shadow DOM as well as for all document objects of windows and frames
+ - Tracker Callback+ - `hook.parameters.innerHTMLTracker = function (node, value, processed) {}`: Set in `demo/hook-callback.js` for mutation detection+ - Track each `Element.innerHTML` operation before performing it
- register as Service Worker
- `Service-Worker-Allowed` HTTP response header must have an appropriate scope for the target application
- `cors=true` parameter: CORS script, e.g., `<script src="https://cross.origin.host/path/script.js?cors=true"></script>`
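Review bot: the new `hook.parameters.innerHTMLTracker = function (node, value, processed) {}` entry in this hunk leaves the `processed` argument and the callback's return value undocumented; since the line says the tracker runs "before performing" each `Element.innerHTML` operation, state whether `processed` is the already-processed HTML string and whether returning a value can alter or veto the assignment, so integrators know what the hook can and cannot do.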
@@ -1237,8 +1240,10 @@ To achieve this, the static entry HTML has to be __Encoded__ at build time by `h
- `Stack` class object is a brancheable linked list with `push/pop` operations
- The branching feature of `Stack` is not utilized for now
- Call `hook.hookCallbackCompatibilityTest()`
- - Attach MutationObserver to audit URLs in DOM mutations+ - Attach MutationObserver to audit URLs and elements in DOM mutations
- Block `blob:` URLs except for downloading to local files
+ - Block unauthorized DOM mutations suspectedly from browser extensions+ - On detection, an alert message **Blocked on Browser Extensions** is shown and the application hangs up
- Hook global objects
- Via
- `hooked = hook[name](Symbol.for('__hook__'), [[name, { random: name === 'Node' }]], 'method')`
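Review bot: "suspectedly from browser extensions" in the added `Block unauthorized DOM mutations` line is not idiomatic and "Block" overstates what happens; the next line says the application hangs up after the alert, which matches the issue's note that the mutation is already effective and cannot be cancelled. Suggest "Detect unauthorized DOM mutations, suspected to originate from browser extensions" so readers do not expect the mutation itself to be reverted.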
@@ -1271,6 +1276,9 @@ To achieve this, the static entry HTML has to be __Encoded__ at build time by `h
- For MutationObserver
- `hook.parameters.mutationObserver = new MutationObserver(observerCallback);` - `MutationObserver` object set in `demo/hook-callback.js`
- `hook.parameters.mutationObserverConfig = { childList: true, subtree: true, attributes: true, attributeOldValue: true, characterData: true, characterDataOldValue: true, };` - Configuration options for `hook.parameters.mutationObserver.observe(options)` set in `demo/hook-callback.js`
+ - `hook.parameters.innerHTMLTracker = function (node, value, processed) {}` - Tracker callback to detect coming DOM mutations from setting `Element.innerHTML`+ - `const detectDOMIntrusion = true;` - Use `true` to detect DOM intrusion+ - `const messagesOnUnauthorizedMutation = { en: 'Blocked on Browser Extensions' };` - Alert messages on DOM intrusion detection, indexed for `navigator.language`
- For global object access
- `const enableDebugging = false`: Use `true` to enable debugging by disabling forced redirection to `about:blank` on prohibited global object access
- `const wildcardWhitelist`: `Array` of `RegExp` for Chrome browser's `new Error().stack` format
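Review bot: `messagesOnUnauthorizedMutation = { en: 'Blocked on Browser Extensions' }` is described as indexed for `navigator.language`, but that value is typically a full tag such as `en-US` rather than `en`, and the hunk does not say whether the primary subtag is stripped or what message is shown for a language missing from the map; document the lookup rule and the fallback so the alert is never empty.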
@@ -1336,6 +1344,13 @@ To achieve this, the static entry HTML has to be __Encoded__ at build time by `h
- `contextStack` operations are relatively lightweight without performance degradation on deep call stack
- If local alias objects are defined, the corresponding global object access is performed only once per object, whose overheads are insignificant
+### `<script src="mark-parsed.js?no-hook=true"></script>`++- Features+ - Mark the parsed elements in DOM with `node[Symbol.for('parsed')] = true` at the end of HTML body to filter out valid DOM mutations from from invalid ones+- Configurations+ - Insert the script at the end of the entry page HTML body+
## Server-side Components
Server-side scripts and components configured for the demo but fully customizable for the target application
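Review bot: "from from" is duplicated in the `mark-parsed.js` feature line. More substantively, the section should state that marking happens once, at the end of the HTML body, so nodes the parser inserts after that point (or nodes added before the observer in `hook-callback.js` starts) are outside the scheme; readers placing the script elsewhere than the documented position will otherwise see spurious detections.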
ToDos
- Detect element removals via DOM intrusion
- Detect non-URL attribute mutations via DOM intrusion