Brave Browser Script Blocker Bypass Vulnerability

Xiaoyin Liu
Oct 13, 2018

In this write-up, I want to share a vulnerability in Brave browser that I discovered a few days ago. Brave browser is an open-source browser, featuring ad blocking and tracking protection. It includes a built-in JavaScript blocker, which allows users to optionally block JavaScript on user-specified domains. I found a way to bypass that blocker.

The bug I discovered was inspired by the recently disclosed Tor Browser NoScript bypass vulnerability, CVE-2018-16983 [1]. The NoScript issue is: if you set the Content-Type of a webpage to text/html;/json, then this page can execute JavaScript even if users set the security level to “Safest” in Tor. NoScript is a Firefox plugin, while Brave was based on muon, a framework modified from Electron, so it is unlikely Brave’s built-in script blocker suffers from the same vulnerability. Nonetheless, I decided to test it on Brave anyway.

I wrote a very simple PoC:

In order to set Content-Type, I used Fiddler AutoResponder to hook a URL, like http://example.com/index.html:

It turned out <script>alert(1);</script> was executed, but <script src="js.js"></script> was blocked. Then I changed the Content-Type to the normal text/html. The outcome was the same. So it’s clear that Content-Type was irrelevant. The external JavaScript file was correctly blocked, but inline JavaScript was mistakenly allowed, even if scripts were set to disabled.
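A regression check for the behaviour described above, as an added example that is not part of the original write-up or Brave's code: a small Node.js server that serves a page with one inline and one external script under both Content-Type values and records which of them ran. The variant names, the /report and /verdict paths, the RUN_HARNESS variable and port 8080 are assumptions of this example.

```javascript
// Added example: harness to check that a script blocker stops inline AND external scripts.
// Content-Type values tried in the write-up; the variant names are this example's own.
const CONTENT_TYPES = { plain: 'text/html', odd: 'text/html;/json' };

// Test page: one inline and one external script; each calls back only if it runs.
function buildPage(v) {
  return `<!doctype html><title>script blocker check: ${v}</title>
<script>new Image().src = '/report?v=${v}&kind=inline';</script>
<script src="/js.js?v=${v}"></script>`;
}

// Pure request router so the logic can be tested without opening a socket.
function route(rawUrl, reports) {
  const url = new URL(rawUrl, 'http://localhost');
  const v = url.searchParams.get('v') === 'odd' ? 'odd' : 'plain';
  if (url.pathname === '/report') {
    const kind = url.searchParams.get('kind');
    if (kind === 'inline' || kind === 'external') reports.push(`${v}:${kind}`);
    return { status: 204, type: 'text/plain', body: '' };
  }
  if (url.pathname === '/js.js') {
    const body = `new Image().src = '/report?v=${v}&kind=external';`;
    return { status: 200, type: 'application/javascript', body };
  }
  return { status: 200, type: CONTENT_TYPES[v], body: buildPage(v) };
}

// With scripts disabled for this origin, any callback at all is a failure.
function verdict(reports) {
  const leaked = [...new Set(reports)].sort();
  return { pass: leaked.length === 0, leaked };
}

// Set RUN_HARNESS=1 to serve on 127.0.0.1:8080 (port is an arbitrary choice), then
// disable scripts for that origin, open /?v=plain and /?v=odd, and read /verdict.
if (process.env.RUN_HARNESS) {
  const reports = [];
  require('http').createServer((req, res) => {
    const r = req.url === '/verdict'
      ? { status: 200, type: 'application/json', body: JSON.stringify(verdict(reports)) }
      : route(req.url, reports);
    res.writeHead(r.status, { 'Content-Type': r.type, 'Cache-Control': 'no-store' });
    res.end(r.body);
  }).listen(8080, '127.0.0.1');
}
```

A browser with the behaviour described in this write-up would produce a verdict listing the inline callback for both variants and no external callback.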

Demo:

I reported this vulnerability to Brave Software on HackerOne on September 26, 2018. It was quickly triaged and fixed. The fix was released on October 8 in version 0.25.2. This vulnerability was also independently discovered by David Albert.

References

[1] https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

InfoSec Write-ups


Xiaoyin Liu

Written by

info security enthusiast https://twitter.com/general_nfs
