Escaping Misconfigured VSCode Extensions (2023)
4 days ago
- #VSCode
- #Webview
- #Security
- Disclosure of vulnerabilities in VSCode extensions and VSCode itself, including CVE-2022-41042 with a $7,500 bounty.
- Exploration of VSCode Webviews and their security model, including sandboxing and communication mechanisms.
- Three vulnerabilities identified: HTML/JavaScript injection in the SARIF viewer, HTML/JavaScript injection in Live Preview, and path traversal in Live Preview's local HTTP server.
- Exploitation techniques include DNS prefetching for file exfiltration, srcdoc iframes for JavaScript execution, and DNS rebinding for remote attacks.
- Recommendations for securing VSCode Webviews, emphasizing CSP restrictions, localResourceRoots configuration, and secure postMessage handlers.
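The hardening recommendations above, as an added example that is not code from the original post or from the affected extensions: the HTML for a webview is built with a strict CSP (only nonce-tagged scripts, resources only from the webview's own origin) and untrusted text such as a SARIF message is escaped before interpolation, and messages from the webview are allowlisted before the extension host acts on them. `webview.cspSource`, `webview.asWebviewUri` and `localResourceRoots` are real VS Code APIs but are passed in as plain strings so the functions run without the extension host; the `openResult` message protocol is a constructed example.

```typescript
import { randomBytes } from "node:crypto";

// Constructed message protocol: the only command the host will honour.
export type WebviewMessage = { command: "openResult"; index: number };

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape untrusted text (e.g. a SARIF result message) before it lands in the
// page, so it can neither close the surrounding tag nor start a <script>.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// cspSource = webview.cspSource, scriptUri = String(webview.asWebviewUri(...)).
// Both come from VS Code at runtime; here they are plain strings for testability.
export function buildWebviewHtml(
  cspSource: string, scriptUri: string, untrustedTitle: string,
  nonce: string = randomBytes(16).toString("base64"),
): string {
  const csp = [
    "default-src 'none'",          // nothing loads unless listed below
    `img-src ${cspSource}`,        // only files under localResourceRoots
    `style-src ${cspSource}`,
    `script-src 'nonce-${nonce}'`, // only our own tag: no inline handlers, no srcdoc frames
    "connect-src 'none'",          // no fetch/XHR to arbitrary hosts
  ].join("; ");
  return `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="${csp}">
<title>${escapeHtml(untrustedTitle)}</title></head>
<body><script nonce="${nonce}" src="${scriptUri}"></script></body></html>`;
}

// Allowlist incoming messages: exact command name and typed fields only, so a
// compromised webview cannot steer the host into opening or serving arbitrary paths.
export function isAllowedMessage(msg: unknown): msg is WebviewMessage {
  if (typeof msg !== "object" || msg === null) return false;
  const m = msg as Record<string, unknown>;
  return m.command === "openResult" && Number.isInteger(m.index) && (m.index as number) >= 0;
}

// Assumed extension-host wiring (not run here):
//   const panel = vscode.window.createWebviewPanel("sarif", "Results", vscode.ViewColumn.One,
//     { enableScripts: true, localResourceRoots: [vscode.Uri.joinPath(context.extensionUri, "media")] });
//   panel.webview.html = buildWebviewHtml(panel.webview.cspSource, String(scriptUri), result.message);
//   panel.webview.onDidReceiveMessage((m) => { if (isAllowedMessage(m)) openResult(m.index); });
```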