[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security-Assessment.com WhitePaper/Addendum: Cross Context Scripting with Firefox & Exploiting Cross Context Scripting vulnerabilities in Firefox

   (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq 


Hi there,

For the last year, we have been focusing on 
Firefox Extension security and we have now
released a research paper and an addendum
on the topic of Cross Context Scripting (XCS).

The research paper "Cross Context Scripting 
with Firefox" demonstrates different ways of 
attacking Firefox extensions via Cross 
Context Scripting (XCS) vulnerabilities. 
Several XCS cases are detailed, including 
vulnerable extension code and exploit.

Cross Context Scripting with Firefox - Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf

The addendum "Exploiting Cross Context 
Scripting vulnerabilities in Firefox" 
includes a number of exploits tailored 
for Cross Context Scripting vulnerabilities.

Exploiting Cross Context Scripting vulnerabilities in Firefox - Nick Freeman, Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf


Cross Context Scripting (XCS) is a term coined 
for a browser based content injection in the 
Firefox chrome zone. This term was originally 
used by researcher Petro D. Petkov (pdp), when 
David Kierznowski found a vulnerability in the 
Sage RSS Reader Firefox extension .
XCS injection occurs between different 
security zones, an untrusted and a trusted 

This paper details several XCS cases. XCS 
attacks may be possible due to a lack of 
input filtering controls for example. 
However, other components may be vulnerable as 
well, including wrappers, XPCOM components, XUL 
overlays, the browser sandbox and DOM events.

This paper can be seen as complimentary to the 
presentations given at EUSecWest 2009 , DEFCON 17
and SecurityByte & OWASP AppSec Asia 2009  
security conferences.


Special thanks go to Paul Craig, kuza55 and
Stefano Di Paola for their invaluable feedback.

|About Security-Assessment.com|

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United

Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780