With the rise of online schooling, teachers need to ensure students cannot cheat during tests. One way to prevent cheating on tests is the Proctorio Chrome extension, which can view internet traffic, alter the page and do many other things.
The extension inspects the browser's web traffic. Depending on the paths configured by the administrator, it will inject content into the scripts of the page. Once a test has started, a toolbar is added with a number of buttons, such as a calculator.
When the = button is pressed, the calculator computes the result by calling the JavaScript eval() function. Since the input is never checked to be a mathematical expression, we have XSS within the context of the Chrome extension.
XSS is a bad vulnerability to find. In the context of a browser extension, where it can always be triggered, this turns into universal cross-site scripting. By sending a URL that matches the demo mode for the Chrome extension, the calculator can be called in order to get XSS in the extension.
The extension content script does not have the full permissions of the extension, but major damage can still be done. Using XSS, a request can be made that bypasses the same-origin policy to return arbitrary data. For instance, an attacker could steal emails from an inbox or anything else on any website that is visited. Damn, that is a real bad bug!