Self‑HTML Injection in Total WebShield (Chrome Extension v3.2)


TL;DR:
Total WebShield (v3.2) fails to sanitize the category URL parameter in its block page, allowing an attacker to inject arbitrary HTML into the extension’s UI. This can be abused to load remote content, phish users, or execute scripts in the context of the extension’s blocked‑page UI.

Steps to Reproduce:
Install the extension and enable Total WebShield.
Visit any URL classified as malicious (e.g. ?category=malware). Observe the block page with a reflected category label.
Construct a URL with category set to an encoded HTML iframe:
?category=%3Ciframe%20src=%22http://attacker.com/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2
The injected iframe appears in the block page UI, rendering external content.
Introduction
Total WebShield, the URL‑blocking extension offered by TotalAV, displays a block page when it intercepts malicious or low‑trust websites. The category parameter in the block page URL reflects payloads directly into the HTML without any input sanitization or output encoding. This allows arbitrary HTML injection, including iframe embedding, leading to an attacker‑controlled page being rendered within the extension context.
After installation, when Total WebShield blocks a site (e.g. for malware, phishing), it redirects the browser to an internal HTML page:
chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=malware&url=http%3A%2F%2Fmaliciouswebsitetest.com%2F&backStepCount=2
Vulnerability Details
Root Cause
The extension reads the category parameter from location.search and writes it directly into the page’s inner HTML without any escaping or sanitization.
Injection Point
In index.html (or its associated JavaScript), something like:
// Read the query string of the block page and take the unvalidated category value.
const params = new URLSearchParams(window.location.search);
const category = params.get('category') || 'unknown';
// Sink: the raw value is parsed as markup, so any tags it contains become DOM nodes.
document.querySelector('#category-label').innerHTML = category;
Thus, any HTML in category is rendered unescaped.
Proof of Concept (PoC)
Visit a “blocked page” URL crafted as follows:
chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=%3Ciframe%20src=%22http://192.168.58.192/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2
Alert from attacker‑hosted iframe confirming injection:
The block page displays the attacker’s iframe inline inside the extension.
This content is indistinguishable from legitimate UI content.
It does not trigger any alert or error in the browser.
Impact
This vulnerability opens the door to several types of abuse:
Phishing / social engineering: Display fake messages to trick users.
Clickjacking: Overlay misleading buttons or fake "Visit anyway" options.
Brand impersonation: Mimic official security messages or forms.
Potential escalation: While this is not a direct XSS vulnerability, combining it with other extension bugs could lead to code execution or privilege escalation.
Though <script> tags are not executed (due to CSP), arbitrary HTML tags like <iframe>, <img>, or even <style> are rendered as part of the DOM, which is enough for advanced manipulation or deception.
Recommendation
To fix this issue, the developers should:
Sanitize and escape all user-controlled input before inserting it into the DOM.
Replace .innerHTML assignments with .textContent where applicable.
Validate that the category parameter only contains expected values (e.g. "malware", "phishing", etc.).
Consider implementing a Content Security Policy (CSP) that restricts unsafe rendering behaviors.
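The innerHTML sink from the Root Cause section next to the hardened version the recommendations describe (allow-list the value, then write it with textContent), as an added example that is not the extension’s code. The allow-list contents, the attacker.example host and the element stand-in are assumptions so the snippet runs under Node as well as in a page.

```javascript
// Added example, not the extension's code: the innerHTML sink described above
// next to a hardened version (allow-list + textContent). A tiny element stand-in
// lets it run under Node; in a page, pass a real element instead.

// Assumed allow-list of category labels the block page is expected to show.
const ALLOWED_CATEGORIES = new Set(['malware', 'phishing', 'low-trust', 'unknown']);

// Vulnerable pattern: the raw parameter is written as markup.
function renderVulnerable(search, labelEl) {
  const params = new URLSearchParams(search);
  const category = params.get('category') || 'unknown';
  labelEl.innerHTML = category; // sink: any tags in the parameter become DOM nodes
  return labelEl.innerHTML;
}

// Fix, step 1: accept only expected values; anything else collapses to 'unknown'.
function safeCategory(search) {
  const raw = (new URLSearchParams(search).get('category') || '').trim().toLowerCase();
  return ALLOWED_CATEGORIES.has(raw) ? raw : 'unknown';
}

// Fix, step 2: write text, never markup. Even an unexpected value would be
// shown literally rather than parsed.
function renderSafe(search, labelEl) {
  labelEl.textContent = safeCategory(search);
  return labelEl.textContent;
}

// Defence in depth for places where innerHTML cannot be avoided: escape the
// characters that let a value break out of text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal element stand-in so the functions can run outside a browser.
function fakeElement() { return { innerHTML: '', textContent: '' }; }

// Constructed inputs: a benign block-page query and the iframe payload shape
// from the write-up, with a placeholder host.
const BENIGN = '?category=malware&url=BLANK&backStepCount=2';
const PAYLOAD = '?category=%3Ciframe%20src=%22http://attacker.example/test.html%22%3E%3C/iframe%3E%20malware'
  + '&url=BLANK&backStepCount=2';

console.log('vulnerable:', renderVulnerable(PAYLOAD, fakeElement()));
console.log('hardened:  ', renderSafe(PAYLOAD, fakeElement()));
```

Note that URLSearchParams percent-decodes the value, so the first function receives a literal iframe tag; the allow-list in the second rejects it before anything touches the DOM.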
Lessons Learned
Even browser extensions built for security can contain serious security bugs themselves. UI injection, even without JavaScript execution, can be dangerous in the right context.
Always validate and escape any untrusted data that touches the DOM, especially in extensions that run with high privileges and interact with the user directly.
Written by FPT Metrodata Indonesia
PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.