Brave Browser Script Blocker Bypass Vulnerability

In this write-up, I want to share a vulnerability in the Brave browser that I discovered a few days ago. Brave is an open-source browser featuring ad blocking and tracking protection. It includes a built-in JavaScript blocker, which lets users optionally block JavaScript on user-specified domains. I found a way to bypass that blocker.

The bug I discovered was inspired by the recently disclosed Tor Browser NoScript bypass vulnerability, CVE-2018-16983 [1]. The NoScript issue is: if you set the Content-Type of a webpage to text/html;/json, then that page can execute JavaScript even if the user has set the security level to “Safest” in Tor Browser. NoScript is a Firefox plugin, while Brave was based on muon, a framework modified from Electron, so it is unlikely that Brave’s built-in script blocker suffers from the same vulnerability. Nonetheless, I decided to test it on Brave anyway.

I wrote a very simple PoC:

In order to set Content-Type, I used Fiddler AutoResponder to hook a URL, like http://example.com/index.html:

It turned out that <script>alert(1);</script> was executed, but <script src="js.js"></script> was blocked. Then I changed the Content-Type back to the normal text/html. The outcome was the same, so it was clear that Content-Type was irrelevant. The external JavaScript file was correctly blocked, but inline JavaScript was mistakenly allowed, even though scripts were set to disabled.
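As an added regression check (not the author's PoC page or Fiddler rule, which are not reproduced here), the following Python script serves the same two script vectors from a local server with a caller-chosen Content-Type, so the fix can be re-verified in a browser with scripts disabled for 127.0.0.1; the port, paths and marker strings are my own choices.

```python
# Added regression check for the behaviour described above (not the author's PoC).
# Serves a test page containing both an inline <script> and an external
# <script src="js.js">, with a caller-chosen Content-Type. Each script appends a
# marker to the page; with scripts blocked correctly, neither marker appears.
from http.server import BaseHTTPRequestHandler, HTTPServer
import sys

INLINE_MARKER = "inline script executed"
EXTERNAL_MARKER = "external script executed"


def build_test_page() -> str:
    """HTML with the two script vectors from the write-up; both report into #result."""
    return (
        "<!doctype html><html><body><h1>Script blocker check</h1>"
        "<ul id=\"result\"><li>no script has run yet (expected when blocked)</li></ul>"
        "<script>document.getElementById('result').insertAdjacentHTML("
        f"'beforeend', '<li>{INLINE_MARKER}</li>');</script>"
        "<script src=\"js.js\"></script></body></html>"
    )


def build_external_script() -> str:
    """Body of js.js: the external vector, reporting the same way as the inline one."""
    return ("document.getElementById('result').insertAdjacentHTML("
            f"'beforeend', '<li>{EXTERNAL_MARKER}</li>');")


def response_for(path: str, html_content_type: str):
    """Map a request path to (status, Content-Type, body); unknown paths get 404."""
    if path in ("/", "/index.html"):
        return 200, html_content_type, build_test_page()
    if path == "/js.js":
        return 200, "application/javascript", build_external_script()
    return 404, "text/plain", "not found"


class Handler(BaseHTTPRequestHandler):
    html_content_type = "text/html"  # overridden from argv, e.g. "text/html;/json"

    def do_GET(self):
        status, ctype, body = response_for(self.path, self.html_content_type)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Usage: python check.py [content-type]; then open http://127.0.0.1:8000/
    # in the browser under test with scripts disabled for 127.0.0.1.
    Handler.html_content_type = sys.argv[1] if len(sys.argv) > 1 else "text/html"
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it once with the default Content-Type and once with text/html;/json; a correct blocker shows only the "no script has run yet" line in both cases.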

Demo:

I reported this vulnerability to Brave Software on HackerOne on September 26, 2018. It was quickly triaged and fixed. The fix was released on October 8 in version 0.25.2. This vulnerability was also independently discovered by David Albert.

References

[1] https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/