1. LET'S PWN A CHINESE WEB BROWSER!
DISOBEY 2019 — JUHO NURMINEN
2. DISCLAIMERS
I'm not my employer. My opinions aren't necessarily theirs. They haven't contributed to this
workshop, do not endorse it, and should not be held responsible for any outcomes.
The browsers we're about to look at are literally "made in China". Install and run them at
your own responsibility. They may invade your privacy, they may install other unwanted
software, and they may be difficult to uninstall properly. Using a disposable VM is highly
recommended.
In fact, anything you do in this workshop is at your own responsibility. Even if I tell you to do
so. I don't have permission from any vendors and I Am Not A Lawyer.
Any vulnerabilities you find are yours to keep. I suggest reporting them to the vendor and/or
a CERT of your choice. I can help in finding the right contacts, but it's your call.
3. YOUR INSTRUCTOR
Web & mobile hacker — Specialist @ 2NS
Browser hacker — several CVEs in
Chrome, Firefox, Safari
Antivirus hacker — Disobey 2018
5. THE TARGETS
Market share per StatCounter, Oct 2018.

Browser         URL                          Windows  macOS  Linux  Android  iOS  Share in China  Share globally
UC Browser      http://www.ucweb.com/        Yes      No     No     Yes      Yes  15.79 %         7.39 %
QQ Browser      https://browser.qq.com/      Yes      Yes    No     Yes      No   11 %            0.27 %
Sogou Explorer  https://ie.sogou.com/        Yes      No     No     Yes      Yes  2.05 %          0.06 %
Maxthon         http://www.maxthon.com/      Yes      Yes    Yes    Yes      Yes  0.56 %          0.05 %
360 Browser     https://browser.360.cn/      Yes      No     No     Yes      Yes  0.17 %          0.03 %
Baidu Browser   https://liulanqi.baidu.com/  Yes      No     No     Yes      Yes  < 0.06 %        < 0.1 %
6. INSTALLING MAXTHON ON KALI
Additional packages: libcurl3 (conflicts with libcurl4), libgcrypt11, libssl1.0.0
Running as root:
maxthon --user-data-dir=userdata --no-sandbox
(Chromium-based browsers refuse to start as root unless the sandbox is disabled, so this flag is what makes the root run possible; it also removes the renderer sandbox, which is one more reason to do this only inside the disposable VM.)
19. ATTACK VECTORS
Web content
Automatic updates
Extensions and built-in extra features
File downloads
Plugins: PDF, Flash, Java, ActiveX?
24. CHROME DEVTOOLS & F12 DEVELOPER TOOLS
Launch from a menu item or press F12
Great for exploring the JavaScript environment
Debugger is handy, too
25. PORTSWIGGER'S RENDERING ENGINE HACKABILITY PROBE
https://portswigger-labs.net/hackability/
"Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports."
Helps you quickly spot non-standard APIs
26. BADSSL.COM & SSLLABS.COM
badssl.com: contains lots of subdomains that should trigger an SSL error
SSL Labs' client test: lists the ciphers and other features your SSL client supports
27. PROCESS EXPLORER, NETSTAT, LSOF...
The usual tools that help you understand a native app
Figure out what processes an app is launching, what files it's accessing and who it's talking to
Is your browser running a TCP server? It probably shouldn't
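The "is the browser running a TCP server?" check from this slide, as an added example that is not part of the original workshop material: a small Node.js script that parses the output of `ss -ltnp` (the same fields `netstat -ltnp` prints) into a list of listening TCP sockets, keeps the ones owned by the browser process, and classifies each by bind address, since a socket bound to all interfaces is reachable from the network while a loopback one is only reachable by other local processes. The sample `ss` output is constructed for the example; the process name, PIDs and ports are placeholders and not observations from any real browser.

```javascript
// Added example, not code from the slides: turn `ss -ltnp` output into a
// list of listening TCP sockets and flag the ones owned by the browser
// under test. The sample output below is constructed for this example; the
// process name, PIDs and ports are placeholders, not real observations.

const SAMPLE_SS_OUTPUT = `State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=512,fd=7))
LISTEN  0       128     127.0.0.1:34567      0.0.0.0:*          users:(("maxthon",pid=4242,fd=37))
LISTEN  0       50      0.0.0.0:40100        0.0.0.0:*          users:(("maxthon",pid=4242,fd=41),("maxthon",pid=4250,fd=41))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=301,fd=3))
`;

// One "users:((...))" field may name several processes sharing a socket
// (for example a browser's main process and a forked helper).
function parseProcesses(field) {
  const procs = [];
  const re = /\("([^"]+)",pid=(\d+),fd=\d+\)/g;
  let m;
  while ((m = re.exec(field)) !== null) {
    procs.push({ name: m[1], pid: Number(m[2]) });
  }
  return procs;
}

// Classify where a socket is reachable from, based on its bind address.
function exposure(addr) {
  if (addr === '[::1]' || addr.startsWith('127.')) return 'loopback';
  if (addr === '0.0.0.0' || addr === '[::]' || addr === '*') return 'all-interfaces';
  return 'specific-interface';
}

// Parse every LISTEN line into { addr, port, exposure, processes }.
// Column layout: State Recv-Q Send-Q Local:Port Peer:Port Process
function listeningSockets(ssOutput) {
  const sockets = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 6) continue;
    const local = cols[3];
    const cut = local.lastIndexOf(':'); // IPv6 addresses contain colons, so split at the last one
    const addr = local.slice(0, cut);
    const port = Number(local.slice(cut + 1));
    const procField = cols.slice(5).join(' ');
    sockets.push({ addr, port, exposure: exposure(addr), processes: parseProcesses(procField) });
  }
  return sockets;
}

// Keep only sockets owned by a process whose name matches the pattern.
function browserListeners(ssOutput, namePattern) {
  return listeningSockets(ssOutput).filter((s) => s.processes.some((p) => namePattern.test(p.name)));
}

// Stand-alone run: report what a process named "maxthon" would be listening on.
for (const s of browserListeners(SAMPLE_SS_OUTPUT, /^maxthon$/)) {
  const pids = [...new Set(s.processes.map((p) => p.pid))].join(',');
  console.log(`${s.addr}:${s.port}  ${s.exposure}  pids=${pids}`);
}
```

On a real system, pipe the live output in (`ss -ltnp | node listeners.js`, reading stdin instead of the constructed constant) and adjust the process name pattern to the browser you are testing. Any hit marked `all-interfaces` deserves a closer look with the DevTools and the other tools on the following slides, because it means the browser is accepting connections from the network, not just from itself.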
30. Architecture: Chrome with extras glued on top? Custom browser with Blink?
Chrome version?
Custom features: What are there? How are they implemented?
Error messages: origin, exposed APIs, XCS
Browser-internal URI schemes
Restricted URI schemes
Framing settings pages, error messages?
Extensions: Are they supported? WebExtensions or something else? Custom APIs?
APIs exposed to web (Hackability & external object)
Privileged web pages: Extension gallery? Sync and sharing features?
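The "non-standard APIs" point from the Hackability Probe slide and the "APIs exposed to web (Hackability & external object)" item above, as an added example that is not part of the original workshop material: a script that diffs the global names a browser exposes to web content against a baseline captured from a stock Chrome of the same major version, then inventories every member of each newly found object (own properties and the prototype chain, with accessors and methods told apart), which is the first thing you want to know about something like a vendor-added `external` object. In a real run you would execute `JSON.stringify(Object.getOwnPropertyNames(window).sort())` in the DevTools console of each browser and feed the two lists to `diffGlobals`, then call `inventory(window[name])` on each added name; here the two name lists and the `FakeVendorBridge` object are constructed for the example and stand in for whatever a real target exposes (the object, its members and the `vendorBridge` name are placeholders, not real APIs).

```javascript
// Added example, not code from the slides: diff a browser's global names
// against a stock-Chrome baseline and inventory each vendor-added object.
// Both name lists and the bridge object below are constructed for this
// example; "vendorBridge" and its members are placeholders, not real APIs.

const BASELINE_GLOBALS = ['Array', 'SharedArrayBuffer', 'XMLHttpRequest', 'fetch', 'localStorage', 'navigator'];
const TARGET_GLOBALS = ['Array', 'XMLHttpRequest', 'fetch', 'localStorage', 'navigator', 'vendorBridge'];

// Report which globals the target adds to, and which it drops from, the baseline.
function diffGlobals(baselineNames, targetNames) {
  const base = new Set(baselineNames);
  const tgt = new Set(targetNames);
  return {
    added: [...tgt].filter((n) => !base.has(n)).sort(),
    removed: [...base].filter((n) => !tgt.has(n)).sort(),
  };
}

// Walk an object and its prototype chain (stopping at Object.prototype) and
// list every member with its kind, so a newly found global can be inventoried
// without guessing at its shape. Accessors are listed but never invoked.
function inventory(obj, maxDepth = 3) {
  const members = new Map();
  let cur = obj;
  for (let depth = 0; cur && cur !== Object.prototype && depth < maxDepth; depth++) {
    for (const name of Object.getOwnPropertyNames(cur)) {
      if (name === 'constructor' || members.has(name)) continue;
      const d = Object.getOwnPropertyDescriptor(cur, name);
      let kind;
      if (typeof d.value === 'function') kind = 'method';
      else if (d.get || d.set) kind = 'accessor';
      else kind = typeof d.value;
      members.set(name, kind);
    }
    cur = Object.getPrototypeOf(cur);
  }
  return [...members]
    .map(([name, kind]) => ({ name, kind }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Combine both steps: diff the name lists, then inventory each added global
// found on the given scope object (window in a browser, a stand-in here).
function reportExposedApis(baselineNames, targetNames, scope) {
  const diff = diffGlobals(baselineNames, targetNames);
  const details = {};
  for (const name of diff.added) {
    details[name] = name in scope ? inventory(scope[name]) : [];
  }
  return { ...diff, details };
}

// Constructed stand-in for a vendor-added bridge object (placeholder, not a real API).
class FakeVendorBridge {
  constructor() { this.version = '0.0.0-example'; }
  get userId() { return 'placeholder-user'; }
  getSetting(key) { return `setting ${key} (placeholder)`; }
  syncBookmarks() { return false; }
}

// Constructed stand-in for window, holding only the vendor-added global.
const FAKE_WINDOW = { vendorBridge: new FakeVendorBridge() };

// Stand-alone run: show what the diff and the inventory report for the stand-ins.
console.log(JSON.stringify(reportExposedApis(BASELINE_GLOBALS, TARGET_GLOBALS, FAKE_WINDOW), null, 2));
```

Dropped globals are worth noting too: a browser that removes a standard API from the baseline has usually done so deliberately, and the reason (a disabled feature, an older engine than the version string claims) is part of the picture. The inventory only reads property descriptors, so it never triggers an accessor or calls a method; deciding which members to actually exercise is the manual step that follows.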