Security: Smuggle arbitrary CSS inside cosmetic uBlock filters #1806
Description
Prerequisites
- I verified that this is not a filter issue (MUST be reported at filter issue tracker)
- This is not a support issue or a question
- I performed a cursory search of the issue tracker to avoid opening a duplicate issue
- The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
- I checked the documentation to understand that the issue I report is not a normal behavior
I tried to reproduce the issue when...
- uBO is the only extension
- uBO with default lists/settings
- using a new, unmodified browser profile
Description
uBlock origin allows you to use cosmetic filters to change content on the page. It allows some CSS but disallows making requests such as using background:url(). I've found a way to bypass these restrictions and execute arbitrary CSS:
*#$#* /* { font-family: ' background-color:red;'; }
*#$#* /*/ {background:url(https://hackvertor.co.uk/images/logo.gif)} */ { font-family: ' background-color:red;'; }
A specific URL where the issue occurs
Steps to Reproduce
- Go to my filters and add the following rule:
*#$#* /* { font-family: ' background-color:red;'; }
*#$#* /*/ {background:url(https://hackvertor.co.uk/images/logo.gif)} */ { font-family: ' background-color:red;'; }
- Visit https://portswigger-labs.net or any website and you should see that the background image has changed for every element.
Expected behavior
You should not be allowed to make background requests inside cosmetic filters
Actual behavior
The background url request is made.
uBlock Origin version
1.38.7b15
Browser name and version
Chrome 95.0.4638.69
Operating System and version
MacOS 10.15.7