Page 1: PostMessage Security in Chrome Extensions - OWASP...PostMessagein Chrome extensions •Chrome extensions use postMessageAPI to receive messages from external web sites (e.g. translator

PostMessage Security in Chrome Extensions
Arseny [email protected]
https://raz0r.name

OWASP London Chapter

Page 2

$whoami

• Web application security researcher at Positive Technologies

• Member of the Positive Hack Days (https://phdays.com) conference board

• Occasional web security blogger (https://raz0r.name)

Page 3

Agenda

• Chrome extensions & their messaging
• PostMessage security considerations
• Mounting extensions analysis
• The results!
• The takeaways

Page 4

CHROME EXTENSIONS & THEIR MESSAGING

Part I

Page 5

Chrome extension ecosystem

• The Chrome Web Store is notorious from a security standpoint (unintuitive permission dialogs, malware & insecure extensions)

Page 6

Chrome extensions messaging

Page 7

Extension manifest file

{
  "name": "My Extension",
  "description": "My Super Chrome Extension",
  "version": "1.0",
  "background": {
    "scripts": ["js/background.js"]
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["js/jquery.js", "js/content.js"]
    }
  ],
  "permissions": ["tabs", "http://*/*", "https://*/*"]
}

Page 8

POSTMESSAGE SECURITY CONSIDERATIONS

Part II

Page 9

PostMessage API

The window.postMessage() method enables cross-origin communication

someWindow.postMessage(
  "my message", // message data
  "*"           // target origin
);

Page 10

PostMessage API

The developer is in charge of origin validation

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {
  if (event.origin !== "http://example.org")
    return; // checking origin host
  if (event.source !== window)
    return; // or origin window
  process(event.data);
}

Page 11

PostMessage API

• If origin validation is absent or flawed, an attacker's message data can reach dangerous pieces of code.

• See "The pitfalls of postMessage" by Mathias Karlsson for common origin validation bypasses.
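Added example (not code from the slides): the exact-match origin check the previous two slides call for, placed beside two flawed checks of the kind the referenced bypass write-up covers, and a small handler wrapper that also supports the "or origin window" variant. The trusted origin and the sample origins are constructed; nothing here touches window or chrome objects, so it runs under Node as well as in a page.

```javascript
// Added example, not code from the slides: an exact-match origin check for a
// postMessage listener, beside two flawed checks of the kind the talk warns about.
// Pure functions only (no window or chrome objects), so it also runs under Node.

// An origin is the whole scheme://host[:port] triple; compare it as a whole.
const TRUSTED_ORIGINS = new Set(["https://example.org"]); // assumed trusted site

function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Flawed checks, kept only for comparison: each accepts origins it should not.
function flawedIndexOf(origin) {
  return origin.indexOf("example.org") !== -1;    // any origin containing the host name
}
function flawedRegex(origin) {
  return /^https:\/\/example\.org/.test(origin);  // no end anchor: a longer host name passes
}

// Wraps a validator around process(). expectedSource is optional: pass the
// receiving window when only same-window messages are legitimate (the
// "or origin window" check on the slide). Returns whether the message was accepted.
function makeMessageHandler(validator, process, expectedSource) {
  return function receiveMessage(event) {
    if (!validator(event.origin)) return false;            // untrusted origin: drop
    if (expectedSource !== undefined && event.source !== expectedSource) return false;
    process(event.data);
    return true;
  };
}

// Constructed origins for the comparison (none of these are real sites).
const SAMPLE_ORIGINS = [
  "https://example.org",                // the trusted site itself
  "https://example.org.attacker.test",  // trusted host as a prefix of another host
  "https://notexample.org",             // trusted host as a suffix of another host
  "http://example.org",                 // same host, downgraded scheme
  "null",                               // opaque origin (sandboxed iframe, file://)
];

// For each origin, what the exact check and the two flawed checks decide.
function compareValidators(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    exact: isTrustedOrigin(origin),
    indexOf: flawedIndexOf(origin),
    regex: flawedRegex(origin),
  }));
}

if (typeof module !== "undefined" && require.main === module) {
  console.table(compareValidators());
}
```

In a page or content script the wrapper is installed exactly like the slide's listener: window.addEventListener("message", makeMessageHandler(isTrustedOrigin, process), false). Only the exact comparison rejects every constructed origin except the trusted one; the substring check accepts four of the five, and the unanchored regex still accepts the prefixed host name.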

Page 12

PostMessage API

• Unlike other DOM events, message propagation to listeners cannot be stopped via return false or stopPropagation().

• Extensions' message listeners are not listed in Chrome Developer Tools.

Page 13

PostMessage Attack Vectors

Method 1: iframes

var iframe = document.createElement("iframe");
iframe.src = "http://target.com";
iframe.contentWindow.postMessage("some message", "*");

Pros: stealthy
Cons: killed by X-Frame-Options and frame busters

Page 14

PostMessage Attack Vectors

Method 2: opening a new window

var targetWindow = window.open("http://target.com");
targetWindow.onload = function() {
  targetWindow.postMessage("some message", "*");
}

Pros: not affected by X-Frame-Options
Cons: more noisy

Page 15

PostMessage in Chrome extensions

• Chrome extensions use the postMessage API to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions)

• postMessage data can be passed into the background script context, and in some cases even reach the OS via the Native Messaging API
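Added example, not code from the slides or from any extension named in the talk: a content script that relays page messages to the background script only after authenticating the sender with browser-set fields and validating the message against a fixed set of message types, so that nothing a page sends can name an arbitrary background or native-messaging action. The message protocol (a "translate" and a "get-version" type) is assumed, and chrome.runtime.sendMessage is passed in as sendToBackground so the logic can be exercised outside the browser.

```javascript
// Added example, not from the slides or any named extension: a content-script
// relay that authenticates the sender and validates the message shape before
// anything reaches the background script (and, behind it, a native host).
// chrome.runtime.sendMessage is injected as `sendToBackground` for testability.

// Messages the background script may receive from a page: the payload fields
// that are forwarded and a check on them. Anything else is dropped. (Assumed protocol.)
const ALLOWED_MESSAGES = {
  "translate": {
    fields: ["text", "lang"],
    check: (p) => typeof p.text === "string" && p.text.length <= 5000 &&
                  /^[a-z]{2}$/.test(p.lang),
  },
  "get-version": { fields: [], check: () => true },
};

// Copies only the declared fields into a new object.
function pick(obj, fields) {
  const out = {};
  for (const f of fields) out[f] = obj[f];
  return out;
}

// trustedOrigins: Set of exact origins; selfWindow (optional): the window the
// content script runs in, for same-window devtools-style messaging;
// sendToBackground: chrome.runtime.sendMessage or a stand-in.
function makeRelay({ trustedOrigins, selfWindow, sendToBackground }) {
  return function onMessage(event) {
    // Authenticate the sender with fields the browser sets. A marker inside the
    // data such as data.source === "my-extension" is written by the sending page
    // and proves nothing about who sent it.
    if (!trustedOrigins.has(event.origin)) return { relayed: false, reason: "origin" };
    if (selfWindow !== undefined && event.source !== selfWindow) return { relayed: false, reason: "source" };

    // Validate the shape before anything reaches the privileged context.
    const data = event.data;
    if (typeof data !== "object" || data === null) return { relayed: false, reason: "shape" };
    const spec = Object.prototype.hasOwnProperty.call(ALLOWED_MESSAGES, data.type)
      ? ALLOWED_MESSAGES[data.type] : undefined;
    if (!spec) return { relayed: false, reason: "type" };
    const payload = (typeof data.payload === "object" && data.payload !== null) ? data.payload : {};
    if (!spec.check(payload)) return { relayed: false, reason: "payload" };

    // Forward a freshly built object holding only the declared fields, never the
    // page's object itself.
    sendToBackground({ type: data.type, payload: pick(payload, spec.fields) });
    return { relayed: true };
  };
}
```

The returned reason is useful for logging rejected messages during development. The background script should apply the same allowlist again before calling chrome.runtime.sendNativeMessage, because a content script runs in the page's tab and is the least trusted part of the extension.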

Page 16

MOUNTING EXTENSIONS ANALYSIS

Part III

Page 17

The Research Steps

• Download extensions (Web Development category only)

Page 18

The Research Steps

• Parse CRX files (https://github.com/vladignatyev/crx-extractor)
• Convert to ZIP
• Unpack

Page 19

The Research Steps

• Parse manifest file, find content scripts
• Parse each content script with the Acorn JS parser (https://github.com/ternjs/acorn)
• Look for postMessage listeners with an Acorn plugin

Page 20

The Research Steps

• Log each postMessage listener found into a local Elasticsearch
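Added example, not the tooling from the talk: the research pipeline of the last four slides in miniature, using only Node built-ins. The CRX container is parsed by hand here rather than with crx-extractor (CRX2 and CRX3 layouts), the content scripts are read from manifest.json, listeners are located with a regular expression instead of the Acorn plugin, and the output is the newline-delimited JSON that Elasticsearch's _bulk API ingests. The CRX file, the content script and the extension id are all constructed.

```javascript
// Added example, not the talk's tooling: CRX -> ZIP -> manifest -> listener scan
// -> Elasticsearch bulk lines, with Node built-ins only. Sample data is constructed.

// Step 1: find the ZIP payload inside a CRX file.
// CRX2: "Cr24", version=2, key length, signature length, key, signature, ZIP.
// CRX3: "Cr24", version=3, header length, header, ZIP. (Integers are little-endian.)
function crxZipOffset(buf) {
  if (buf.length < 12 || buf.toString("latin1", 0, 4) !== "Cr24") throw new Error("not a CRX file");
  const version = buf.readUInt32LE(4);
  if (version === 2) {
    if (buf.length < 16) throw new Error("truncated CRX2 header");
    return 16 + buf.readUInt32LE(8) + buf.readUInt32LE(12);
  }
  if (version === 3) return 12 + buf.readUInt32LE(8);
  throw new Error(`unsupported CRX version ${version}`);
}

// Returns the embedded ZIP (unpack it with any ZIP tool or library).
function crxToZip(buf) {
  const offset = crxZipOffset(buf);
  if (buf.toString("latin1", offset, offset + 2) !== "PK") throw new Error("no ZIP signature at payload offset");
  return buf.subarray(offset);
}

// Step 2: list the content scripts declared in manifest.json.
function contentScriptsFromManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = [];
  for (const cs of manifest.content_scripts || []) {
    for (const js of cs.js || []) scripts.push({ path: js, matches: cs.matches || [] });
  }
  return scripts;
}

// Step 3: locate postMessage listeners. A crude text match (the AST walk used in
// the talk is more precise); mentionsOrigin flags whether `.origin` appears within
// the next few lines, a quick hint of whether any origin check exists at all.
const LISTENER_RE = /addEventListener\s*\(\s*["']message["']|\.onmessage\s*=/;
function findMessageListeners(source, lookahead = 5) {
  const lines = source.split("\n");
  const hits = [];
  lines.forEach((line, i) => {
    if (!LISTENER_RE.test(line)) return;
    const body = lines.slice(i, i + lookahead).join("\n");
    hits.push({ line: i + 1, text: line.trim(), mentionsOrigin: /\.origin\b/.test(body) });
  });
  return hits;
}

// Step 4: one action/document pair per listener for the Elasticsearch _bulk API.
function toBulkLines(extensionId, scriptPath, hits, index = "postmessage-listeners") {
  const out = [];
  for (const hit of hits) {
    out.push(JSON.stringify({ index: { _index: index } }));
    out.push(JSON.stringify({ extension: extensionId, script: scriptPath, ...hit }));
  }
  return out.length ? out.join("\n") + "\n" : "";
}

// Constructed CRX3 file: a fake header followed by bytes starting with the ZIP signature.
function buildSampleCrx3() {
  const header = Buffer.from("constructed protobuf header", "latin1");
  const zip = Buffer.from("PK\x03\x04 constructed zip placeholder", "latin1");
  const prefix = Buffer.alloc(12);
  prefix.write("Cr24", 0, "latin1");
  prefix.writeUInt32LE(3, 4);
  prefix.writeUInt32LE(header.length, 8);
  return Buffer.concat([prefix, header, zip]);
}

// Constructed content script: one listener trusting only a marker, one checking origin.
const SAMPLE_CONTENT_SCRIPT = `
window.addEventListener("message", function (event) {
  if (event.data && event.data.source === "my-devtools") {   // marker only, no origin check
    chrome.runtime.sendMessage(event.data);
  }
});
window.onmessage = function (e) {
  if (e.origin !== "https://example.org") return;
  handle(e.data);
};
`;

// Runs the pipeline over the constructed inputs and returns every intermediate result.
function runSample() {
  const crx = buildSampleCrx3();
  const hits = findMessageListeners(SAMPLE_CONTENT_SCRIPT);
  return { zipOffset: crxZipOffset(crx), zipBytes: crxToZip(crx).length, hits,
           bulk: toBulkLines("constructed-extension-id", "js/content.js", hits) };
}
```

On a real corpus the loop is: for each downloaded .crx, write crxToZip() to disk, unpack it, feed manifest.json to contentScriptsFromManifest(), run findMessageListeners() over each listed script, and POST the concatenated toBulkLines() output to the _bulk endpoint with Content-Type application/x-ndjson. Listeners with mentionsOrigin false are the first ones to review by hand.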

Page 21

THE RESULTS

Part IV

Page 22

React Dev Tools

• Got postMessage protection only recently, via an external PR:

Page 23

React Dev Tools

• Prior to the fix, the message was validated by just checking a special property (which is user controlled):

Page 24

Ember Inspector

• No origin validation, but, luckily, data does not reach sensitive parts.

Page 25

AngularJS Batarang (Angular v1.x)

• Developers have no clue how to validate origin

Page 26

Augury (Angular v2.x)

• Again, origin validation is just checking a magic string

Page 27

Augury (Angular v2.x)

• Augury employs interesting message serialization:

Page 28

Augury (Angular v2.x)

• XSS on any web site with the extension installed

Page 29

Augury (Angular v2.x)

Page 30

LanSweeper ShellExecute

Page 31

LanSweeper ShellExecute

Page 32

LanSweeper ShellExecute

Page 33

THE TAKEAWAYS

Part V

Page 34

The takeaways

• For users:
  – do not install shady extensions from unknown publishers
  – check requested permissions

Page 35

The takeaways

• For developers:
  – pay attention to origin validation in message listeners
  – consider origin bypass tricks
  – do not rely on magic strings

Page 36

The takeaways

• For browsers:
  – should provide built-in origin validation
  – see the getMessage proposal by @homakov

Page 37

Thank you!

