NoScript is a plugin for Firefox that blocks JavaScript from executing on sites you haven't manually trusted. This prevents XSS, clickjacking and similar attacks. It's widely known and recognized in the security community and has over 2 million downloads on the Mozilla Add-ons site.
Yesterday I stumbled upon an article about a bypass for NoScript. The author had discovered that one of the domains whitelisted/trusted by default in NoScript wasn't registered. He simply paid the $10 it cost to register the domain, pointed it at his own server and was able to bypass NoScript.
While this in itself is cool, what really got my attention was his remark that subdomains of whitelisted domains are also whitelisted: if x.com is whitelisted, so is y.x.com. This was new information to me and something I wanted to act on.
The bypass
I installed the plugin in Firefox and exported the list of default domains. My first thought was to look for an interesting subdomain of any of these domains, such as an old, forgotten subdomain still pointing to a service online.
But when reading through the list I saw googleapis.com among the whitelisted domains. Since all subdomains are whitelisted too, I realised storage.googleapis.com would work just fine. See where this is heading?
storage.googleapis.com is the domain your files are hosted at when you use Google Cloud Storage. I shared my idea with Mathias Karlsson, who immediately registered an account, uploaded an HTML file and confirmed my thoughts.
The file, just containing the code below, is hosted here:
https://storage.googleapis.com/zulln/alert.htm
<script>alert(1)</script>
Just by visiting the file, JavaScript will execute even if NoScript with its default configuration is installed. As Google offers a 60-day trial of Google Cloud Storage, this bypass was also around $10 cheaper than the first one: it was completely free.
Reported to NoScript
I reported this to NoScript, and they fixed it within a few hours by changing googleapis.com to ajax.googleapis.com. However, all subdomains of a whitelisted domain are still whitelisted, so my original concern still stands: a forgotten subdomain, an XSS on any subdomain, or any other way of uploading HTML/JavaScript to a subdomain would still bypass NoScript.
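The subdomain rule described above, and the narrowing NoScript applied as its fix, as an added example that is not NoScript's own code: a small whitelist matcher in JavaScript that treats every subdomain of a trusted entry as trusted, run once against a constructed "before" list containing googleapis.com and once against the narrowed "after" list containing ajax.googleapis.com. The whitelists, the host names other than the googleapis ones, the list of hosts that serve user-uploaded content and the function names are assumptions made for this example; the matcher also compares whole DNS labels, so a look-alike such as notgoogleapis.com is not trusted by an entry for googleapis.com.

```javascript
// Added example, not NoScript's code: models a whitelist in which trusting
// a domain implicitly trusts all of its subdomains, and shows how far a
// given entry reaches.

// Constructed whitelists: the entry the post found (googleapis.com) and the
// narrowed entry NoScript switched to (ajax.googleapis.com). example.org is
// a filler entry, not a real NoScript default.
const WHITELIST_BEFORE = ["googleapis.com", "example.org"];
const WHITELIST_AFTER = ["ajax.googleapis.com", "example.org"];

// Constructed (assumed) list of hosts under a trusted domain that serve
// content uploaded by arbitrary accounts; storage.googleapis.com is the one
// the post demonstrates.
const USER_CONTENT_HOSTS = ["storage.googleapis.com"];

// True when `host` is `entry` itself or a subdomain of it. The comparison
// is done on whole labels (entry must be preceded by a dot), so a plain
// endsWith() look-alike such as notgoogleapis.com does not match.
function matchesEntry(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const e = entry.toLowerCase().replace(/\.$/, "");
  return h === e || h.endsWith("." + e);
}

// Returns the whitelist entry that lets `host` run scripts, or null if none.
function trustingEntry(host, whitelist) {
  for (const entry of whitelist) {
    if (matchesEntry(host, entry)) return entry;
  }
  return null;
}

// Defender-side check: flags whitelist entries whose subdomain coverage
// reaches a host that serves user-uploaded content, i.e. entries that
// trust more than intended.
function overbroadEntries(whitelist) {
  return whitelist.filter((entry) =>
    USER_CONTENT_HOSTS.some((h) => matchesEntry(h, entry))
  );
}

// Hosts to evaluate; the look-alike is constructed and must never match.
const HOSTS = [
  "ajax.googleapis.com",
  "storage.googleapis.com",
  "googleapis.com",
  "notgoogleapis.com",
  "example.org",
];

// Maps each host to the entry that trusts it (or null) for one whitelist.
function report(whitelist) {
  const out = {};
  for (const h of HOSTS) out[h] = trustingEntry(h, whitelist);
  return out;
}

console.log("before fix:", report(WHITELIST_BEFORE));
console.log("overbroad before:", overbroadEntries(WHITELIST_BEFORE));
console.log("after fix:", report(WHITELIST_AFTER));
console.log("overbroad after:", overbroadEntries(WHITELIST_AFTER));
```

With the "before" list, storage.googleapis.com is trusted through the googleapis.com entry and that entry is flagged as overbroad; with the "after" list, only ajax.googleapis.com itself (and its own subdomains) is trusted, and no entry is flagged. The audit in overbroadEntries only knows about the hosts listed in USER_CONTENT_HOSTS, which is exactly the limitation the post points out: any other subdomain that is forgotten, vulnerable to XSS or otherwise lets someone publish HTML is still covered by its parent entry.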