SlideShare a Scribd company logo

Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

Krzysztof Kotowicz
Krzysztof Kotowicz

My OWASP AppSec Europe 2013 talk.

TechnologyDesign
1 of 49
Download to read offline
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
OWASP Chrome Extensions  Not plugins (Java, Flash, ...)  HTML5 applications  html, javascript, css Installed from Chrome Web Store  Access to privileged API  chrome.tabs  chrome.bookmarks  chrome.history  chrome.cookies 4
OWASP Chrome Extensions - components  UI pages  background page  option pages  extension UI Content scripts  run alongside website  interaction with websites 5
OWASP 6 Diagram by Wade Alcorn. Thanks!
OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
OWASP Isolated worlds 9 DOM content script JS website JS
OWASP Exploiting v1 extensions 10
OWASP UI page DOM XSS  content-script takes data off website DOM  sends it to UI page  view fails to escape data upon viewing it  cross-zone DOM XSS 11
OWASP 12
OWASP 12
OWASP 12
OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
OWASP Exploiting UI page XSS  Chrome Extension Exploitation Framework  BEEF for Chrome extensions 14 https://github.com/koto/xsschef
OWASP XSS ChEF 15
OWASP XSS ChEF 16
OWASP XSS ChEF 17
OWASP XSS ChEF 18
OWASP Chrome extensions v1 summary  UI page XSS is very common  note taking  developer tools  RSS readers  Each XSS has big impact  How do you eradicate XSS without relying on developers? 19
OWASP 20
OWASP Manifest v2 fixes 21
OWASP Manifest v2 22  Content Security Policy obligatory for UI pages  no eval()  no inline scripting  no external scripts  XSS exploitation very difficult  Manifest v1 extensions slowly deprecating  Jan 2014 - Chrome stops running them  All fixed? script-src 'self'; object-src 'self'
OWASP Exploiting v2 extensions 23
OWASP UI page XSS - new vectors  eval() used in JS templating libraries  mustachejs  underscorejs  jQuery template  hoganjs  ...  Possible to relax CSP to allow unsafe-eval  Some extensions use it 24
OWASP Content script XSS  Content scripts not subject to CSP  Go figure... 25
OWASP 26
OWASP 26
OWASP 26
OWASP Content script XSS  XSS in http://  chrome-extension CSP bypass  access to DOM  access to cookies 27
OWASP As sexy as self XSS... 28
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
OWASP Content script XSS  Introducing Mosquito  (Another) Chrome Extension XSS Exploitation tool  XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
OWASP Mosquito 31 XSS ws:// HTTP/S proxy  inspired by MalaRIA by Erlend Oftedal  and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
OWASP DEMO TIME  v 1.0.3.3  https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem  0.5 mln users  found by Sergey Belov 32
OWASP NPAPI plugins vulnerabilities  UI page gets the payload  Forwards it to NPAPI plugin  Binary vulnerability in plugin  buffer overflow  command injection  ...  Code run with OS user permission  No sandbox! 33
OWASP 34
OWASP 34
OWASP 34
OWASP 34
OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
OWASP Bonus  CSP bypass through filesystem: API  Filesystem API - virtual filesystem for HTML app  filesystem:http://example.com/file.png  filesystem:chrome-extension://<id>/path.html  Postman - REST client  v 0.8.1  180K users  including @webtonull 36
OWASP Summary  Chrome extensions v2 still XSSable  CSP should be treated as mitigation, not prevention  New tools for attack 37
OWASP EOF  @kkotowicz  http://blog.kotowicz.net  https://github.com/koto  More research:  Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011)  http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf  http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf  Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38

Recommended

Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
How Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerHow Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerAkamai Developers & Admins
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 

Recommended

Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
How Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerHow Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerAkamai Developers & Admins
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
A Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event SourcingA Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event SourcingCarlos Buenosvinos
 
Cache poisoning
Cache poisoningCache poisoning
Cache poisoningAlexandraLacatus
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOpsGene Gotimer
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101Ievgenii Katsan
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomFlorence Devouard
 

More Related Content

What's hot

Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
A Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event SourcingA Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event SourcingCarlos Buenosvinos
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOpsGene Gotimer
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101Ievgenii Katsan
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 

What's hot (20)

Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
A Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event SourcingA Journey from Hexagonal Architecture to Event Sourcing
A Journey from Hexagonal Architecture to Event Sourcing
 
Cache poisoning
Cache poisoningCache poisoning
Cache poisoning
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 

Viewers also liked

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomFlorence Devouard
 
Certificate of Completion
Certificate of CompletionCertificate of Completion
Certificate of CompletionDavid Lim
 
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)Dementia Friendly Japan Initiative
 
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...The Rockefeller Foundation
 
USA on the Web
USA on the WebUSA on the Web
USA on the Webron mader
 
2016 Veteran Insights Report
2016 Veteran Insights Report2016 Veteran Insights Report
2016 Veteran Insights ReportLinkedIn for Good
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
NV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenNV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenThierry Debels
 
Church. Got an app for that?
Church. Got an app for that?Church. Got an app for that?
Church. Got an app for that?ASDSVV
 
Symbiosis international university
Symbiosis international universitySymbiosis international university
Symbiosis international universityyunus khan
 
PrivateWave - sales presentation_en
PrivateWave - sales presentation_enPrivateWave - sales presentation_en
PrivateWave - sales presentation_enMarco Pissarello
 
Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013GreythornAU
 
Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Experiencia Trading
 
Jane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane Hart
 

Viewers also liked (20)

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Conférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'EracomConférence Wikipedia pour l'Eracom
Conférence Wikipedia pour l'Eracom
 
Certificate of Completion
Certificate of CompletionCertificate of Completion
Certificate of Completion
 
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
バリアフリー推進ワークショップ(交通エコロジー・モビリティ財団)
 
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
Streams of Social Impact Work: Building Bridges in a New Evaluation Era with ...
 
USA on the Web
USA on the WebUSA on the Web
USA on the Web
 
2016 Veteran Insights Report
2016 Veteran Insights Report2016 Veteran Insights Report
2016 Veteran Insights Report
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
NV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemenNV kunstenaar Jan De Cock in de financiële problemen
NV kunstenaar Jan De Cock in de financiële problemen
 
Publish
PublishPublish
Publish
 
Church. Got an app for that?
Church. Got an app for that?Church. Got an app for that?
Church. Got an app for that?
 
My social representation
My social representationMy social representation
My social representation
 
Symbiosis international university
Symbiosis international universitySymbiosis international university
Symbiosis international university
 
Kunst, økonomi, kreativ kapitalisme
Kunst, økonomi, kreativ kapitalismeKunst, økonomi, kreativ kapitalisme
Kunst, økonomi, kreativ kapitalisme
 
PrivateWave - sales presentation_en
PrivateWave - sales presentation_enPrivateWave - sales presentation_en
PrivateWave - sales presentation_en
 
Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013Greythorn Market Insights - February 2013
Greythorn Market Insights - February 2013
 
Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012Grafico diario del dax perfomance index para el 12 12-2012
Grafico diario del dax perfomance index para el 12 12-2012
 
Jane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSAJane's Pick of 10 Learning Tools for SchoolNetSA
Jane's Pick of 10 Learning Tools for SchoolNetSA
 

Similar to Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxrichardnorman90310
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detectorguest31a5be
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosPROIDEA
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...cresco
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 

Similar to Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses (20)

Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
4.Xss
4.Xss4.Xss
4.Xss
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detector
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
Students of Navgujarat College of Computer Applications, Ahmedabad felt excit...
 
Antiviruxss
AntiviruxssAntiviruxss
Antiviruxss
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffKrzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comesKrzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptKrzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (15)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Attacking Chrome Extensions: Exploiting Vulnerabilities and Bypassing Defenses

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
  • 2. OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
  • 3. OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
  • 4. OWASP Chrome Extensions  Not plugins (Java, Flash, ...)  HTML5 applications  html, javascript, css Installed from Chrome Web Store  Access to privileged API  chrome.tabs  chrome.bookmarks  chrome.history  chrome.cookies 4
  • 5. OWASP Chrome Extensions - components  UI pages  background page  option pages  extension UI Content scripts  run alongside website  interaction with websites 5
  • 6. OWASP 6 Diagram by Wade Alcorn. Thanks!
  • 7. OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
  • 8. OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
  • 11. OWASP UI page DOM XSS  content-script takes data off website DOM  sends it to UI page  view fails to escape data upon viewing it  cross-zone DOM XSS 11
  • 15. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  • 16. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  • 17. OWASP Exploiting UI page XSS  Chrome Extension Exploitation Framework  BEEF for Chrome extensions 14 https://github.com/koto/xsschef
  • 22. OWASP Chrome extensions v1 summary  UI page XSS is very common  note taking  developer tools  RSS readers  Each XSS has big impact  How do you eradicate XSS without relying on developers? 19
  • 25. OWASP Manifest v2 22  Content Security Policy obligatory for UI pages  no eval()  no inline scripting  no external scripts  XSS exploitation very difficult  Manifest v1 extensions slowly deprecating  Jan 2014 - Chrome stops running them  All fixed? script-src 'self'; object-src 'self'
  • 27. OWASP UI page XSS - new vectors  eval() used in JS templating libraries  mustachejs  underscorejs  jQuery template  hoganjs  ...  Possible to relax CSP to allow unsafe-eval  Some extensions use it 24
  • 28. OWASP Content script XSS  Content scripts not subject to CSP  Go figure... 25
  • 32. OWASP Content script XSS  XSS in http://  chrome-extension CSP bypass  access to DOM  access to cookies 27
  • 33. OWASP As sexy as self XSS... 28
  • 34. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29
  • 35. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
  • 36. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
  • 37. OWASP Content script XSS  Introducing Mosquito  (Another) Chrome Extension XSS Exploitation tool  XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
  • 38. OWASP Mosquito 31 XSS ws:// HTTP/S proxy  inspired by MalaRIA by Erlend Oftedal  and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
  • 39. OWASP DEMO TIME  v 1.0.3.3  https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem  0.5 mln users  found by Sergey Belov 32
  • 40. OWASP NPAPI plugins vulnerabilities  UI page gets the payload  Forwards it to NPAPI plugin  Binary vulnerability in plugin  buffer overflow  command injection  ...  Code run with OS user permission  No sandbox! 33
  • 45. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
  • 46. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
  • 47. OWASP Bonus  CSP bypass through filesystem: API  Filesystem API - virtual filesystem for HTML app  filesystem:http://example.com/file.png  filesystem:chrome-extension://<id>/path.html  Postman - REST client  v 0.8.1  180K users  including @webtonull 36
  • 48. OWASP Summary  Chrome extensions v2 still XSSable  CSP should be treated as mitigation, not prevention  New tools for attack 37
  • 49. OWASP EOF  @kkotowicz  http://blog.kotowicz.net  https://github.com/koto  More research:  Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011)  http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf  http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf  Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38