• Home

  • Documents

  • PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions...
37
PostMessage Security in Chrome Extensions Arseny Reutov [email protected] https://raz0r.name OWASP London Chapter

PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

  • Upload
    others

  • View
    30

  • Download
    0

Embed Size (px)

Citation preview

Page 1: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage Security in Chrome ExtensionsArseny [email protected]://raz0r.name

OWASP London Chapter

Page 2: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

$whoami

• WebapplicationsecurityresearcheratPositiveTechnologies

• MemberofPositiveHackDays(https://phdays.com)conferenceboard

• Occasionalwebsecurityblogger(https://raz0r.name)

Page 3: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Agenda

• Chromeextensions&theirmessaging• PostMessage securityconsiderations• Mountingextensionsanalysis• Theresults!• Thetakeaways

Page 4: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

CHROMEEXTENSIONS&THEIRMESSAGING

PartI

Page 5: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Chromeextensionsecosystem

• ChromeWebStoreisnotoriouslyknownintermsofsecurity(unintuitivepermissionsdialogs,malware&insecureextensions)

Page 6: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Chromeextensionsmessaging

Page 7: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Extensionmanifestfile{

"name": “My Extension",

"description": “My Super Chrome Extension",

"version": “1.0",

"background": {

"scripts": [“js/background.js"]

},

"content_scripts": [

{

"matches": ["<all_urls>"],

"js": ["js/jquery.js", "js/content.js"]

}

],

"permissions": ["tabs", "http://*/*", "https://*/*"]

}

Page 8: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

POSTMESSAGE SECURITYCONSIDERATIONS

PartII

Page 9: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage API

window.postMessage()methodenablescross-origincommunication

someWindow.postMessage(

"my message", // message data

"*", // target origin

);

Page 10: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage API

Developerisinchargeoforiginvalidation

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {if (event.origin !== "http://example.org")

return; // checking origin hostif (event.source !== window)

return; // or origin windowprocess(event.data);

}

Page 11: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage API

• Iforiginvalidationisabsentorisflawed,anattacker’smessagedatacanreachdangerouspiecesofcode.

• See“ThepitfallsofpostMessage”byMathiasKarlsson forcommonoriginvalidationbypasses.

Page 12: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage API

• UnlikeotherDOMevents,messagepropagationtolistenerscannotbestoppedviareturn false or stopPropagation().

• Extensions’messagelistenersarenotlistedinChromeDeveloperTools.

Page 13: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage AttackVectors

Method1:iframes

var iframe = document.createElement("iframe");

iframe.src = "http://target.com";

iframe.contentWindow.postMessage("some message", "*");

Pros:stealthyCons:killedbyX-Frame-Optionsandframebusters

Page 14: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage AttackVectors

Method2:openinganewwindow

var targetWindow = window.open("http://target.com");

targetWindow.onload = function() {

targetWindow.postMessage("some message", "*");

}

Pros:notaffectedbyX-Frame-OptionsCons:morenoisy

Page 15: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

PostMessage inChromeextensions

• ChromeextensionsusepostMessage APItoreceivemessagesfromexternalwebsites(e.g.translatorservices)orwithinthesameorigin(especiallyindevelopertoolsextensions)

• postMessage datacanbepassedintobackgroundscriptcontext,andinsomecasesevenreachOSviaNativeMessagingAPI

Page 16: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

MOUNTINGEXTENSIONSANALYSISPartIII

Page 17: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

TheResearchSteps

• Downloadextensions(WebDevelopmentcategoryonly)

Page 18: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

TheResearchSteps

• ParseCRXfiles(https://github.com/vladignatyev/crx-extractor)

• ConverttoZIP• Unpack

Page 19: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

TheResearchSteps

• ParseManifestfile,findcontentscripts• ParseeachcontentscriptwithAcornJSparser(https://github.com/ternjs/acorn)

• LookforpostMessage listenerswithanAcornplugin

Page 20: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

TheResearchSteps

• LogeachpostMessage listenerfoundintolocalelasticsearch

Page 21: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

THERESULTSPartIV

Page 22: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

ReactDev Tools

• HavegotpostMessage protectionjustrecentlybyanexternalPR:

Page 23: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

ReactDev Tools

• Priortothefixmessagewasvalidatedbyjustcheckingaspecialproperty(whichisusercontrolled):

Page 24: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

EmberInspector

• Nooriginvalidation,but,luckily,datadoesnotreachsensitiveparts.

Page 25: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

AngularJS Batarang (Angularv1.x)

• Developershavenocluehowtovalidateorigin

Page 26: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Augury(Angularv2.x)

• Again,originvalidationisjustcheckingamagicstring

Page 27: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Augury(Angularv2.x)

• Auguryemploysinterestingmessageserialization:

Page 28: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Augury(Angularv2.x)

• XSSonanywebsitewiththeextensioninstalled

Page 29: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Augury(Angularv2.x)

Page 30: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

LanSweeper ShellExecute

Page 31: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

LanSweeper ShellExecute

Page 32: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

LanSweeper ShellExecute

Page 33: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

THETAKEAWAYSPartV

Page 34: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Thetakeaways

• Forusers:– donotinstallshadyextensionsfromunknownpublishers

– checkrequestedpermissions

Page 35: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Thetakeaways

• Fordevelopers:– payattentiontooriginvalidationinmessagelisteners

– consideroriginbypasstricks– donotrelyonmagicstrings

Page 36: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Thetakeaways

• Forbrowsers:– shouldprovidebuilt-inoriginvalidation– seegetMessage proposalby@homakov

Page 37: PostMessage Security in Chrome Extensions · PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator services)

Thankyou!


10 Overlooked Chrome Extensions Chrome

10 Overlooked Chrome Extensions Chrome

Documents
Chrome Extensions and Tools

Chrome Extensions and Tools

Documents
Best Google Chrome Email Checker & Notifier Extensions

Best Google Chrome Email Checker & Notifier Extensions

Internet
Building Chrome Extensions · “Google Chrome Extensions are applications that run inside the Chrome browser and provide additional functionality, integration with third party websites

Building Chrome Extensions · “Google Chrome Extensions are applications that run inside the Chrome browser and provide additional functionality, integration with third party websites

Documents
Abusing Chrome Extensions to Form a Bot Net - Black …€¦ · Abusing Chrome Extensions ... "tabs", "*://*.viadeo.com ... The Oldest Trick in the Book PHISHING. The Oldest Trick

Abusing Chrome Extensions to Form a Bot Net - Black …€¦ · Abusing Chrome Extensions ... "tabs", "*://*.viadeo.com ... The Oldest Trick in the Book PHISHING. The Oldest Trick

Documents
10 Most Useful Google Chrome Extensions For Students

10 Most Useful Google Chrome Extensions For Students

Education
Google Chrome Extensions to Improve Your Productivity

Google Chrome Extensions to Improve Your Productivity

Recruiting & HR
Discovering Chrome Extensions

Discovering Chrome Extensions

Documents
Top Chrome Extensions for Software Testing

Top Chrome Extensions for Software Testing

Technology
Browser Extensions in Mozilla Firefox & Google Chrome

Browser Extensions in Mozilla Firefox & Google Chrome

Technology
The Top 10 Chrome Extensions for Entrepreneurs

The Top 10 Chrome Extensions for Entrepreneurs

Business
Compatibility Detector Tool of Chrome extensions

Compatibility Detector Tool of Chrome extensions

Technology
Building & distributing chrome extensions and web apps

Building & distributing chrome extensions and web apps

Software
Useful chrome extensions for seo

Useful chrome extensions for seo

Marketing
Useful Salesforce.com chrome extensions & Snapshots

Useful Salesforce.com chrome extensions & Snapshots

Technology
60 + Chrome Apps and Extensions in 60 Minutes

60 + Chrome Apps and Extensions in 60 Minutes

Documents
Introduction to Google Chrome Extensions Development

Introduction to Google Chrome Extensions Development

Technology
U se Google Chrome Extensions With Google Plus

U se Google Chrome Extensions With Google Plus

Documents
Chrome Extensions - South Carolina ETV · Chrome Extensions Small software programs that customize the Chrome browser experience Find them at the Chrome Web Store. Screencastify Free

Chrome Extensions - South Carolina ETV · Chrome Extensions Small software programs that customize the Chrome browser experience Find them at the Chrome Web Store. Screencastify Free

Documents
PostMessage Security in Chrome Extensions - OWASP...PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator

PostMessage Security in Chrome Extensions - OWASP...PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator

Documents
Building testable chrome extensions

Building testable chrome extensions

Software
Chrome extensions

Chrome extensions

Software
Chrome Extensions Slides Gtugna Kick Off Meeti

Chrome Extensions Slides Gtugna Kick Off Meeti

Technology
var title = “ Google Chrome Extensions ”;

var title = “ Google Chrome Extensions ”;

Documents
Chrome Extensions for Hackers

Chrome Extensions for Hackers

Technology
10 Overlooked chrome-Extensions-chrome.pdf

10 Overlooked chrome-Extensions-chrome.pdf

Documents
Top 10 Google Chrome Extensions for Job Seekers

Top 10 Google Chrome Extensions for Job Seekers

Career
Google Chrome Apps and Extensions

Google Chrome Apps and Extensions

Education
for Google Apps Productivity Guide The Gooru’s · 2015-12-15 · Chrome Extensions The Chrome Webstore The Chrome Webstore is an online marketplace of Chrome Extensions, which you

for Google Apps Productivity Guide The Gooru’s · 2015-12-15 · Chrome Extensions The Chrome Webstore The Chrome Webstore is an online marketplace of Chrome Extensions, which you

Documents
Google Chrome Extensions var title = “ Google Chrome Extensions ”; $(this).attr(“title”, title); $(this).data({ description: ‘How to create and distribute’,

Google Chrome Extensions var title = “ Google Chrome Extensions ”; $(this).attr(“title”, title); $(this).data({ description: ‘How to create and distribute’,

Documents