Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper

2018-06-08T02:24:01
ID THEHACKERBLOG:218406AED105DBC8E9C905E4829EE58F
Type thehackerblog
Reporter mandatory
Modified 2018-06-08T02:24:01

Description

Summary The “Steam Inventory Helper” Chrome extension version 1.13.6 suffered from both a DOM-based Cross-site Scripting (XSS) and a clickjacking vulnerability. By combining these vulnerabilities it is possible to gain JavaScript code execution in the highly-privileged context of the extension's background page. Due to the extension declaring the “<all_urls>” permission, this vulnerability can be exploited… Read More