LET'S PWN A CHINESE WEB BROWSER!
DISOBEY 2019 — JUHO NURMINEN
DISCLAIMERS
I'm not my employer. My opinions aren't necessarily theirs. They haven't contributed to this
workshop, do not endorse it, and should not be held responsible for any outcomes.
The browsers we're about to look at are literally "made in China". Install and run them at
your own responsibility. They may invade your privacy, they may install other unwanted
software, and they may be difficult to uninstall properly. Using a disposable VM is highly
recommended.
In fact, anything you do in this workshop is at your own responsibility. Even if I tell you to do
so. I don't have permission from any vendors and I Am Not A Lawyer.
Any vulnerabilities you find are yours to keep. I suggest reporting them to the vendor and/or
a CERT of your choice. I can help in finding the right contacts, but it's your call.
YOUR INSTRUCTOR
Web & mobile hacker — Specialist @ 2NS
Browser hacker — several CVEs in
Chrome, Firefox, Safari
Antivirus hacker — Disobey 2018
CHINESE WEB BROWSERS?
THE TARGETS
Platform support and market share (StatCounter Oct 2018)

Browser         URL                           Windows  macOS  Linux  Android  iOS  In China  Globally
UC Browser      http://www.ucweb.com/         Yes      No     No     Yes      Yes  15.79 %   7.39 %
QQ Browser      https://browser.qq.com/       Yes      Yes    No     Yes      No   11 %      0.27 %
Sogou Explorer  https://ie.sogou.com/         Yes      No     No     Yes      Yes  2.05 %    0.06 %
Maxthon         http://www.maxthon.com/       Yes      Yes    Yes    Yes      Yes  0.56 %    0.05 %
                https://browser.360.cn/       Yes      No     No     Yes      Yes  0.17 %    0.03 %
Baidu Browser   https://liulanqi.baidu.com/   Yes      No     No     Yes      Yes  < 0.06 %  < 0.1 %
INSTALLING MAXTHON ON KALI
Additional packages: libcurl3 (conflicts with libcurl4),
libgcrypt11, libssl1.0.0
Running as root:
maxthon --user-data-dir=userdata --no-sandbox
BROWSER ARCHITECTURE
IE LOGICAL COMPONENTS
(X41 Browser Security Whitepaper)
CHROME LOGICAL COMPONENTS
(X41 Browser Security Whitepaper)
CHROME + IE = ???
(yours truly & mspaint)
SECURITY CONCEPTS
COMPARTMENTALIZATION
Web content: Same-Origin Policy & Site Isolation
Extensions: Isolated Worlds & Privilege Separation
OS/Browser: Privilege Separation, Sandboxing &
Hardening
ENCRYPTION
Regular web traffic
External resources in internal UI
Sharing, sync, safe browsing & other APIs
Automatic updates
PORT BANNING
Protects against Inter-Protocol Exploitation
IE: 19, 21, 25, 110, 119, 143, 220, 993
Chrome: 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 37, 42,
43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111,
115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512,
513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587,
601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666,
6667, 6668, 6669, 6697
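As an added example, not code from the slides or from any browser, here is the port-ban check reimplemented in JavaScript with the two lists quoted above, so you can see which URLs each policy would refuse to fetch. The lists are taken verbatim from the slide; real browsers revise their lists between versions and keep scheme-specific exceptions that this toy check does not model. The hostnames are constructed.

```javascript
// Added example, not the slides' or any browser's own code: a toy port-ban
// check using the Chrome and IE restricted-port lists quoted on the slide.
// Real browsers keep scheme-specific exceptions that are not modelled here.
const CHROME_BANNED_PORTS = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 37, 42, 43, 53, 77, 79, 87, 95,
  101, 102, 103, 104, 109, 110, 111, 115, 117, 119, 123, 135, 139, 143, 179,
  389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601,
  636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666, 6667, 6668, 6669, 6697,
]);
const IE_BANNED_PORTS = new Set([19, 21, 25, 110, 119, 143, 220, 993]);

// Default ports for the schemes the check understands; WHATWG URL parsing
// leaves `url.port` empty when the URL uses its scheme's default port.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Return the TCP port a fetch of `urlString` would connect to, or null for
// a scheme this check does not know about.
function effectivePort(urlString) {
  const url = new URL(urlString);
  if (url.port !== '') return Number(url.port);
  return Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, url.protocol)
    ? DEFAULT_PORTS[url.protocol]
    : null;
}

// True if the policy in `bannedPorts` would refuse to connect to this URL.
function isPortBanned(urlString, bannedPorts) {
  const port = effectivePort(urlString);
  return port !== null && bannedPorts.has(port);
}

// Classify one URL under both policies quoted on the slide.
function classify(urlString) {
  return {
    chrome: isPortBanned(urlString, CHROME_BANNED_PORTS) ? 'blocked' : 'allowed',
    ie: isPortBanned(urlString, IE_BANNED_PORTS) ? 'blocked' : 'allowed',
  };
}

// Constructed sample URLs: an IRC daemon, an FTP control port, a default
// HTTPS port and a plain web server on 8080.
const SAMPLE_URLS = [
  'http://irc.internal.example.test:6667/',
  'http://files.internal.example.test:21/',
  'https://www.example.test/',
  'http://www.example.test:8080/',
];

for (const u of SAMPLE_URLS) {
  const { chrome, ie } = classify(u);
  console.log(`${u}  chrome=${chrome}  ie=${ie}`);
}
```

The point of running both lists side by side is the gap between them: a URL pointing at port 6667 is refused by the Chrome list but not by the IE list, so a browser that glues an IE rendering mode onto a Chromium shell inherits the weaker policy whenever the IE engine is the one doing the fetching.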
SAFE BROWSING, SMARTSCREEN & BLACKLISTING
Blacklisting and reputation-based mechanisms protect
against malware & phishing:
Malicious & compromised websites
Executable and other potentially harmful file types
VULNERABILITIES AND EXPLOITS
ATTACK VECTORS
Web content
Automatic updates
Extensions and built-in extra features
File downloads
Plugins: PDF, Flash, Java, ActiveX?
SOP BYPASSES
Leaky APIs
Universal XSS
Code execution inside renderer sandbox
Accessing privileged APIs via XCS
CROSS-CONTEXT SCRIPTING
XSS in a privileged context
Access to privileged APIs
Additional attack surfaces, pivoting deeper
Often leads to RCE
CONTEXT ISOLATION ISSUES
Missing context isolation
Logic running in wrong contexts
Unsafe cross-context messaging
Overwriting properties on shared objects
Variable clobbering
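As an added example that is not part of the slides, the "unsafe cross-context messaging" item above written out as a postMessage handler in a privileged page: first the unsafe shape, then a hardened one that also closes the shared-object and clobbering angles from the same slide. The privileged API, the trusted extension origin and the message events are all hypothetical and constructed inline so the code runs under Node without a browser.

```javascript
// Added example, not from the slides: a postMessage handler in a privileged
// page, first in the unsafe shape the slide warns about, then hardened.
// `privilegedApi` and the trusted origin are hypothetical; event objects are
// constructed inline so the code runs under Node without a browser.

// Hypothetical privileged API that a browser-internal page could reach.
const privilegedApi = {
  calls: [],
  openSettings(section) {
    this.calls.push(['openSettings', section]);
    return `opened ${section}`;
  },
};

// UNSAFE: no origin check, and the method name comes straight from the
// message, so any page holding a reference to this window drives the
// privileged API with whatever name and arguments it likes.
function unsafeHandler(event) {
  const msg = JSON.parse(event.data);
  return privilegedApi[msg.method](...msg.args);
}

// Hardened form: pin the sender origin, allow-list the callable methods
// (which also blocks inherited names such as "constructor"), and validate
// the argument shape before anything privileged runs.
const TRUSTED_ORIGIN = 'chrome-extension://hypothetical-extension-id';
const ALLOWED_METHODS = new Set(['openSettings']);
const hasOwn = Object.prototype.hasOwnProperty; // captured before any clobbering

function safeHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { ok: false, reason: 'untrusted origin' };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return { ok: false, reason: 'malformed message' };
  }
  if (typeof msg !== 'object' || msg === null) {
    return { ok: false, reason: 'malformed message' };
  }
  if (!ALLOWED_METHODS.has(msg.method) || !hasOwn.call(privilegedApi, msg.method)) {
    return { ok: false, reason: 'method not allowed' };
  }
  if (!Array.isArray(msg.args) || !msg.args.every((a) => typeof a === 'string')) {
    return { ok: false, reason: 'bad arguments' };
  }
  return { ok: true, result: privilegedApi[msg.method](...msg.args) };
}

// Constructed events: one from an arbitrary web origin, one from the
// trusted origin, and one from the trusted origin that names an inherited
// property instead of a real API method.
const fromWeb = {
  origin: 'https://some-website.example.test',
  data: JSON.stringify({ method: 'openSettings', args: ['privacy'] }),
};
const fromTrusted = { origin: TRUSTED_ORIGIN, data: fromWeb.data };
const protoProbe = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ method: 'constructor', args: [] }),
};

console.log('unsafe, web origin:', unsafeHandler(fromWeb));     // privileged call happens
console.log('safe, web origin:', safeHandler(fromWeb));         // rejected
console.log('safe, trusted origin:', safeHandler(fromTrusted)); // allowed
console.log('safe, inherited name:', safeHandler(protoProbe));  // rejected
```

When auditing one of these browsers, the handler shape is what to look for in the privileged pages' scripts: an `onmessage` that never reads `event.origin`, or that dispatches on a property name taken from the message, is the "unsafe cross-context messaging" and "overwriting properties on shared objects" items from the slide in one place.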
TOOLS
CHROME DEVTOOLS & F12 DEVELOPER TOOLS
Launch from a menu item or press F12
Great for exploring the JavaScript environment
Debugger is handy, too
PORTSWIGGER'S RENDERING ENGINE HACKABILITY PROBE
https://portswigger-labs.net/hackability/
"Rendering Engine Hackability Probe performs a
variety of tests to discover what the unknown
rendering engine supports."
Helps you quickly spot non-standard APIs
BADSSL.COM & SSLLABS.COM
Badssl.com: contains lots of subdomains that should
trigger an SSL error
SSL labs' client test: lists the ciphers and other
features your SSL client supports
PROCESS EXPLORER, NETSTAT, LSOF...
The usual tools that help you understand a
native app
Figure out what processes an app is launching, what
files it's accessing and who it's talking to
Is your browser running a TCP server? It probably
shouldn't
MITM PROXY APPS & PACKET SNIFFERS
Burp Suite, OWASP ZAP, Fiddler, mitmproxy
Wireshark, tcpdump
Pick your poison
LET'S GET HACKING!
Architecture: Chrome with extras glued on top? Custom browser
with Blink?
Chrome version?
Custom features: What are there? How are they implemented?
Error messages: origin, exposed APIs, XCS
Browser-internal URI schemes
Restricted URI schemes
Framing settings pages, error messages?
Extensions: Are they supported? WebExtensions or something
else? Custom APIs?
APIs exposed to web (Hackability & external object)
Privileged web pages: Extension gallery? Sync and sharing
features?
