
Firefox extensions

Feed Sidebar Firefox Extension - Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+

WizzRSS Firefox Extension - Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Firefox 3.0 security bug: Extensions can STILL hide themselves

Firefox are extensions. You can use them to create things inside your browser
which are beyond your imagination.

Overview
--------
Every Firefox extension developer knows the 'hidden' property of the 'install
manifest'. This property can be used to hide _globally_ installed extensions, but
it can't hide local extensions (this is a design feature so that extensions
installed by users can't be hidden). But there is another way to make an extension
hidden..


ScribeFire Firefox Extension - Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Setting arbitrary Personas without user interaction in Firefox 3.6

2. DETAILS

2.1. Behavior

The ability to install or preview Personas is controlled by the same Allowed
Sites whitelist as for installing Firefox extensions. However, contrary to the
extensions installation process, setting Personas does *not* require the user's
explicit agreement (for example the post-upgrade "firstrun" page previews
featured Personas on hover). To give users control of the currently set
Persona, Firefox displays an information bar with "Undo" and "Manage Themes"
buttons upon any Persona-related action (preview or installation).

Security-Assessment.com WhitePaper/Addendum: Cross Context Scripting with Firefox & Exploiting Cross Context Scripting vulnerabilities in Firefox

                presents..

Hi there,

For the last year, we have been focusing on 
Firefox Extension security and we have now
released a research paper and an addendum
on the topic of Cross Context Scripting (XCS).

The research paper "Cross Context Scripting 
with Firefox" demonstrates different ways of 

EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

        - Tim Burrell & Peter Beck,  Microsoft
Malware Case Study: the ZeuS evolution 
        - Vicente Diaz, S21Sec
Writing better XSS payloads 
        - Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions 
        - Roberto Suggi Liverani & Nick Freeman,  Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited 
        - Adrian Pastor,  Gnucitizen, Corsaire
Advanced SQL Injection to operating system control 
        - Bernardo Damele Assumpcao Guimaraes, Portcullis

CoolPreviews - Firefox Extension - Chrome Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Yoono Firefox Extension - Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Update Scanner - Firefox Extension - Chrome Privileged Code Injection

browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.


+--------+
|Solution|
+--------+



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
