Download as PDF, PPTX
![OWASP
Chrome Extensions - manifest
Manifest lists permissions, UI pages, content scripts
7
{
"manifest_version": 2,
"name": "Sample Extension",
"content_scripts": [
{
"matches": ["http://www.google.com/*"],
"js": ["jquery.js", "myscript.js"]
}
],
"background": {
"page": "background.html"
},
"permissions": [
"tabs",
"bookmarks",
"cookies"
"http://*/*",
"https://*/*",
]
}](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/75/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-7-2048.jpg)
![OWASP
Content script XSS
website CSP bypass
“Content scripts can also make cross-site
XMLHttpRequests to the same sites as their parent
extensions”
http://developer.chrome.com/extensions/
content_scripts.html
29
"permissions": [
"http://*/*",
"https://*/*",
]](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/75/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-35-2048.jpg)
![OWASP
Content script XSS
website CSP bypass
“Content scripts can also make cross-site
XMLHttpRequests to the same sites as their parent
extensions”
http://developer.chrome.com/extensions/
content_scripts.html
29
"permissions": [
"http://*/*",
"https://*/*",
]
40%](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/75/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-36-2048.jpg)
![OWASP
EOF
@kkotowicz
http://blog.kotowicz.net
https://github.com/koto
More research:
Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black
Hat 2011)
http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf
http://kotowicz.net/bh2012/advanced-chrome-extension-
exploitation-osborn-kotowicz.pdf
Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec,
@johnwilander, @garethheyes, @antisnatchor,
@freddyb,@internot_, @pdjstone, ....
38](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/75/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-49-2048.jpg)
Uploaded byKrzysztof Kotowicz
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
This document discusses attacking Chrome extensions through exploiting vulnerabilities in their architecture and code. It begins by explaining the components and permissions model of Chrome extensions. It then describes how to exploit vulnerabilities like DOM XSS in extensions' UI pages under the legacy v1 model. The document outlines fixes made in the v2 model but still finds ways to bypass security restrictions, such as through content script XSS. It introduces tools like XSSChEF and Mosquito for exploiting extensions. The presentation concludes by noting CSP should only be seen as a mitigation rather than prevention for extension vulnerabilities.
In this document
Powered by AI
Introduction to OWASP, its purpose, and speaker's background in security research and consulting.
Overview of Chrome Extensions architecture, components, manifest file, and their interaction with APIs.
Exploration of exploitation techniques of v1 extensions, focusing on UI page DOM XSS vulnerabilities and their impact.
Introduction of Manifest V2 improvements for security, particularly around content security policy and exploitation challenges.
Discussion on content script XSS vulnerabilities, allowing to bypass CSP, and presentation of exploitation tools.
Discussion on vulnerabilities within NPAPI plugins, their impact, and how they can lead to exploitation.
Summary of findings regarding Chrome extensions' vulnerabilities and potential avenues for further research.
More Related Content
Similar to I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
![[2.1] Web application Security Trends - Omar Ganiev](https://cdn.slidesharecdn.com/ss_thumbnails/2-150301070554-conversion-gate02-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
- 1. Copyright 2007 ©The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
- 2. OWASP About me Security research clientside security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
- 3. OWASP Plan 3 Chrome Extensions architecture Exploitinglegacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
- 4. OWASP Chrome Extensions Notplugins (Java, Flash, ...) HTML5 applications html, javascript, css Installed from Chrome Web Store Access to privileged API chrome.tabs chrome.bookmarks chrome.history chrome.cookies 4
- 5. OWASP Chrome Extensions -components UI pages background page option pages extension UI Content scripts run alongside website interaction with websites 5
- 6. OWASP 6 Diagram byWade Alcorn. Thanks!
- 7. OWASP Chrome Extensions -manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
- 8. OWASP Chrome Extensions -restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
- 9.
- 10.
- 11. OWASP UI page DOMXSS content-script takes data off website DOM sends it to UI page view fails to escape data upon viewing it cross-zone DOM XSS 11
- 12.
- 13.
- 14.
- 15. OWASP UI page DOMXSS Consequences XSS in chrome-extension:// access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
- 16. OWASP UI page DOMXSS Consequences XSS in chrome-extension:// access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
- 17. OWASP Exploiting UI pageXSS Chrome Extension Exploitation Framework BEEF for Chrome extensions 14 https://github.com/koto/xsschef
- 18.
- 19.
- 20.
- 21.
- 22. OWASP Chrome extensions v1summary UI page XSS is very common note taking developer tools RSS readers Each XSS has big impact How do you eradicate XSS without relying on developers? 19
- 23.
- 24.
- 25. OWASP Manifest v2 22 ContentSecurity Policy obligatory for UI pages no eval() no inline scripting no external scripts XSS exploitation very difficult Manifest v1 extensions slowly deprecating Jan 2014 - Chrome stops running them All fixed? script-src 'self'; object-src 'self'
- 26.
- 27. OWASP UI page XSS- new vectors eval() used in JS templating libraries mustachejs underscorejs jQuery template hoganjs ... Possible to relax CSP to allow unsafe-eval Some extensions use it 24
- 28. OWASP Content script XSS Content scripts not subject to CSP Go figure... 25
- 29.
- 30.
- 31.
- 32. OWASP Content script XSS XSS in http:// chrome-extension CSP bypass access to DOM access to cookies 27
- 33. OWASP As sexy asself XSS... 28
- 34. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29
- 35. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
- 36. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
- 37. OWASP Content script XSS Introducing Mosquito (Another) Chrome Extension XSS Exploitation tool XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
- 38. OWASP Mosquito 31 XSS ws:// HTTP/S proxy inspired by MalaRIA by Erlend Oftedal and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
- 39. OWASP DEMO TIME v1.0.3.3 https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem 0.5 mln users found by Sergey Belov 32
- 40. OWASP NPAPI plugins vulnerabilities UI page gets the payload Forwards it to NPAPI plugin Binary vulnerability in plugin buffer overflow command injection ... Code run with OS user permission No sandbox! 33
- 41.
- 42.
- 43.
- 44.
- 45. OWASP NPAPI plugins vulnerabilities 35 FB::variantgmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
- 46. OWASP NPAPI plugins vulnerabilities 35 FB::variantgmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
- 47. OWASP Bonus CSP bypassthrough filesystem: API Filesystem API - virtual filesystem for HTML app filesystem:http://example.com/file.png filesystem:chrome-extension://<id>/path.html Postman - REST client v 0.8.1 180K users including @webtonull 36
- 48. OWASP Summary Chrome extensionsv2 still XSSable CSP should be treated as mitigation, not prevention New tools for attack 37
- 49. OWASP EOF @kkotowicz http://blog.kotowicz.net https://github.com/koto More research: Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011) http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38