PostMessage Security in Chrome Extensions
Arseny Reutov, [email protected], https://raz0r.name
OWASP London Chapter
PostMessage Security in Chrome Extensions · PostMessage in Chrome extensions • Chrome extensions use postMessage API to receive messages from external web sites (e.g. translator services)

Jul 10, 2020

Transcript
Page 1

PostMessage Security in Chrome Extensions
Arseny Reutov, [email protected], https://raz0r.name

OWASP London Chapter

Page 2

$whoami

• Web application security researcher at Positive Technologies

• Member of the Positive Hack Days (https://phdays.com) conference board

• Occasional web security blogger (https://raz0r.name)

Page 3

Agenda

• Chrome extensions & their messaging
• PostMessage security considerations
• Mounting extensions analysis
• The results!
• The takeaways

Page 4

CHROME EXTENSIONS & THEIR MESSAGING

Part I

Page 5

Chrome extensions ecosystem

• The Chrome Web Store is notorious for its security problems (unintuitive permission dialogs, malware & insecure extensions)

Page 6

Chrome extensions messaging

Page 7

Extension manifest file

{
  "manifest_version": 2,
  "name": "My Extension",
  "description": "My Super Chrome Extension",
  "version": "1.0",
  "background": {
    "scripts": ["js/background.js"]
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["js/jquery.js", "js/content.js"]
    }
  ],
  "permissions": ["tabs", "http://*/*", "https://*/*"]
}

Page 8

POSTMESSAGE SECURITY CONSIDERATIONS

Part II

Page 9

PostMessage API

The window.postMessage() method enables cross-origin communication

someWindow.postMessage(
  "my message", // message data
  "*",          // target origin
);

Page 10

PostMessage API

The developer is in charge of origin validation

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {
  if (event.origin !== "http://example.org")
    return; // checking origin host
  if (event.source !== window)
    return; // or origin window
  process(event.data);
}

Page 11

PostMessage API

• If origin validation is absent or is flawed, an attacker's message data can reach dangerous pieces of code.

• See "The pitfalls of postMessage" by Mathias Karlsson for common origin validation bypasses.

Page 12

PostMessage API

• Unlike other DOM events, message propagation to listeners cannot be stopped via return false or stopPropagation().

• Extensions' message listeners are not listed in Chrome Developer Tools.

Page 13

PostMessage Attack Vectors

Method 1: iframes

var iframe = document.createElement("iframe");
iframe.src = "http://target.com";
iframe.contentWindow.postMessage("some message", "*");

Pros: stealthy
Cons: killed by X-Frame-Options and frame busters

Page 14

PostMessage Attack Vectors

Method 2: opening a new window

var targetWindow = window.open("http://target.com");
targetWindow.onload = function() {
  targetWindow.postMessage("some message", "*");
}

Pros: not affected by X-Frame-Options
Cons: more noisy

Page 15

PostMessage in Chrome extensions

• Chrome extensions use the postMessage API to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions)

• postMessage data can be passed into the background script context, and in some cases even reach the OS via the Native Messaging API

Page 16

MOUNTING EXTENSIONS ANALYSIS

Part III

Page 17

The Research Steps

• Download extensions (Web Development category only)

Page 18

The Research Steps

• Parse CRX files (https://github.com/vladignatyev/crx-extractor)

• Convert to ZIP
• Unpack

Page 19

The Research Steps

• Parse manifest file, find content scripts
• Parse each content script with the Acorn JS parser (https://github.com/ternjs/acorn)

• Look for postMessage listeners with an Acorn plugin

Page 20

The Research Steps

• Log each postMessage listener found into a local Elasticsearch
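A small stand-in for the pipeline on slides 17 to 20, added here as an example; it is not the talk's own tooling. It parses a manifest like the one on slide 7, takes its content scripts, locates addEventListener("message", ...) calls and flags handlers that never read the event's origin or source. Brace matching replaces the Acorn AST walk; the manifest, scripts and the "my-ext" marker are constructed.

```javascript
// Added example (not the talk's tooling): parse manifest, list content scripts,
// find "message" listeners, flag handlers that never consult event.origin or
// event.source. Brace matching stands in for the Acorn AST walk and does not
// handle parentheses inside string literals. All inputs are constructed.
const MANIFEST = JSON.stringify({
  name: "Demo Extension", version: "1.0",
  content_scripts: [{ matches: ["<all_urls>"], js: ["js/content.js", "js/bridge.js"] }],
});
const SCRIPTS = {   // constructed content scripts: one validates origin, one does not
  "js/content.js": `window.addEventListener("message", function (event) {
      if (event.origin !== "https://example.org") return;
      handle(event.data);
    });`,
  "js/bridge.js": `window.addEventListener("message", e => {
      if (e.data.source === "my-ext") chrome.runtime.sendMessage(e.data); // magic string
    }, false);`,
};
// Content-script files declared in the manifest, in declaration order.
function contentScripts(manifestJson) {
  return (JSON.parse(manifestJson).content_scripts || []).flatMap(cs => cs.js || []);
}
// Argument text of each addEventListener("message", ...) call, cut at the ")" that balances the call.
function messageListeners(src) {
  const out = [], re = /addEventListener\(\s*["']message["']\s*,/g;
  for (let m; (m = re.exec(src)) !== null; ) {
    const open = m.index + "addEventListener".length;   // index of the call's "("
    let depth = 0, i = open;
    for (; i < src.length; i++) {
      if (src[i] === "(") depth++;
      else if (src[i] === ")" && --depth === 0) break;
    }
    out.push(src.slice(open + 1, i));
  }
  return out;
}
// Event parameter name of an inline handler, or null when the handler is passed by reference.
function eventParam(args) {
  const m = args.match(/function\s*\w*\s*\(\s*(\w+)/) || args.match(/\(?\s*(\w+)\s*\)?\s*=>/);
  return m ? m[1] : null;
}
// One verdict per listener. Only <param>.origin / <param>.source count as a check;
// a payload field such as e.data.source is sender-controlled and deliberately does not.
function audit(manifestJson, scripts) {
  return contentScripts(manifestJson).flatMap(file =>
    messageListeners(scripts[file] || "").map(args => {
      const p = eventParam(args);
      const ok = p && new RegExp(`\\b${p}\\.(origin|source)\\b`).test(args);
      return { script: file, verdict: !p ? "unresolved" : ok ? "checks-origin" : "no-origin-check" };
    }));
}
```

Listeners whose handler is a named function defined elsewhere come back as "unresolved"; the AST-based scan in the talk would follow the reference instead.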

Page 21

THE RESULTS

Part IV

Page 22

React Dev Tools

• Got postMessage protection only recently, via an external PR:

Page 23

React Dev Tools

• Prior to the fix, the message was validated just by checking a special property (which is user-controlled):

Page 24

Ember Inspector

• No origin validation, but, luckily, data does not reach sensitive parts.

Page 25

AngularJS Batarang (Angular v1.x)

• Developers have no clue how to validate origin

Page 26

Augury (Angular v2.x)

• Again, origin validation is just checking a magic string

Page 27

Augury (Angular v2.x)

• Augury employs interesting message serialization:

Page 28

Augury (Angular v2.x)

• XSS on any web site with the extension installed

Page 29

Augury (Angular v2.x)

Page 30

LanSweeper ShellExecute

Page 31

LanSweeper ShellExecute

Page 32

LanSweeper ShellExecute

Page 33

THE TAKEAWAYS

Part V

Page 34

The takeaways

• For users:
– do not install shady extensions from unknown publishers
– check requested permissions

Page 35

The takeaways

• For developers:
– pay attention to origin validation in message listeners
– consider origin bypass tricks
– do not rely on magic strings
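The three listener checks the talk contrasts, side by side, as an added example that is not code from the talk or from any extension it names: the magic-string check of slides 23 and 26, the substring-style origin check that slide 11's bypasses target, and the strict check of slide 10 that the developer takeaways call for. The trusted origins, the "my-ext" marker and the sample events are constructed.

```javascript
// Added example: three ways a content script might vet a postMessage sender,
// run over constructed sample events. Origins and "my-ext" are made up here.
const win = {};                                   // stand-in for the expected source window
const TRUSTED = new Set(["https://example.org", "https://app.example.org"]);

// Weak check 1 (magic string): a field in the payload. Any page can send a
// message carrying it, so it proves nothing about who sent the message.
function magicStringCheck(event) {
  return !!event.data && event.data.source === "my-ext";
}
// Weak check 2 (substring match): accepts any origin that merely contains the
// trusted host name, including hosts an attacker can register.
function substringCheck(event) {
  return event.origin.indexOf("example.org") !== -1;
}
// Strict check: exact match of the full origin (scheme included) against an
// allowlist, and the message must come from the window we expect.
function strictCheck(event, expectedSource = win) {
  return TRUSTED.has(event.origin) && event.source === expectedSource;
}

// Constructed events shaped like the MessageEvent a listener receives.
const SAMPLES = [
  { origin: "https://example.org", source: win, data: { source: "my-ext", cmd: "ping" } },
  { origin: "https://example.org.attacker.test", source: win, data: { source: "my-ext" } },
  { origin: "http://example.org", source: win, data: { cmd: "ping" } },   // wrong scheme
  { origin: "https://evil.test", source: win, data: { source: "my-ext" } },
];

// Indices of the samples a given check lets through.
function accepted(check, events = SAMPLES) {
  return events.map((e, i) => (check(e) ? i : -1)).filter(i => i >= 0);
}

// A listener that only hands validated messages to the real handler.
function guardedListener(check, handler) {
  return event => { if (check(event)) handler(event.data); };
}
```

Only the strict check accepts just the first sample; the magic-string check passes every sender that copies the marker, and the substring check passes the look-alike host and the plain-http origin.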

Page 36

The takeaways

• For browsers:
– should provide built-in origin validation
– see the getMessage proposal by @homakov

Page 37

Thank you!