| Title | Total WebShield Chrome Antivirus Protection v3.2.0 Client‑side Self‑HTML Injection |
|---|
| Description | 1. Introduction:
- Total AV extension (version 3.2): Link https://chromewebstore.google.com/detail/total-webshield-chrome-an/bobjajapamhdnbnimmaddcceeckkoiff?hl=en-US&utm_source=ext_sidebar
- Total WebShield, the URL‑blocking extension offered by TotalAV, displays a block page when it intercepts malicious or low‑trust websites. The category parameter in the block page URL reflects payloads directly into the HTML without any input sanitization or output encoding. This allows arbitrary HTML injection, including iframe embedding, leading to an attacker‑controlled page being rendered within the extension context.
--------
2. Vulnerability Details:
- After installing and enabling the extension (it has a button that must be enabled after installation), access to any malicious website that the extension can detect is blocked with a block-page URL like this:
chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=malware&url=http%3A%2F%2Fmaliciouswebsitetest.com%2F&backStepCount=2
- The value of the category parameter is not validated or sanitized, so the block page is vulnerable to self-HTML injection.
- An HTML injection URL looks like this:
chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=%3Ciframe%20src=%22http://192.168.58.192/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2
=> Root Cause: The extension reads the category parameter from location.search, and writes it directly into the page’s inner HTML without any escaping or sanitization.
--------
3. Impact:
- This vulnerability opens the door to several types of abuse:
+ Phishing / social engineering: Display fake messages to trick users.
+ Clickjacking: Overlay misleading buttons or fake "Visit anyway" options.
+ Brand impersonation: Mimic official security messages or forms.
+ Potential escalation: While this is not a direct XSS vulnerability, combining it with other extension bugs could lead to code execution or privilege escalation.
--------
4. Recommendation
- To fix this issue, the developers should:
+ Sanitize and escape all user-controlled input before inserting it into the DOM.
+ Replace .innerHTML assignments with .textContent where applicable.
+ Validate that the category parameter only contains expected values (e.g. "malware", "phishing", etc.).
+ Consider implementing a Content Security Policy (CSP) that restricts unsafe rendering behaviors. |
|---|
| Source | ⚠️ https://news.fmisec.com/self-html-injection-in-total-webshield-chrome-extension |
|---|
| User | KhoaDao-FPT-Metrodata-Indonesia (UID 88374) |
|---|
| Submission | 07/27/2025 11:07 (9 months ago) |
|---|
| Moderation | 08/08/2025 13:38 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319245 [Protected Total WebShield Extension up to 3.2.0 on Chrome Block Page Category cross site scripting] |
|---|
| Points | 17 |
|---|
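
The allowlist and `.textContent` recommendations in section 4, written out as an added example; this is not the extension's code and not part of the original submission. The names `ALLOWED_CATEGORIES`, `parseBlockPageParams` and `renderBlockPage`, the label strings, the fallback label, and the assumption that the `url` value is shown as text are all hypothetical.

```javascript
// Added example (not the extension's code): validate block-page parameters
// against an allowlist and render them as text, never as markup.

// Assumed category set: the report only names "malware" and "phishing".
const ALLOWED_CATEGORIES = new Map([
  ["malware", "Malware"],
  ["phishing", "Phishing"],
]);

// Parse a location.search-style string and return only validated values.
function parseBlockPageParams(search) {
  const params = new URLSearchParams(search);
  const rawCategory = params.get("category") ?? "";
  // Exact-match allowlist: anything else collapses to a fixed fallback,
  // so no request-derived string ever reaches the page as a category.
  const category = ALLOWED_CATEGORIES.has(rawCategory) ? rawCategory : "unknown";
  const label = ALLOWED_CATEGORIES.get(category) ?? "Unsafe site";

  // Assumption: the blocked URL is display-only. Accept http(s) URLs only.
  let blockedUrl = "";
  try {
    const u = new URL(params.get("url") ?? "");
    if (u.protocol === "http:" || u.protocol === "https:") blockedUrl = u.href;
  } catch { /* not a parseable URL: show nothing */ }

  return { category, label, blockedUrl };
}

// `elements` holds DOM nodes (or any objects with a textContent property).
// textContent creates text nodes, so markup in the input is never parsed.
function renderBlockPage(elements, search) {
  const p = parseBlockPageParams(search);
  elements.category.textContent = p.label;
  elements.url.textContent = p.blockedUrl;
  return p;
}

// Sample inputs: the query strings of the two URLs quoted in the report.
const benign =
  "?category=malware&url=http%3A%2F%2Fmaliciouswebsitetest.com%2F&backStepCount=2";
const injected =
  "?category=%3Ciframe%20src=%22http://192.168.58.192/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2";
```

In the extension page, `elements` would be the nodes that currently receive the `innerHTML` assignment, and `search` would be `location.search`.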