This document discusses threats posed by malicious Chrome extensions and proposes countermeasures. It begins by noting that extensions have long been a vehicle for attacks in other browsers (IE BHOs/add-ons, Firefox extensions). While Chrome's extension system applies least privilege, privilege separation and isolation, the authors' experiments show that a malicious extension can still carry out email spamming, DDoS, and phishing attacks. The document analyzes Chrome's permission and trust models, finding that content scripts run with more privilege than least privilege would grant: they get full access to the origin of any page they are injected into. It concludes by proposing a permission model that follows least privilege and separation of privilege more strictly to improve security against malware extensions.
HTML5 introduces significant changes for today's websites: new and updated tags, new functionality, better error handling and an improved Document Object Model (DOM). However, the new HTML5 features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, the associated risks and what needs to be taken into consideration when implementing HTML5.
Mobile applications Development - Lecture 17
Server-Side Programming Primer:
REST
Web Sockets
Server-sent Events
This presentation has been developed in the context of the Mobile Applications Development course at the Computer Science Department of the University of L’Aquila (Italy).
http://www.di.univaq.it/malavolta
Sizing an Alfresco infrastructure has always been an interesting topic with lots of unanswered questions. There is no perfect formula that can accurately define the right sizing for your architecture given your use case. However, we can provide valuable guidance on how to size your Alfresco solution, by asking the right questions, collecting the right numbers, and making the right assumptions in a very interesting sizing exercise.
How many alfresco servers will you need on your alfresco cluster? How many CPUs/cores do you need on those servers to handle your estimated user concurrency? How do you estimate the sizing and growth of your storage? How much memory do you need on your Solr servers? How many Solr servers do you need to get the response times you require? What are the golden rules that can drive and maintain the success of an Alfresco project?
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Blackhat11 shreeraj reverse_engineering_browser (Shreeraj Shah)
Hacking browser components by reverse engineering is emerging as the best way for discovering potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA space is flooded with technologies like HTML5, Flex/Flash, Silverlight, extended DOM and numerous third-party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter, Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing. Browsers today host a substantial part of web applications including data access, business logic, encryption, etc. along with the presentation layer. This shift is making browser components a potential target for hackers. The danger of poorly written browser components being
EWD 3 Training Course Part 45: Using QEWD's Advanced MicroService Functionality (Rob Tweed)
This is Part 45 of the EWD Training Course. In this presentation we'll examine in detail the advanced MicroService capabilities of QEWD, e.g. dynamic routes, templated paths, custom response handling and chained MicroServices.
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
- Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
Build your own Chrome Extension with AngularJS (flrent)
What are Chrome Extensions?
What can you do?
Explanation of Content scripts, Background pages and Popup
Use Angular with CSP mode
Build and distribute your app
Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S... (Divyanshu)
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
Deep Dive on Lambda@Edge - August 2017 AWS Online Tech Talks (Amazon Web Services)
Learning Objectives:
- Learn how you can use Lambda@Edge and Amazon CloudFront to deliver richer, more personalized content with low latency to your customers
- Learn how you can use serverless coding across Amazon's network of edge locations
- Find out from our customers how they are using Lambda@Edge
Today, developers have to forward requests from distributed CDN endpoints back to compute resources at their centralized servers in order to do any customized processing, slowing down the end user experience. The Lambda-based processing model allows you to write JavaScript code that runs within the growing network of AWS edge locations. In this tech talk, we will provide a deep dive on the capabilities of Lambda@Edge and its use cases.
Talk given at OWASP Floripa Day - Florianópolis - SC |
The talk aims to show the concepts and workings of some features added in HTML5, considering client-side security aspects. For the highlighted features, attack scenarios were built to illustrate retrieving sensitive information stored in the browser, or even using the victim's browser to launch attacks against other systems. By exploiting the features present in HTML5, exploitation techniques such as XSS and CSRF become more powerful and efficient, and in some cases it is possible to bypass some restrictions of the Same Origin Policy (SOP).
This presentation describes the principles behind Sahi, the best automation tool for cross browser testing of complex AJAX applications. The video is available here: http://www.youtube.com/watch?v=Fue5unKjuCM
How do JavaScript frameworks impact the security of applications? (Ksenia Peguero)
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.
Attendees will learn the best web application security practices used by major US government entities. The presentation will cover network configuration, caching, replication, common web application vulnerabilities, and how making these changes will result in better web site performance and user satisfaction. The five most common types of web application attacks will be explained, along with simple ways to prevent them.
Enterprise WordPress - Performance, Scalability and Redundancy (John Giaconia)
Slides on how to build your WordPress site so that it performs like an enterprise application.
Associated video: http://wordpress.tv/2014/06/25/john-giaconia-enterprise-wordpress-performance-scalability-and-redundancy/
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Providing Globus Services to Users of JASMIN for Environmental Data Analysis (Globus)
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G... (Globus)
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Juraj Vysvader:
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc., and I didn't get rich from it, but it did have 63K downloads (powering possibly tens of thousands of websites).
How to Position Your Globus Data Portal for Success: Ten Good Practices (Globus)
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
SOCRadar Research Team: Latest Activities of IntelBroker (SOCRadar)
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntelBroker. We have compiled what happened in the last few days.
First Steps with Globus Compute Multi-User Endpoints (Globus)
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... (Globus)
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam (takuyayamamoto1800)
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Accelerate Enterprise Software Engineering with Platformless (WSO2)
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Chrome extensions threat analysis and countermeasures
1. Chrome Extensions: Threat Analysis and Countermeasures
Lei Liu, Xinwen Zhang*, Guanhua Yan*, and Songqing Chen
George Mason University, Huawei R&D Center, Los Alamos National Laboratory
NDSS'12
* Does not represent employer's opinion
2. Attacks via Extensions
• Extensions are a vehicle for a growing number of attacks
• BHOs/add-ons are one of the techniques used by many spyware writers in IE
  • Kida et al.'05, CERT'05, Egele'07, Li'07, Guha'11
• Abuse of Firefox extensions has been widely recognized and studied in the literature
  • Defcon'09, Ter-Louw'08, Dhawan'09, Bandhakavi'10, Djeric'10, Guha'11
3. Attacks via Chrome Extensions
• Buggy Chrome extensions have been identified recently
  • 27 out of 100 leak data
    – http://www.adrienneporterfelt.com/blog/?p=226
• Malicious extensions have appeared
4. Problem Statement
• Why Chrome extensions?
  – Chrome has a built-in security model for its browser architecture and for extensions
• Is the current Chrome extension architecture good enough?
  – Particularly once malicious extensions are taken into consideration
• Malicious extensions are easy to launch:
  – It is a difficult task to sanitize the rapidly growing number of extensions in the Google Chrome Web Store with a slow reviewing process
  – Users are free to download/install extensions from many (known/unknown) host servers
  – Strong incentive for attackers, e.g.,
    • harvest sensitive content in web pages
    • modify web search content
• Google takes actions against malicious extension developers
  – signup fee for developers
  – domain verification for developers
• Problem: can we have a technical solution?
  – Or an improvement of the current permission model for better security against malware extensions?
5. Contributions
• We demonstrate several attacks with malicious Chrome extensions through experimental implementation
• We do a security analysis of the permission model of Chrome extensions
  – Under the assumption of malicious extensions
• We propose a security-enhanced extension permission model and enforcement mechanism
  – Following the principles of least privilege and separation of privilege in a stricter way
6. Chrome Extension Architecture
(Architecture diagram. Components shown: Extension core (HTML/JavaScript) and Native code, separated by a Process boundary; Installation from the Extension gallery; Renderer containing the Content Script (JavaScript) in an Isolated World, the page DOM and JS, Cookies and Localstorage; Web server.)
7. Chrome Extension Security Model
• Least privilege
  – Pre-defined permission set (e.g., to access web sites, browser tabs, bookmarks, history, ...)
  – Each extension declares the permissions it requires
  – User authorizes permissions at installation time
• Privilege separation
  – Different permissions for different components of an extension
  – Content script can interact with web content, not browser modules
  – Extension core has more privileges, but is insulated from web pages
• Strong isolation
  – Same origin policy
    • Each extension has a unique origin
    • Accessing other origins requires cross-site permissions
    • Injecting a content script requires cross-site permissions
  – Process-level isolation: the extension core runs in a separate process from the renderer and the browser
  – Within a renderer process, the content script runs in an isolated world, apart from the web page's JavaScript
8. Chrome Extension Trust Model
• The main trust model of Chrome extensions assumes trusted but buggy extensions
• But malicious web pages
• Therefore the security objectives are mainly restricting web pages from accessing browser resources via extensions
• And confining the damage propagation if possible
9. Experimental Attacks
• We develop a malicious extension as a bot
  – from Chrome 7 to the latest
  – does email spamming, DDoS, and phishing attacks easily
• Through attacking web pages
  – Receives commands from the bot master with the built-in update mechanism of Chrome extensions
    • No security check for update
10. Email Spamming
[Diagram: the bot master uploads an update to the update site; the browser extension downloads the update and then manipulates the POST requests sent to the webmail server]
13. Security Analysis
• Trust Model:
  – We assume browser kernel and plugins are trustworthy
  – Sandbox mechanism provided by the OS works well
  – Native code for extensions is sandboxed
  – Web apps are trusted
• Threat model: malicious extensions
  – Extension core
  – Content scripts
14. Cross-site Forgery with Content Script
[Diagram: extension (HTML/JavaScript) behind a process boundary; in the renderer, the content script (JavaScript) in its isolated world shares the page's DOM, JS, cookies and localStorage, which reach the web server]
• A content script injected into a web page can arbitrarily access the origin of the page
• All user credentials associated with the origin can be included in an HTTP request
• Since the origin of the content script is usually not that of the web page
  – This is a Cross-site Request Forgery
  – The email spamming attack leverages this
• Default privileges of content script are not least
15. Cross-site Requests with Extension Core
[Diagram: the extension core (HTML/JavaScript) sends requests to the web server, while two content scripts (JavaScript), each in its own isolated world across a process boundary, relay through the core]
• Cross-site requests via content scripts through the extension core
• The extension core can file cross-site HTTP requests to multiple origins
  – Cross-site permissions are authorized in order to inject content scripts.
• Default privileges of extension core are not least
• No differentiated permission of extension core and content script
  – Injecting scripts vs. cross-site requests
16. Cross-site Requests with Content Scripts
[Diagram: extension (HTML/JavaScript) behind a process boundary; in the renderer, the content script (JavaScript) in its isolated world manipulates the page's DOM, with JS, cookies and localStorage reaching the web server]
• Without cross-site permission, a running content script can only make HTTP requests to the origin of the tab page
• However, since the content script has full privileges over the DOM, it can file unlimited cross-site HTTP requests to arbitrary origins, e.g.,
  – Insert iframe
  – Load img
  – Modify src of DOM objects
  – With user credentials included in the request
• Loading of new DOM objects results in cross-site requests
• Privilege to access DOM is not least for content script
17. Undifferentiated Permissions
[Diagram: same architecture as before, with the manifest fragment "permissions": ["http://*/*"] granted to the whole extension]
• An extension may inject content scripts into many origins
  – It does not need to file HTTP requests to all origins
  – But only to a dedicated one, e.g., a translation web service
• When an origin is assigned to an extension, all components get the full privileges
  – Extension core can file cross-site requests freely
  – Content script can arbitrarily modify the DOM, and file cross-site requests
• Privilege separation is not fine-grained enough
19 out of 30 most popular extensions have this type of over-privilege
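As an added example (not the authors' tool), the following audit flags the `http://*/*` style host permission discussed above and sketches the per-component split that the proposed micro-privilege management would give. The split-spec format is hypothetical, since the slides do not show theirs; the sample manifest and the `translate.example` service are constructed.

```javascript
// Added example, not the authors' implementation: flag manifests that grant
// host access to every origin and sketch a per-component permission split.
// The sample manifest and the translate.example service are constructed.

const BROAD_HOST_PATTERNS = ["<all_urls>", "http://*/*", "https://*/*", "*://*/*"];

// For a match pattern <scheme>://<host>/<path>, return the <scheme>://<host> part.
function originOfPattern(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m ? `${m[1]}://${m[2]}` : null;
}

// Audit a Manifest V2 style manifest. `coreOrigins` lists the origins the
// extension core itself must contact; the auditor supplies them because the
// manifest alone does not say where the core's HTTP requests go.
function auditManifest(manifest, coreOrigins) {
  const hostPerms = (manifest.permissions || [])
    .filter(p => p === "<all_urls>" || originOfPattern(p) !== null);
  const broad = hostPerms.filter(p => BROAD_HOST_PATTERNS.includes(p));
  const injectOrigins = [...new Set((manifest.content_scripts || [])
    .flatMap(cs => cs.matches || []).map(originOfPattern).filter(Boolean))];
  return {
    overPrivileged: broad.length > 0,
    broadHostPermissions: broad,
    // Hypothetical split spec in the spirit of micro-privilege management:
    // content scripts get injection only, the core gets only the origins it calls.
    suggestedSpec: {
      content_script_permissions: { inject: injectOrigins, http: [] },
      core_permissions: { http: coreOrigins },
    },
  };
}

// Constructed manifest of a "translator" extension that injects into every
// page but only ever talks to one translation service.
const SAMPLE_MANIFEST = {
  name: "Sample Translator (constructed)",
  permissions: ["tabs", "http://*/*"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["cs.js"] }],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, ["https://translate.example"]), null, 2));
```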
18. Security Enhanced Chrome Extensions
• Micro-privilege management
• Differentiate DOM elements with sensitivity
19. Micro-privilege Management
• More fine-grained permission definition and enforcement
• Fine-grained permission differentiation for extension core and content script
  – Permission specs are separated for the different components
• Least default privileges
  – Content script cannot introduce a new origin to the DOM
  – No HTTP request to tab origin
21. Differentiating DOM Elements
• To further reduce possible sensitive data leakage by content scripts, DOM elements can be differentiated with sensitivity levels
• A web app developer can identify sensitive information in a web page, e.g.,
  – High level data: can only flow to the web origin
  – Medium level: may flow to authorized origins
  – Low level (default): can flow to any origin
• An extension developer can specify permissions accordingly:
  – E.g., HIGH for username/pw, MEDIUM for other user info
22. Implementation
• We have implemented the micro-privilege management and spec.
• For DOM sensitivity, we develop a helper extension (trusted):
  – To identify and label sensitive DOM elements
  – Re-write DOM element properties
    • According to a configurable dictionary
  – Chrome enforces the permission check based on the extension manifest
  – Explicitly marking sensitive info by the web app developer is not practical right now
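The following added example (not the authors' helper extension) puts the two previous slides together: form fields are labelled from a configurable dictionary, as the trusted helper does, and a content script's attempt to send labelled values to an origin is then checked against the three flow rules for HIGH, MEDIUM and LOW data. The dictionary, the form and the origins are constructed.

```javascript
// Added example, not the authors' implementation: dictionary-based labelling of
// DOM elements plus the HIGH/MEDIUM/LOW flow check from the slides.
// Dictionary, form fields and origins are all constructed.

// Constructed dictionary: attribute values that mark a field as sensitive.
const SENSITIVITY_DICTIONARY = {
  HIGH: ["password", "passwd", "pw", "ssn", "cardnumber"],
  MEDIUM: ["username", "email", "phone", "address"],
};

// Label one element (described by its attributes) with a sensitivity level.
function labelElement(el) {
  const keys = [el.name, el.id, el.type].filter(Boolean).map(s => s.toLowerCase());
  for (const level of ["HIGH", "MEDIUM"]) {
    if (keys.some(k => SENSITIVITY_DICTIONARY[level].includes(k))) return level;
  }
  return "LOW"; // the default level
}

// Flow rules: HIGH only to the page's own origin; MEDIUM to the page origin or
// an origin the extension's manifest authorizes; LOW anywhere.
function flowAllowed(level, pageOrigin, targetOrigin, authorizedOrigins) {
  if (targetOrigin === pageOrigin) return true;
  if (level === "HIGH") return false;
  if (level === "MEDIUM") return authorizedOrigins.includes(targetOrigin);
  return true;
}

// Enforcement check for a content script that wants to send the values of
// `elements` to `targetOrigin`: deny the request if any value may not flow.
function checkRequest(elements, pageOrigin, targetOrigin, authorizedOrigins) {
  const denied = elements
    .map(el => ({ name: el.name, level: labelElement(el) }))
    .filter(x => !flowAllowed(x.level, pageOrigin, targetOrigin, authorizedOrigins));
  return { allowed: denied.length === 0, denied };
}

// Constructed login form on https://mail.example; the extension's manifest
// authorizes https://translate.example for MEDIUM data.
const FORM = [
  { name: "username", type: "text" },
  { name: "pw", type: "password" },
  { name: "lang", type: "text" },
];
const PAGE = "https://mail.example";
const AUTHORIZED = ["https://translate.example"];
console.log(checkRequest(FORM, PAGE, PAGE, AUTHORIZED));
console.log(checkRequest(FORM, PAGE, "https://translate.example", AUTHORIZED));
console.log(checkRequest(FORM, PAGE, "https://other.example", AUTHORIZED));
```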
24. Evaluation
• We selected the 30 most popular extensions from the Google extension gallery
  – 24 of them have granted network access
  – 19 of them request higher privileges than necessary (http://*/*)
• Our implementation easily changes their spec to reduce privileges
25. Evaluation
• Our implementation blocks all experimental attacks on the bot extension.
26. Conclusions
• Demonstrated spamming, phishing, and DDoS attacks with implemented Chrome extensions
• Analyzed the permissions model that causes these problems
• Proposed a security enhanced permission model and enforcement for the Chrome extension architecture
  – Micro-privileged permission management and spec
  – Differentiate content script's permission with DOM sensitivity levels