//
// This is the persistent background script, it keeps global state for the extension
//
// Taint marker shared with the content script. The webRequest handlers in this
// file search for this exact value, so both copies must stay identical.
const taintString = "t4inT3d";

// Toolbar button: tell the content script in the clicked tab to scan the page.
// (Opening the options page from this handler is currently disabled.)
chrome.browserAction.onClicked.addListener((tab) => {
  const scanRequest = { op: "scanPage" };
  chrome.tabs.sendMessage(tab.id, scanRequest);
});
// Warning bookkeeping shared by the handlers in this background page.
// These stay `var` so they remain properties of the background window.
var warningCounter = 0; // warnings counted since the last main-frame navigation
var warningsAtLAstNotification = 0; // counter value when the last notification was shown
var muteNotifications = false; // user option; a truthy value suppresses notifications

// Read the stored option once at start-up...
chrome.storage.local.get(["muteNotifications"], (stored) => {
  muteNotifications = stored.muteNotifications;
});

// ...and follow later changes. `namespace` is not checked, so a change to this
// key in any storage area is applied.
chrome.storage.onChanged.addListener((changes, namespace) => {
  const optionChange = changes.muteNotifications;
  if (!optionChange) {
    return;
  }
  muteNotifications = optionChange.newValue;
});
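// Count warnings reported through runtime messages (sent by the content script,
// per the original comment) and show the running total on the toolbar badge.
//
// The message body is produced inside web pages the extension inspects, so it
// is treated as untrusted: `req` may be missing or have an unexpected shape.
// The counter and the badge are global; neither is keyed by sender.tab.
chrome.runtime.onMessage.addListener(function (req, sender, sendResponse) {
  if (req != null && req.op === "addWarning") {
    console.log(req.message);
    warningCounter++;
    chrome.browserAction.setBadgeText({ text: warningCounter.toString() });
  }
  // This handler never calls sendResponse(). Returning true would announce an
  // asynchronous reply and keep the message channel open for a response that
  // never arrives, so report that no response is pending.
  return false;
});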
// A main-frame navigation (frameId 0) starts a fresh page: zero both counters
// and clear the badge. details.tabId is not consulted, so a main-frame
// navigation in any tab resets the shared state.
chrome.webNavigation.onBeforeNavigate.addListener((details) => {
  const isMainFrame = details.frameId === 0;
  if (!isMainFrame) {
    return;
  }
  warningCounter = 0;
  warningsAtLAstNotification = 0;
  chrome.browserAction.setBadgeText({ text: "" });
});
/**
 * Raise one desktop notification when warnings have been counted since the
 * previous notification and the user has not muted them. Records the counter
 * value afterwards so the same warnings are not announced twice.
 */
function showNotifications() {
  const hasNewWarnings = warningsAtLAstNotification < warningCounter;
  if (muteNotifications || !hasNewWarnings) {
    return;
  }

  const plural = warningCounter > 1 ? "s" : "";
  const notification = {
    type: "basic",
    title: "Taint Testing Tool",
    message: `Page has triggered ${warningCounter} warning${plural}!\nSee the JavaScript console for more info.`,
    iconUrl: "images/injection128.png",
  };
  chrome.notifications.create("", notification);

  warningsAtLAstNotification = warningCounter;
}
// Two triggers for the notification check: a one-second poll picks up warnings
// counted after the page has loaded, and the navigation-completed event covers
// the load itself.
window.setInterval(showNotifications, 1000);
chrome.webNavigation.onCompleted.addListener(showNotifications);
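//
// Intercept outgoing requests so the taint marker is not sent to servers.
//
// Request headers: any header value containing the marker is cut off at the
// marker, so the marker and everything after it are dropped.
//
// NOTE(review): from Chrome 72 on, some request headers (Referer and Cookie
// among them) are only passed to this listener when "extraHeaders" is also in
// the extraInfoSpec. Confirm against the targeted browsers whether a marker in
// those headers can still reach the server.
chrome.webRequest.onBeforeSendHeaders.addListener(
  function (details) {
    for (const header of details.requestHeaders) {
      // A header may carry `binaryValue` instead of `value`; there is no
      // string to search then, and calling indexOf on undefined would throw
      // inside this blocking handler.
      if (typeof header.value !== "string") {
        continue;
      }
      const pos = header.value.indexOf(taintString);
      if (pos !== -1) {
        header.value = header.value.substring(0, pos);
      }
    }
    return { requestHeaders: details.requestHeaders };
  },
  { urls: ["http://*/*", "https://*/*"] },
  ["blocking", "requestHeaders"]
);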
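// Request URLs: keep the taint marker out of the URL that reaches the server.
//
//   * marker in the hostname           -> redirect to the bundled /oops.js
//   * "<marker>.path" at path index 0-2 -> drop everything up to and including it
//   * "<marker>.path" deeper in the path -> cancel the request
//   * marker in a query key             -> drop that parameter
//   * marker in a query value           -> cut the value at the marker; drop the
//                                          parameter if nothing is left
//
// A URL that carries no marker is passed through untouched. Only details.url
// is inspected here: request bodies are not examined, and the path and query
// checks are case-sensitive.
chrome.webRequest.onBeforeRequest.addListener(
  function (details) {
    const url = new URL(details.url);

    // Tainted origin. The URL parser lower-cases hostnames, so this check has
    // to ignore case.
    if (url.hostname.toLowerCase().includes(taintString.toLowerCase())) {
      const oopsUrl = chrome.runtime.getURL("/oops.js");
      console.log("Redirecting " + url + " => " + oopsUrl);
      return { redirectUrl: oopsUrl };
    }

    // Tainted path.
    const pathMarker = taintString + ".path";
    const pathIndex = url.pathname.indexOf(pathMarker);
    if (pathIndex > 2) {
      // can't clean, cancel navigation
      console.log("Cancelled navigation to " + details.url);
      return { cancel: true };
    }
    let changed = false;
    if (pathIndex > -1) {
      url.pathname = url.pathname.substring(pathIndex + pathMarker.length);
      changed = true;
    }

    // Tainted query parameters. searchParams yields *decoded* keys and values,
    // so the cleaned query is serialised through URLSearchParams, which
    // re-encodes them. Joining the decoded strings by hand would let a decoded
    // "&", "=", "+" or "%" change the meaning of parameters that carry no taint.
    const cleanedParams = new URLSearchParams();
    let queryTainted = false;
    for (const [key, value] of url.searchParams) {
      if (key.includes(taintString)) {
        queryTainted = true;
        continue;
      }
      const pos = value.indexOf(taintString);
      if (pos === -1) {
        cleanedParams.append(key, value);
        continue;
      }
      queryTainted = true;
      const kept = value.substring(0, pos);
      if (kept.length > 0) {
        cleanedParams.append(key, kept);
      }
    }
    // Rewrite the query only when something was removed, so untainted requests
    // keep their original encoding and are never redirected.
    if (queryTainted) {
      url.search = cleanedParams.toString();
      changed = true;
    }

    // don't redirect to same url
    if (!changed || url.href === details.url) {
      return {};
    }
    return { redirectUrl: url.href };
  },
  { urls: ["http://*/*", "https://*/*"] },
  ["blocking"]
);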