LET'S PWN A CHINESE
WEB BROWSER!
DISOBEY 2019 — JUHO NURMINEN
I'm not my employer. My opinions aren't necessarily theirs. They haven't contributed to this
workshop, do not endorse it, and should not be held responsible for any outcomes.
The browsers we're about to look at are literally "made in China". Install and run them at
your own responsibility. They may invade your privacy, they may install other unwanted
software, and they may be difficult to uninstall properly. Using a disposable VM is highly
In fact, anything you do in this workshop is at your own responsibility. Even if I tell you to do
so. I don't have permission from any vendors and I Am Not A Lawyer.
Any vulnerabilities you find are yours to keep. I suggest reporting them to the vendor and/or
a CERT of your choice. I can help in finding the right contacts, but it's your call.
YOUR INSTRUCTOR
Web & mobile hacker — Specialist @ 2NS
Browser hacker — several CVEs in
Chrome, Firefox, Safari
Antivirus hacker — Disobey 2018
CHROME DEVTOOLS & F12
DEVELOPER TOOLS
Launch from a menu item or press F12
Debugger is handy, too
PORTSWIGGER'S RENDERING
ENGINE HACKABILITY PROBE
"Rendering Engine Hackability Probe performs a
variety of tests to discover what the unknown
rendering engine supports."
Helps you quickly spot non-standard APIs
BADSSL.COM & SSLLABS.COM
Badssl.com: contains lots of subdomains that should
trigger an SSL error
SSL labs' client test: lists the ciphers and other
features your SSL client supports
PROCESS EXPLORER, NETSTAT,
The usual stuff for that can help you understand a
Figure out what processes an app is launching, what
files it's accessing and who it's talking to
Is your browser running a TCP server? It probably
Architecture: Chrome with extras glued on top? Custom browser
Custom features: What are there? How are they implemented?
Error messages: origin, exposed APIs, XCS
Browser-internal URI schemes
Restricted URI schemes
Framing settings pages, error messages?
Extensions: Are they supported? WebExtensions or something
else? Custom APIs?
APIs exposed to web (Hackability & external object)
Privileged web pages: Extension gallery? Sync and sharing
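The non-standard API spotting the Hackability Probe slide describes, and the "APIs exposed to web (Hackability & external object)" checklist item, boiled down to a small added example that is not part of the workshop material: enumerate a global object's properties (own and inherited) and report the ones absent from a baseline captured from stock Chrome. The baseline sets, the fake window and the names VendorCallNative and vendorBridge are constructed stand-ins; in a real browser you would pass the real window and a full baseline.

```javascript
// Added example, not from the slides: diff a browser global against a baseline of standard names.
// Constructed, deliberately tiny baselines; a real run would use the full list captured from stock Chrome.
const STANDARD_WINDOW = new Set(['document', 'location', 'navigator', 'external', 'fetch']);
const STANDARD_EXTERNAL = new Set(['AddSearchProvider']); // the only member stock Chrome exposes

// Describe one property: data property (reports typeof value) or accessor, and whether it is enumerable.
// Non-enumerable extras matter because a plain for..in sweep would miss them.
function describe(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  const kind = d && 'value' in d ? typeof d.value : 'accessor';
  return { name, kind, enumerable: !!(d && d.enumerable) };
}

// Properties of `obj`, own plus inherited up to (excluding) Object.prototype, not in `baseline`.
function nonStandard(obj, baseline) {
  const seen = new Set();
  const out = [];
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const name of Object.getOwnPropertyNames(o)) {
      if (seen.has(name) || baseline.has(name)) continue;
      seen.add(name);
      out.push(describe(o, name));
    }
  }
  return out.sort((a, b) => a.name.localeCompare(b.name));
}

// Probe the window and its `external` object, a common home for vendor-added bridges.
function probeGlobals(win, winBaseline = STANDARD_WINDOW, extBaseline = STANDARD_EXTERNAL) {
  return {
    window: nonStandard(win, winBaseline),
    external: win.external ? nonStandard(win.external, extBaseline) : [],
  };
}

// Constructed stand-in for a vendor browser's window: standard names plus two made-up extras.
const fakeWindow = {
  document: {}, location: {}, navigator: {}, fetch() {},
  external: { AddSearchProvider() {}, VendorCallNative() {} }, // VendorCallNative: placeholder name
};
// A hidden (non-enumerable) accessor, the kind of thing a naive enumeration would overlook.
Object.defineProperty(fakeWindow, 'vendorBridge', { get() { return {}; }, enumerable: false });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(probeGlobals(fakeWindow), null, 2));
}
```

Anything the report lists is a starting point for the rest of the checklist: where the API is reachable from (origin checks), what it hands back, and whether it also shows up in error or settings pages.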