
I'm in your browser, pwning your stuff

Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net

I’m in your browser,
 pwning your stuff!
Attacking (through) Google Chrome extensions

             Krzysztof Kotowicz
/whoami

• IT security consultant @ SecuRing
• Web security research
  (BlackHat, BruCON, Confidence, ...)
• blog.kotowicz.net
• @kkotowicz
Plan

• Why attack (through) Google Chrome
  extensions?
• How to do it?
• Isn't there a simpler way?
Why?
http://flic.kr/p/6xQTMD
http://www.flickr.com/photos/hans905/4124897248/in/photostream/
  • 7. Same origin policy
    • XSS - executing code within the victim's origin
        "><script>alert(document.cookie)</script>
    • CSRF - performing an action as the victim with a request from the attacker's origin
        x = new XMLHttpRequest()
        x.open("POST", "//victim.pl")
        x.send("delete_account&id=1")
  • 9. SOP bypass
    • //superevr.com/blog/2012/top-level-universal-xss/
    • //blog.detectify.com/post/32947196572/universal-xss-in-opera
    • Rare, of limited use
    • Rely on browser bugs
  • 13. Chrome extensions
    • HTML5 applications
      • html, javascript, css
    • Packaged into a .crx file
      • a signed zip
    • Installed through the Chrome Web Store
      • or manually
  • 14. Chrome extensions
    • Permissions declared in manifest.json
    • Access to many powerful APIs
      • chrome.tabs
      • chrome.bookmarks
      • chrome.history
      • chrome.cookies
      • NPAPI plugins
  • 15. Chrome extensions
    • Extensions are HTML applications
    • The same classes of vulnerabilities
      • including XSS
  • 16. Chrome extensions
    • An XSS in an extension can mean
      • UXSS
      • access to URL history
      • read/write access to cookies
      • access to files
      • arbitrary code execution
  • 18. How?
  • 20-33. [Diagram slides: extension architecture. content script.js reaches the page DOM through getElementById(), createElement() and innerHTML; content script.js, view.html and background.js exchange messages via chrome.extension.sendRequest(); background.js reaches the chrome.* API (cookies, history, tabs, plugins, ...). Slide 33 adds chrome.tabs.executeScript to the diagram.]
  • 35. XSS in a content script
    • the content script receives data
      • from the view
      • from the DOM
    • and inserts it into the DOM without escaping
  • 36-38. [Diagram slides: the architecture diagram again, tracing the data flow of an XSS in the content script (DOM -> content script.js -> view.html / background.js -> chrome.* API).]
  • 39. XSS in a content script
    • Effects:
      • access to the DOM
      • unrestricted XHR
    • DEMO - zzzap-it
        chrome.tabs.executeScript(null, {
          code: "(" + funcLaunchZzzapIt.toString() + ")('" +
            tab.url.replace("'","'") + "', '" +
            tab.title.replace("'","'") + "', 'open')"
        });
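The executeScript call above splices tab.url and tab.title into JavaScript source by string concatenation, and the replace() shown rewrites at most the first quote without escaping it, so a page title can close the string literal and append its own statements. Added example, not code from the slides or from zzzap-it: the slide's pattern next to a builder that serialises the arguments with JSON.stringify; launchPlaceholder is a hypothetical stand-in for funcLaunchZzzapIt and the tab title and URL are constructed.

```javascript
// Added example, not code from the slides or from the zzzap-it extension.
// Both builders return the string an extension would hand to
// chrome.tabs.executeScript(null, { code: ... }); no chrome.* API is used,
// so the generated code can be inspected and run in plain Node.

// Hypothetical stand-in for the extension's funcLaunchZzzapIt.
function launchPlaceholder(url, title, mode) {
  return { url: url, title: title, mode: mode };
}

// Pattern from the slide: untrusted tab data concatenated into JS source.
// replace("'", "'") touches only the first quote and does not escape it,
// so a quote in the title terminates the string literal.
function buildCodeUnsafe(fn, url, title) {
  return "(" + fn.toString() + ")('" + url.replace("'", "'") +
    "', '" + title.replace("'", "'") + "', 'open')";
}

// Hardened: each argument is serialised with JSON.stringify, which yields a
// valid JS string literal (quotes, backslashes and newlines stay data).
function buildCodeSafe(fn, url, title) {
  return "(" + fn.toString() + ")(" + JSON.stringify(url) + ", " +
    JSON.stringify(title) + ", 'open')";
}

// Runs generated code the way the target tab would and reports whether the
// marker statement carried by the constructed title was reached. Demo only.
function runGenerated(code) {
  globalThis.injected = false;
  return Function(code + "; return globalThis.injected;")();
}

// Constructed tab title: closes the string literal and appends a statement.
const HOSTILE_TITLE = "x', 'open'); globalThis.injected = true; ('";
const TAB_URL = "https://example.test/page";

// runGenerated(buildCodeUnsafe(...)) -> true (title became code)
// runGenerated(buildCodeSafe(...))   -> false (title stayed data)
```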
  • 40. XSS in the view
    • the content script takes data from the page DOM
    • sends it to the view
    • the view displays it without escaping
  • 41-43. [Diagram slides: the architecture diagram again, tracing the data flow of an XSS in the view (DOM -> content script.js -> view.html -> background.js / chrome.* API).]
  • 44. XSS in the view
    • Effects
      • persistence in the background
      • access to the chrome.* API (limited by permissions)
    • DEMO - Slick RSS: feed finder
        <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss">
  • 45. Vulnerabilities in NPAPI
    • Content from the page reaches the view
    • The view passes it to the NPAPI plugin
    • The vulnerability in the plugin is triggered
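The feed-finder demo above shows the view rendering a link title taken from the page without escaping. Added example, not code from the slides or from Slick RSS: the unsafe rendering pattern next to a hardened one that escapes title and href and resolves the href against the page URL while allowing only http(s) schemes; the feed records and the page URL are constructed inputs.

```javascript
// Added example, not code from the slides or from the Slick RSS extension.
// Models the feed-finder flow: the content script collects title/href pairs
// from <link rel="alternate" type="application/rss+xml"> elements on an
// untrusted page and the view turns them into markup. Pure string functions,
// so both renderers can be compared in plain Node.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escapes for text content and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Resolves a feed href against the page URL (pageUrl is an assumed input the
// content script would pass along) and keeps only http(s) results.
function safeFeedUrl(href, pageUrl) {
  try {
    const u = new URL(href, pageUrl);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Pattern behind the demo: title and href pasted straight into innerHTML.
function renderFeedListUnsafe(feeds) {
  return "<ul>" + feeds.map((f) =>
    '<li><a href="' + f.href + '">' + f.title + "</a></li>").join("") + "</ul>";
}

// Hardened view: URL scheme checked, every dynamic value escaped.
function renderFeedListSafe(feeds, pageUrl) {
  const items = [];
  for (const f of feeds) {
    const href = safeFeedUrl(f.href, pageUrl);
    if (href === null) continue; // drop javascript:, data:, etc.
    items.push('<li><a href="' + escapeHtml(href) + '">' + escapeHtml(f.title) + "</a></li>");
  }
  return "<ul>" + items.join("") + "</ul>";
}

// Constructed input mirroring the slide's <link> payload plus a benign entry.
const PAGE_URL = "https://example.test/blog/";
const FEEDS = [
  { title: "hello <img src=x onerror='payload'>", href: "/rss.rss" },
  { title: "Example feed", href: "https://example.test/feed.xml" },
];
```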
  • 46-49. [Diagram slides: the architecture diagram extended with an NPAPI plugin, tracing page content from the DOM through content script.js and view.html into the plugin.]
  • 51. Vulnerabilities in NPAPI
    • Example: cr-gpg 0.7.8
        string cmd = "c:\\windows\\system32\\cmd.exe /c ";
        cmd.append(gpgFileLocation);
        cmd.append("-e --armor");
        cmd.append(" --trust-model=always");
        for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
          cmd.append(" -r");
          cmd.append(peopleToSendTo.at(i));
        }
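In the cr-gpg snippet above every recipient is appended to a cmd.exe command line as-is, so the recipient list the view receives from the page has to be constrained before it ever reaches the plugin. Added example, not code from the slides or from cr-gpg: a view-side allow-list check that accepts only e-mail addresses and hex GPG key IDs (the patterns are assumed for illustration); the real fix is for the plugin to stop going through a shell at all.

```javascript
// Added example, not code from the slides or from cr-gpg. The view of an
// extension like cr-gpg hands recipient addresses from the page to a native
// plugin that builds a cmd.exe command line, so anything that is not a plain
// address becomes shell syntax or an extra gpg option. This is defence in
// depth on the JavaScript side; the plugin should not use a shell at all.

// Assumed allow-list patterns: a simple e-mail address, or a GPG key ID /
// fingerprint of 8, 16 or 40 hex digits with an optional 0x prefix.
const EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
const KEY_ID = /^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$/;

// Returns the trimmed, validated list or throws on the first bad entry.
// Whitespace, quotes, '&', '|' and leading '-' never match either pattern.
function validateRecipients(recipients) {
  if (!Array.isArray(recipients) || recipients.length === 0) {
    throw new Error("no recipients");
  }
  return recipients.map((r) => {
    const v = String(r).trim();
    if (!EMAIL.test(v) && !KEY_ID.test(v)) {
      throw new Error("rejected recipient: " + JSON.stringify(v));
    }
    return v;
  });
}

// Convenience wrapper for callers that only need a yes/no answer.
function recipientsAreSafe(recipients) {
  try {
    validateRecipients(recipients);
    return true;
  } catch (e) {
    return false;
  }
}
```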
  • 52-63. [Diagram slides: the NPAPI diagram extended with gpg.exe and cmd.exe, tracing the recipient list from the page through the view and the plugin into the command line.]
  • 65.
    • alert(1) - and what next?
    • A tool for automation is needed
    • Like BeEF, but for exploiting Chrome extensions
    http://www.flickr.com/photos/josephwuorigami/3165180003/
  • 67. Exploitation
    • Monitoring tabs
    • Executing JS in every tab
    • Extracting HTML
    • Reading/writing cookies
    • Manipulating history
    • Proxy settings
  • 68. Starting the server
        $ php -v
        PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
        Copyright (c) 1997-2012 The PHP Group
        Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
            with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
        $ php server.php 2>command.log
        XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com
        Usage: php server.php [port=8080] [host=127.0.0.1]
        Communication is logged to stderr, use php server.php [port] 2>log.txt
        2012-07-22 12:40:06 [info] Server created
        2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
        2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
        2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
        2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
        2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1
        ...