I'm in your browser, pwning your stuff

Security B-Sides Polska, 2012
https://github.com/koto/xsschef/
http://blog.kotowicz.net

  1. I'm in your browser, pwning your stuff! Attacking through Google Chrome extensions. Krzysztof Kotowicz
  2. /whoami
     • IT security consultant @ SecuRing
     • Web security research (BlackHat, BruCON, Confidence, ...)
     • blog.kotowicz.net
     • @kkotowicz
  3. Agenda
     • Why attack (through) Google Chrome extensions?
     • How to do it?
     • Can it be any simpler?
  4. Why?
  5. (photo) http://flic.kr/p/6xQTMD
  6. (photo) http://www.flickr.com/photos/hans905/4124897248/in/photostream/
  7. Same origin policy
     • XSS - code execution within the victim's origin
         "><script>alert(document.cookie)</script>
     • CSRF - making the victim perform an action with a request sent from the attacker's origin
         x = new XMLHttpRequest();
         x.open("POST", "//victim.pl");
         x.send("delete_account&id=1");
  8. (photo) http://www.flickr.com/photos/dimi15/707990005/in/photostream/
  9. SOP bypass
     • //superevr.com/blog/2012/top-level-universal-xss/
     • //blog.detectify.com/post/32947196572/universal-xss-in-opera
     • Rare, of limited use
     • Rely on bugs in the browser
  10. (photo) http://flic.kr/p/aqEx5Y
  11. (photo) http://www.flickr.com/photos/iloveblue/3302032125/in/photostream/
  12. Chrome extensions
     • HTML5 applications
       • html, javascript, css
     • Packaged into a .crx file
       • a signed zip
     • Installed from the Chrome Web Store
       • or manually
  13. Chrome extensions
     • Permissions are declared in manifest.json
     • Access to many powerful APIs
       • chrome.tabs
       • chrome.bookmarks
       • chrome.history
       • chrome.cookies
       • NPAPI plugins
  14. Chrome extensions
     • Extensions are HTML applications
     • The same classes of vulnerabilities apply
       • including XSS
  15. Chrome extensions
     • XSS in an extension can mean
       • UXSS
       • access to the URL history
       • read/write access to cookies
       • access to files
       • arbitrary code execution
  16. How?
  17-30. [Architecture diagram, built up over fourteen slides: on the page side, the DOM and the page's own js.js; on the extension side, content script.js, which works on the page DOM through getElementById(), createElement() and innerHTML; view.html and background.js, which exchange messages with the content script via chrome.extension.sendRequest(); and the chrome.* API (cookies, history, tabs, plugins, ...) reachable from the extension pages. Slide 30 adds chrome.tabs.executeScript to the diagram.]
  31. Vulnerabilities
  32. XSS in a content script
     • the content script receives data
       • from the view
       • from the DOM
     • and inserts it into the DOM without escaping
  33-35. [The architecture diagram again, tracing the data flow of the content-script XSS.]
  36. XSS in a content script
     • Consequences:
       • access to the DOM
       • unrestricted XHR
     • DEMO - zzzap-it
         chrome.tabs.executeScript(null, {
           code: "(" + funcLaunchZzzapIt.toString() + ")(" +
                 tab.url.replace("","") + ", " + tab.title.replace("","") + ", open)"
         });
  37. XSS in the view
     • the content script takes data from the page DOM
     • sends it to the view
     • the view displays it without escaping
  38-40. [The architecture diagram again, tracing the data flow of the view XSS.]
  41. XSS in the view
     • Consequences
       • persistence in the background page
       • access to the chrome.* API (limited by the declared permissions)
     • DEMO - Slick RSS: feed finder
         <link rel="alternate" type="application/rss+xml"
               title="hello <img src=x onerror=payload>"
               href="/rss.rss">
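The feed-finder flow on slides 37 to 41 has three steps: the content script reads <link rel="alternate"> elements from the page, passes them to the view, and the view renders them. The example below is added here and is not code from the slides or from Slick RSS: it implements the collection step against a document object, a view renderer that concatenates the title into markup (the vulnerable pattern), and a hardened renderer that escapes every page-derived value and allow-lists the href, since a javascript: URL in the link is a second way for page content to run in the extension origin. collectFeedLinks, renderFeedListUnsafe, renderFeedListSafe, escapeHtml, safeHref and the document stub are assumptions made for this example; the stub carries the slide's payload as constructed input.

```javascript
// Added example (not from the slides or Slick RSS): feed-finder data flow
// with a vulnerable and a hardened view renderer.

// Content-script side: everything returned here comes from the page and must be
// treated as attacker input. Relative hrefs are resolved against the page URL.
function collectFeedLinks(doc, baseUrl) {
  var feeds = [];
  var links = doc.querySelectorAll('link[rel="alternate"]');
  for (var i = 0; i < links.length; i++) {
    var raw = links[i].getAttribute("href") || "";
    var href;
    try { href = new URL(raw, baseUrl).href; } catch (e) { href = raw; }
    feeds.push({ title: links[i].getAttribute("title") || "", href: href });
  }
  return feeds;
}

// View side, vulnerable: markup built by concatenation and handed to innerHTML,
// so the title from the slide becomes a live <img onerror> in the view origin.
function renderFeedListUnsafe(feeds) {
  var html = "<ul>";
  for (var i = 0; i < feeds.length; i++) {
    html += '<li><a href="' + feeds[i].href + '">' + feeds[i].title + "</a></li>";
  }
  return html + "</ul>";
}

// Escaping that is safe for both text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Only http(s) feed URLs are linked; javascript: and data: hrefs would execute
// in the view just as injected markup does.
function safeHref(href) {
  try {
    var u = new URL(href);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) { /* unparsable URL: fall through to the placeholder */ }
  return "about:blank";
}

// View side, hardened: every page-derived value escaped, href allow-listed.
function renderFeedListSafe(feeds) {
  var html = "<ul>";
  for (var i = 0; i < feeds.length; i++) {
    html += '<li><a href="' + escapeHtml(safeHref(feeds[i].href)) + '">' +
      escapeHtml(feeds[i].title) + "</a></li>";
  }
  return html + "</ul>";
}

// Constructed stand-in for the page DOM, carrying the slide's payload plus a
// javascript: feed URL.
function makeLinkStub(attrs) {
  return { getAttribute: function (n) { return attrs[n] === undefined ? null : attrs[n]; } };
}
var hostileDoc = {
  querySelectorAll: function () {
    return [
      makeLinkStub({ rel: "alternate", type: "application/rss+xml",
                     title: "hello <img src=x onerror=payload>", href: "/rss.rss" }),
      makeLinkStub({ rel: "alternate", type: "application/rss+xml",
                     title: "evil", href: "javascript:payload()" })
    ];
  }
};

var found = collectFeedLinks(hostileDoc, "http://example.com/news/");
console.log(renderFeedListUnsafe(found)); // payload and javascript: href intact
console.log(renderFeedListSafe(found));   // escaped title, about:blank href
```

In a real view the cleaner fix is to never build markup from strings at all: create the elements with createElement and assign the title through textContent and the href through the validated URL. The string-escaping renderer is used here so that the two outputs can be compared directly.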
  42. Vulnerabilities in NPAPI plugins
     • page content reaches the view
     • the view passes it on to the NPAPI plugin
     • a vulnerability in the plugin is triggered
  43-46. [The architecture diagram with an NPAPI plugin added next to the chrome.* API, tracing the data flow from the page through the view into the plugin.]
  47. Vulnerabilities in NPAPI plugins
     • Example: cr-gpg 0.7.8
         string cmd = "c:\\windows\\system32\\cmd.exe /c ";
         cmd.append(gpgFileLocation);
         cmd.append("-e --armor");
         cmd.append(" --trust-model=always");
         for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
             cmd.append(" -r");
             cmd.append(peopleToSendTo.at(i));
         }
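The cr-gpg snippet builds one command line for cmd.exe /c and appends each recipient address to it unchanged, so a recipient that arrived from the page (slide 42) can carry shell metacharacters. The following is an added example, not code from the slides or from cr-gpg: it assembles the same kind of command line in JavaScript to make the injection visible, and beside it shows what the extension side should do before anything reaches the plugin, namely allow-list the recipient format and pass the values as separate argv entries for a CreateProcess- or execFile-style call that never involves a shell. buildGpgCommandLine, buildGpgArgv, isSafeRecipient and the sample addresses are assumptions made for this example.

```javascript
// Added example (not from the slides or cr-gpg): the cmd.exe command line the
// plugin assembles, next to an argv builder with recipient validation.

// Vulnerable shape: a single string later handed to cmd.exe /c, with recipients
// appended verbatim. Mirrors the C++ loop on slide 47.
function buildGpgCommandLine(gpgPath, recipients) {
  var cmd = "c:\\windows\\system32\\cmd.exe /c " + gpgPath +
    " -e --armor --trust-model=always";
  for (var i = 0; i < recipients.length; i++) {
    cmd += " -r" + recipients[i];
  }
  return cmd;
}

// Allow-list for what the view may forward to the plugin: a plain mailbox
// address. Anything cmd.exe treats specially (& | < > ^ " % and whitespace)
// is outside the character classes and is rejected.
var RECIPIENT_RE = /^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
function isSafeRecipient(addr) {
  return RECIPIENT_RE.test(addr);
}

// Hardened shape: validated recipients become separate argv entries, so no
// shell ever parses them; an invalid address aborts instead of being passed on.
function buildGpgArgv(gpgPath, recipients) {
  var argv = [gpgPath, "-e", "--armor", "--trust-model=always"];
  for (var i = 0; i < recipients.length; i++) {
    if (!isSafeRecipient(recipients[i])) {
      throw new Error("rejected recipient: " + JSON.stringify(recipients[i]));
    }
    argv.push("-r", recipients[i]);
  }
  return argv;
}

// Constructed sample: one honest address and one lifted from a hostile page.
var sampleRecipients = ["alice@example.com", "bob@example.com & calc.exe"];

console.log(buildGpgCommandLine("gpg.exe", sampleRecipients)); // "... & calc.exe" reaches cmd.exe
try {
  console.log(buildGpgArgv("gpg.exe", sampleRecipients));
} catch (e) {
  console.log(e.message); // rejected recipient: "bob@example.com & calc.exe"
}
```

The validation is defence in depth; the fix that actually removes the bug class is the argv form, because with cmd.exe out of the picture a recipient string can only ever be a recipient. If the plugin must keep a shell for other reasons, every value it receives from the view needs the same allow-list treatment, not just the recipients.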
  48-59. [The same diagram extended with gpg.exe and cmd.exe behind the NPAPI plugin, stepping through the cr-gpg command injection from page content to cmd.exe.]
  60. Simpler?
  61. • alert(1) - and what next?
     • A tool for automation is needed
     • Like BeEF, but for exploiting Chrome extensions
     (photo) http://www.flickr.com/photos/josephwuorigami/3165180003/
  62. Exploitation
     • Monitoring tabs
     • Executing JS in every tab
     • Extracting HTML
     • Reading/writing cookies
     • Manipulating history
     • Proxy settings
  63. Starting the server
         $ php -v
         PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
         Copyright (c) 1997-2012 The PHP Group
         Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
             with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
         $ php server.php 2>command.log
         XSS ChEF server
         by Krzysztof Kotowicz - kkotowicz at gmail dot com
         Usage: php server.php [port=8080] [host=127.0.0.1]
         Communication is logged to stderr, use php server.php [port] 2>log.txt
         2012-07-22 12:40:06 [info] Server created
         2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
         2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
         2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
         2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
         2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1...
  64. Hook code
  65. Console
  66. Session selection
  67. Payloads
  68. Screenshots
  69. Questions?
     • https://github.com/koto/xsschef
     • krzysztof@kotowicz.net
     • @kkotowicz