SlideShare a Scribd company logo

Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

Krzysztof Kotowicz
Krzysztof Kotowicz

My OWASP AppSec Europe 2013 talk.

TechnologyDesign
1 of 49
Download to read offline
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
OWASP Chrome Extensions  Not plugins (Java, Flash, ...)  HTML5 applications  html, javascript, css Installed from Chrome Web Store  Access to privileged API  chrome.tabs  chrome.bookmarks  chrome.history  chrome.cookies 4
OWASP Chrome Extensions - components  UI pages  background page  option pages  extension UI Content scripts  run alongside website  interaction with websites 5
OWASP 6 Diagram by Wade Alcorn. Thanks!
OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
OWASP Isolated worlds 9 DOM content script JS website JS
OWASP Exploiting v1 extensions 10
OWASP UI page DOM XSS  content-script takes data off website DOM  sends it to UI page  view fails to escape data upon viewing it  cross-zone DOM XSS 11
OWASP 12
OWASP 12
OWASP 12
OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
OWASP Exploiting UI page XSS  Chrome Extension Exploitation Framework  BEEF for Chrome extensions 14 https://github.com/koto/xsschef
OWASP XSS ChEF 15
OWASP XSS ChEF 16
OWASP XSS ChEF 17
OWASP XSS ChEF 18
OWASP Chrome extensions v1 summary  UI page XSS is very common  note taking  developer tools  RSS readers  Each XSS has big impact  How do you eradicate XSS without relying on developers? 19
OWASP 20
OWASP Manifest v2 fixes 21
OWASP Manifest v2 22  Content Security Policy obligatory for UI pages  no eval()  no inline scripting  no external scripts  XSS exploitation very difficult  Manifest v1 extensions slowly deprecating  Jan 2014 - Chrome stops running them  All fixed? script-src 'self'; object-src 'self'
OWASP Exploiting v2 extensions 23
OWASP UI page XSS - new vectors  eval() used in JS templating libraries  mustachejs  underscorejs  jQuery template  hoganjs  ...  Possible to relax CSP to allow unsafe-eval  Some extensions use it 24
OWASP Content script XSS  Content scripts not subject to CSP  Go figure... 25
OWASP 26
OWASP 26
OWASP 26
OWASP Content script XSS  XSS in http://  chrome-extension CSP bypass  access to DOM  access to cookies 27
OWASP As sexy as self XSS... 28
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
OWASP Content script XSS  Introducing Mosquito  (Another) Chrome Extension XSS Exploitation tool  XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
OWASP Mosquito 31 XSS ws:// HTTP/S proxy  inspired by MalaRIA by Erlend Oftedal  and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
OWASP DEMO TIME  v 1.0.3.3  https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem  0.5 mln users  found by Sergey Belov 32
OWASP NPAPI plugins vulnerabilities  UI page gets the payload  Forwards it to NPAPI plugin  Binary vulnerability in plugin  buffer overflow  command injection  ...  Code run with OS user permission  No sandbox! 33
OWASP 34
OWASP 34
OWASP 34
OWASP 34
OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
OWASP Bonus  CSP bypass through filesystem: API  Filesystem API - virtual filesystem for HTML app  filesystem:http://example.com/file.png  filesystem:chrome-extension://<id>/path.html  Postman - REST client  v 0.8.1  180K users  including @webtonull 36
OWASP Summary  Chrome extensions v2 still XSSable  CSP should be treated as mitigation, not prevention  New tools for attack 37
OWASP EOF  @kkotowicz  http://blog.kotowicz.net  https://github.com/koto  More research:  Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011)  http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf  http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf  Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38

Recommended

REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Owasp top ten 2019
Owasp top ten 2019Owasp top ten 2019
Owasp top ten 2019Santiago Rodríguez Paniagua
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 

Recommended

REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Owasp top ten 2019
Owasp top ten 2019Owasp top ten 2019
Owasp top ten 2019Santiago Rodríguez Paniagua
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Database security
Database securityDatabase security
Database securityCAS
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rulesn|u - The Open Security Community
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeMarie Tapia
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsDamien Magoni
 
Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable Ayoub Rouzi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeBGA Cyber Security
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomFlorence Devouard
 

More Related Content

What's hot

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Database security
Database securityDatabase security
Database securityCAS
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeMarie Tapia
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsDamien Magoni
 
Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable Ayoub Rouzi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeBGA Cyber Security
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful toolsmilad mahdavi
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 

What's hot (20)

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Database security
Database securityDatabase security
Database security
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme Thémée
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable Ateliers d’une application Web vulnérable
Ateliers d’une application Web vulnérable
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu EngellemeÖrnek Spam Çözümü: TTNET SMTP Portunu Engelleme
Örnek Spam Çözümü: TTNET SMTP Portunu Engelleme
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
Kali linux useful tools
Kali linux useful toolsKali linux useful tools
Kali linux useful tools
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 

Viewers also liked

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomFlorence Devouard
 
Certificate of Completion
Certificate of CompletionCertificate of Completion
Certificate of CompletionDavid Lim
 
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)Dementia Friendly Japan Initiative
 
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...The Rockefeller Foundation
 
USA on the Web
USA on the WebUSA on the Web
USA on the Webron mader
 
2016 Veteran Insights Report
2016 Veteran Insights Report2016 Veteran Insights Report
2016 Veteran Insights ReportLinkedIn for Good
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
NV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenNV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenThierry Debels
 
Church. Got an app for that?
Church. Got an app for that?Church. Got an app for that?
Church. Got an app for that?ASDSVV
 
Symbiosis international university
Symbiosis international universitySymbiosis international university
Symbiosis international universityyunus khan
 
PrivateWave - sales presentation_en
PrivateWave - sales presentation_enPrivateWave - sales presentation_en
PrivateWave - sales presentation_enMarco Pissarello
 
Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013GreythornAU
 
Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Experiencia Trading
 
Jane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane Hart
 

Viewers also liked (20)

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'Eracom
 
Certificate of Completion
Certificate of CompletionCertificate of Completion
Certificate of Completion
 
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
 
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
 
USA on the Web
USA on the WebUSA on the Web
USA on the Web
 
2016 Veteran Insights Report
2016 Veteran Insights Report2016 Veteran Insights Report
2016 Veteran Insights Report
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
NV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenNV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemen
 
Publish
PublishPublish
Publish
 
Church. Got an app for that?
Church. Got an app for that?Church. Got an app for that?
Church. Got an app for that?
 
My social representation
My social representationMy social representation
My social representation
 
Symbiosis international university
Symbiosis international universitySymbiosis international university
Symbiosis international university
 
Kunst, økonomi, kreativ kapitalisme
Kunst, økonomi, kreativ kapitalismeKunst, økonomi, kreativ kapitalisme
Kunst, økonomi, kreativ kapitalisme
 
PrivateWave - sales presentation_en
PrivateWave - sales presentation_enPrivateWave - sales presentation_en
PrivateWave - sales presentation_en
 
Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013
 
Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012
 
Jane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSA
 

Similar to Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxrichardnorman90310
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detectorguest31a5be
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosPROIDEA
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...cresco
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 

Similar to Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses (20)

Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
4.Xss
4.Xss4.Xss
4.Xss
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detector
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
 
Antiviruxss
AntiviruxssAntiviruxss
Antiviruxss
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffKrzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comesKrzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptKrzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (15)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
  • 2. OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
  • 3. OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
  • 4. OWASP Chrome Extensions  Not plugins (Java, Flash, ...)  HTML5 applications  html, javascript, css Installed from Chrome Web Store  Access to privileged API  chrome.tabs  chrome.bookmarks  chrome.history  chrome.cookies 4
  • 5. OWASP Chrome Extensions - components  UI pages  background page  option pages  extension UI Content scripts  run alongside website  interaction with websites 5
  • 6. OWASP 6 Diagram by Wade Alcorn. Thanks!
  • 7. OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
  • 8. OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
  • 11. OWASP UI page DOM XSS  content-script takes data off website DOM  sends it to UI page  view fails to escape data upon viewing it  cross-zone DOM XSS 11
  • 15. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  • 16. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  • 17. OWASP Exploiting UI page XSS  Chrome Extension Exploitation Framework  BEEF for Chrome extensions 14 https://github.com/koto/xsschef
  • 22. OWASP Chrome extensions v1 summary  UI page XSS is very common  note taking  developer tools  RSS readers  Each XSS has big impact  How do you eradicate XSS without relying on developers? 19
  • 25. OWASP Manifest v2 22  Content Security Policy obligatory for UI pages  no eval()  no inline scripting  no external scripts  XSS exploitation very difficult  Manifest v1 extensions slowly deprecating  Jan 2014 - Chrome stops running them  All fixed? script-src 'self'; object-src 'self'
  • 27. OWASP UI page XSS - new vectors  eval() used in JS templating libraries  mustachejs  underscorejs  jQuery template  hoganjs  ...  Possible to relax CSP to allow unsafe-eval  Some extensions use it 24
  • 28. OWASP Content script XSS  Content scripts not subject to CSP  Go figure... 25
  • 32. OWASP Content script XSS  XSS in http://  chrome-extension CSP bypass  access to DOM  access to cookies 27
  • 33. OWASP As sexy as self XSS... 28
  • 34. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29
  • 35. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
  • 36. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
  • 37. OWASP Content script XSS  Introducing Mosquito  (Another) Chrome Extension XSS Exploitation tool  XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
  • 38. OWASP Mosquito 31 XSS ws:// HTTP/S proxy  inspired by MalaRIA by Erlend Oftedal  and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
  • 39. OWASP DEMO TIME  v 1.0.3.3  https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem  0.5 mln users  found by Sergey Belov 32
  • 40. OWASP NPAPI plugins vulnerabilities  UI page gets the payload  Forwards it to NPAPI plugin  Binary vulnerability in plugin  buffer overflow  command injection  ...  Code run with OS user permission  No sandbox! 33
  • 45. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
  • 46. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
  • 47. OWASP Bonus  CSP bypass through filesystem: API  Filesystem API - virtual filesystem for HTML app  filesystem:http://example.com/file.png  filesystem:chrome-extension://<id>/path.html  Postman - REST client  v 0.8.1  180K users  including @webtonull 36
  • 48. OWASP Summary  Chrome extensions v2 still XSSable  CSP should be treated as mitigation, not prevention  New tools for attack 37
  • 49. OWASP EOF  @kkotowicz  http://blog.kotowicz.net  https://github.com/koto  More research:  Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011)  http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf  http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf  Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38