Summary
While taking a quick look at the code I noticed that the hostMatches function, which is used to verify whether a given host is in the config.enterprise_domains array, is weak and can be easily bypassed.
Description
While visiting a website the extension reads the current hostname and calls the getDomainType function in order to decide, among other things, whether a green badge should be displayed, indicating that the website is a corporate one and should be trusted.

Under the hood, getDomainType calls hostMatches:
```typescript
function hostMatches(host: string, domainList: string[]) {
  return domainList.some((domain) => {
    // Exact match against a configured enterprise domain.
    if (domain === host) {
      return true
    }
    // Wildcard entry such as "*.google.com" (starRegexp is defined elsewhere in the extension).
    if (starRegexp.exec(domain)) {
      const domainWithoutStar = domain.replace('*.', '')
      // The base domain is interpolated unescaped into a regex anchored only at the end,
      // so any host that merely ends with the base string matches, and '.' acts as a wildcard.
      const mainDomainRegex = new RegExp(`.*?${domainWithoutStar}$`)
      return mainDomainRegex.test(host)
    }

    return false
  })
}
```
It basically loops over all the domains stored in config.enterprise_domains and:
- If the stored domain matches the visited one, it returns true.
- If the stored domain is a wildcard one (i.e. *.google.com), it checks that the visited one ends with the wildcard domain without the leading "*.".

This approach is very weak because it would mark as an enterprise domain any domain ending with (in my example) google.com, such as nomoregoogle.com.

It should also be pointed out that using fake domains ending with the legitimate one is a very common phishing technique.
PoC
- Install the Phishcatch extension
- Set enterprise_domains to ["*.google.com"]
- Visit https://nomoregoogle.com
- Notice that the green badge on the Phishcatch extension appears
Addendum
While writing this issue I also realized that, since enterprise_domains entries are treated as a RegExp, the "." character is evaluated as a wildcard. This means that if enterprise_domains contains ["*.nomor.google.com"], then nomoregoogle.com would be matched as an enterprise domain.
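The two weaknesses above (an end-anchored suffix match and unescaped "." in the wildcard base) share one fix: stop building a RegExp from configuration and compare on label boundaries instead. The following is an added example of such a matcher, written for this issue and not taken from the Phishcatch code base; the function name hostMatchesSafe, the helper normalizeHost and the sample configuration are my own assumptions. It treats "*.google.com" as matching google.com itself as well as its subdomains, mirroring what the original regex did for the legitimate cases, while rejecting nomoregoogle.com for both "*.google.com" and "*.nomor.google.com".

```typescript
const STAR_PREFIX = "*."

// Hostnames are case-insensitive and may carry a trailing dot in FQDN form,
// so normalize before comparing (hypothetical helper, not from the extension).
function normalizeHost(h: string): string {
  let s = h.trim().toLowerCase()
  if (s.endsWith(".")) s = s.slice(0, -1)
  return s
}

// Hardened replacement for hostMatches (added example, not the project's code).
// No RegExp is constructed from configuration, so "." is never a wildcard.
function hostMatchesSafe(host: string, domainList: string[]): boolean {
  const h = normalizeHost(host)
  return domainList.some((entry) => {
    const d = normalizeHost(entry)
    if (d.startsWith(STAR_PREFIX)) {
      const base = d.slice(STAR_PREFIX.length)
      // A bare "*." entry would otherwise match every host; refuse it.
      if (base.length === 0) return false
      // Label-boundary check: the host is the base itself or ends with "." + base.
      // "nomoregoogle.com" does not end with ".google.com", so it is rejected,
      // while "mail.google.com" is accepted.
      return h === base || h.endsWith("." + base)
    }
    // Plain entries require an exact match; subdomains are not implied.
    return h === d
  })
}

// Constructed sample configuration and hosts, including the ones from the issue.
const SAMPLE_CONFIG = ["*.google.com", "intranet.example.com"]
const SAMPLE_HOSTS = [
  "google.com",
  "mail.google.com",
  "nomoregoogle.com",
  "intranet.example.com",
  "evil.intranet.example.com",
]

// Returns a host -> enterprise? map so the outcome can be inspected or asserted.
function classify(hosts: string[], domainList: string[] = SAMPLE_CONFIG): Record<string, boolean> {
  const out: Record<string, boolean> = {}
  for (const h of hosts) out[h] = hostMatchesSafe(h, domainList)
  return out
}

console.log(classify(SAMPLE_HOSTS))
```

If the intended semantics are that a wildcard entry should cover only subdomains and not the apex itself, drop the `h === base` branch and list the apex as a separate plain entry; either way the decision is made by string comparison on label boundaries, which is what the phishing lookalike in the PoC defeats in the original regex-based version.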