Neurohazard
Our democracy have been h4ck3d.

Chrome 插件编写 101 – 检测页面是否使用了 localStorage

wpadmin~April 6, 2019 /InfoSec

Chrome 插件编写 101

需求说明

判断当前访问的页面是否存在 localStorage, 如果存在则使用 alert 告警。

目的: 某些 localStorage 的数据会被引入到 DOM, 引起 DOM 型 XSS。 另一方面,少数研发可能会将身份校验等敏感信息存储在 localStorage 中。

参考资料
https://www.cnblogs.com/liuxianan/p/chrome-plugin-develop.html

https://github.com/sxei/chrome-plugin-demo

后续工作

整合 xssSniper
https://0kee.360.cn/domXss/

代码

项目路径 pydev\chrome-plugin-demo\local-storage-notifier

content-script.js

(function() {

    // 参考资料
    // https://www.cnblogs.com/liuxianan/p/chrome-plugin-develop.html
    // https://github.com/sxei/chrome-plugin-demo

    // 清空 chrome 中的 localStorage
    // chrome://setting 
    // 搜索 clear

    console.log('[PentestMATE] loading successfully!')

    if (localStorage.length > 0) {
        console.log("[PentestMATE] check localStorage.\nDelTools > Application > localStorage")

        // 为了防止 同源策略 下的网站重复弹窗
        // 如果成功检测后,会在 localStorage 中添加一个标记 PentestMATE_localStorage_FLAG
        // 如果检测到改标记就不会重复告警
        if (localStorage.getItem('PentestMATE_localStorage_FLAG') === null) {
            alert("[PentestMATE] check localStorage.\nDelTools > Application > localStorage")
            localStorage.setItem('PentestMATE_localStorage_FLAG', 1)
        }
    }

    if (sessionStorage.length > 0) {
        // alert("[PentestMATE] check sessionStorage.\nDelTools > Application > sessionStorage")
        console.log("[PentestMATE] check sessionStorage.\nDelTools > Application > sessionStorage")
    }

    console.log('[PentestMATE] detection end!')

})();

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.