[Greasemonkey] Alternative script injection technique proof of concept

Aaron Boodman zboogs at gmail.com
Thu Jul 21 01:51:32 EDT 2005


> Let me know what you think ... does this resolve the "major" security
> issue? Or is there some other way the GM_ functions can be retrieved by
> a malicious script?

It's really hard because it's possible for JavaScript to change
basically anything about itself. So you have two systems talking to
each other that are using words that they aren't even sure haven't
been redefined since they learned them.

Let us say that a user script uses document.getElementById.

Content could do something like this to retrieve a ref to it in 0.3.3:

document.getElementById = function() {
  // Start from the function that called us and walk up the caller chain
  // (non-standard arguments.callee.caller / Function.caller, which
  // 2005-era Firefox exposed to sloppy-mode code).
  var scope = arguments.callee.caller;

  while (scope) {
    for (var i = 0; i < scope.arguments.length; i++) {
      // Identify the privileged function by its source text. toString()
      // yields "function GM_xmlhttpRequest(...) { ... }", so match anywhere
      // in the string rather than only at offset 0.
      if (String(scope.arguments[i]).indexOf("GM_xmlhttpRequest") != -1) {
        return scope.arguments[i];
      }
    }
    scope = scope.caller;
  }
}

Oh, and wrt your idea about unwatch. Content can just do:

window.unwatch = function(){}

So yeah. Hard :-).

-- 
Aaron
