I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
6 likes9,785 views
This document discusses attacking Chrome extensions through exploiting vulnerabilities in their architecture and code. It begins by explaining the components and permissions model of Chrome extensions. It then describes how to exploit vulnerabilities like DOM XSS in extensions' UI pages under the legacy v1 model. The document outlines fixes made in the v2 model but still finds ways to bypass security restrictions, such as through content script XSS. It introduces tools like XSSChEF and Mosquito for exploiting extensions. The presentation concludes by noting CSP should only be seen as a mitigation rather than prevention for extension vulnerabilities.
![OWASP
Chrome Extensions - manifest
Manifest lists permissions, UI pages, content scripts
7
{
"manifest_version": 2,
"name": "Sample Extension",
"content_scripts": [
{
"matches": ["http://www.google.com/*"],
"js": ["jquery.js", "myscript.js"]
}
],
"background": {
"page": "background.html"
},
"permissions": [
"tabs",
"bookmarks",
"cookies"
"http://*/*",
"https://*/*",
]
}](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/85/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-7-320.jpg)
![OWASP
Content script XSS
website CSP bypass
“Content scripts can also make cross-site
XMLHttpRequests to the same sites as their parent
extensions”
http://developer.chrome.com/extensions/
content_scripts.html
29
"permissions": [
"http://*/*",
"https://*/*",
]](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/85/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-35-320.jpg)
![OWASP
Content script XSS
website CSP bypass
“Content scripts can also make cross-site
XMLHttpRequests to the same sites as their parent
extensions”
http://developer.chrome.com/extensions/
content_scripts.html
29
"permissions": [
"http://*/*",
"https://*/*",
]
40%](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/85/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-36-320.jpg)
![OWASP
EOF
@kkotowicz
http://blog.kotowicz.net
https://github.com/koto
More research:
Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black
Hat 2011)
http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf
http://kotowicz.net/bh2012/advanced-chrome-extension-
exploitation-osborn-kotowicz.pdf
Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec,
@johnwilander, @garethheyes, @antisnatchor,
@freddyb,@internot_, @pdjstone, ....
38](https://image.slidesharecdn.com/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01/85/I-m-in-ur-browser-pwning-your-stuff-Attacking-with-Google-Chrome-Extensions-49-320.jpg)
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
- 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing [email protected]
- 2. OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
- 3. OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
- 4. OWASP Chrome Extensions Not plugins (Java, Flash, ...) HTML5 applications html, javascript, css Installed from Chrome Web Store Access to privileged API chrome.tabs chrome.bookmarks chrome.history chrome.cookies 4
- 5. OWASP Chrome Extensions - components UI pages background page option pages extension UI Content scripts run alongside website interaction with websites 5
- 6. OWASP 6 Diagram by Wade Alcorn. Thanks!
- 7. OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
- 8. OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
- 11. OWASP UI page DOM XSS content-script takes data off website DOM sends it to UI page view fails to escape data upon viewing it cross-zone DOM XSS 11
- 12. OWASP 12
- 13. OWASP 12
- 14. OWASP 12
- 15. OWASP UI page DOM XSS Consequences XSS in chrome-extension:// access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
- 16. OWASP UI page DOM XSS Consequences XSS in chrome-extension:// access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
- 17. OWASP Exploiting UI page XSS Chrome Extension Exploitation Framework BEEF for Chrome extensions 14 https://github.com/koto/xsschef
- 22. OWASP Chrome extensions v1 summary UI page XSS is very common note taking developer tools RSS readers Each XSS has big impact How do you eradicate XSS without relying on developers? 19
- 23. OWASP 20
- 25. OWASP Manifest v2 22 Content Security Policy obligatory for UI pages no eval() no inline scripting no external scripts XSS exploitation very difficult Manifest v1 extensions slowly deprecating Jan 2014 - Chrome stops running them All fixed? script-src 'self'; object-src 'self'
- 27. OWASP UI page XSS - new vectors eval() used in JS templating libraries mustachejs underscorejs jQuery template hoganjs ... Possible to relax CSP to allow unsafe-eval Some extensions use it 24
- 28. OWASP Content script XSS Content scripts not subject to CSP Go figure... 25
- 29. OWASP 26
- 30. OWASP 26
- 31. OWASP 26
- 32. OWASP Content script XSS XSS in http:// chrome-extension CSP bypass access to DOM access to cookies 27
- 33. OWASP As sexy as self XSS... 28
- 34. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29
- 35. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
- 36. OWASP Content script XSS website CSP bypass “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions” http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
- 37. OWASP Content script XSS Introducing Mosquito (Another) Chrome Extension XSS Exploitation tool XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
- 38. OWASP Mosquito 31 XSS ws:// HTTP/S proxy inspired by MalaRIA by Erlend Oftedal and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
- 39. OWASP DEMO TIME v 1.0.3.3 https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem 0.5 mln users found by Sergey Belov 32
- 40. OWASP NPAPI plugins vulnerabilities UI page gets the payload Forwards it to NPAPI plugin Binary vulnerability in plugin buffer overflow command injection ... Code run with OS user permission No sandbox! 33
- 41. OWASP 34
- 42. OWASP 34
- 43. OWASP 34
- 44. OWASP 34
- 45. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
- 46. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
- 47. OWASP Bonus CSP bypass through filesystem: API Filesystem API - virtual filesystem for HTML app filesystem:http://example.com/file.png filesystem:chrome-extension://<id>/path.html Postman - REST client v 0.8.1 180K users including @webtonull 36
- 48. OWASP Summary Chrome extensions v2 still XSSable CSP should be treated as mitigation, not prevention New tools for attack 37
- 49. OWASP EOF @kkotowicz http://blog.kotowicz.net https://github.com/koto More research: Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011) http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38