postmessage security in chrome extensions · 2020. 1. 17. · postmessagein chrome extensions...
TRANSCRIPT
$whoami
• WebapplicationsecurityresearcheratPositiveTechnologies
• MemberofPositiveHackDays(https://phdays.com)conferenceboard
• Occasionalwebsecurityblogger(https://raz0r.name)
Agenda
• Chromeextensions&theirmessaging• PostMessage securityconsiderations• Mountingextensionsanalysis• Theresults!• Thetakeaways
CHROMEEXTENSIONS&THEIRMESSAGING
PartI
Chromeextensionsecosystem
• ChromeWebStoreisnotoriouslyknownintermsofsecurity(unintuitivepermissionsdialogs,malware&insecureextensions)
Chromeextensionsmessaging
Extensionmanifestfile{
"name": “My Extension",
"description": “My Super Chrome Extension",
"version": “1.0",
"background": {
"scripts": [“js/background.js"]
},
"content_scripts": [
{
"matches": ["<all_urls>"],
"js": ["js/jquery.js", "js/content.js"]
}
],
"permissions": ["tabs", "http://*/*", "https://*/*"]
}
POSTMESSAGE SECURITYCONSIDERATIONS
PartII
PostMessage API
window.postMessage()methodenablescross-origincommunication
someWindow.postMessage(
"my message", // message data
"*", // target origin
);
PostMessage API
Developerisinchargeoforiginvalidation
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {if (event.origin !== "http://example.org")
return; // checking origin hostif (event.source !== window)
return; // or origin windowprocess(event.data);
}
PostMessage API
• Iforiginvalidationisabsentorisflawed,anattacker’smessagedatacanreachdangerouspiecesofcode.
• See“ThepitfallsofpostMessage”byMathiasKarlsson forcommonoriginvalidationbypasses.
PostMessage API
• UnlikeotherDOMevents,messagepropagationtolistenerscannotbestoppedviareturn false or stopPropagation().
• Extensions’messagelistenersarenotlistedinChromeDeveloperTools.
PostMessage AttackVectors
Method1:iframes
var iframe = document.createElement("iframe");
iframe.src = "http://target.com";
iframe.contentWindow.postMessage("some message", "*");
Pros:stealthyCons:killedbyX-Frame-Optionsandframebusters
PostMessage AttackVectors
Method2:openinganewwindow
var targetWindow = window.open("http://target.com");
targetWindow.onload = function() {
targetWindow.postMessage("some message", "*");
}
Pros:notaffectedbyX-Frame-OptionsCons:morenoisy
PostMessage inChromeextensions
• ChromeextensionsusepostMessage APItoreceivemessagesfromexternalwebsites(e.g.translatorservices)orwithinthesameorigin(especiallyindevelopertoolsextensions)
• postMessage datacanbepassedintobackgroundscriptcontext,andinsomecasesevenreachOSviaNativeMessagingAPI
MOUNTINGEXTENSIONSANALYSISPartIII
TheResearchSteps
• Downloadextensions(WebDevelopmentcategoryonly)
TheResearchSteps
• ParseCRXfiles(https://github.com/vladignatyev/crx-extractor)
• ConverttoZIP• Unpack
TheResearchSteps
• ParseManifestfile,findcontentscripts• ParseeachcontentscriptwithAcornJSparser(https://github.com/ternjs/acorn)
• LookforpostMessage listenerswithanAcornplugin
TheResearchSteps
• LogeachpostMessage listenerfoundintolocalelasticsearch
THERESULTSPartIV
ReactDev Tools
• HavegotpostMessage protectionjustrecentlybyanexternalPR:
ReactDev Tools
• Priortothefixmessagewasvalidatedbyjustcheckingaspecialproperty(whichisusercontrolled):
EmberInspector
• Nooriginvalidation,but,luckily,datadoesnotreachsensitiveparts.
AngularJS Batarang (Angularv1.x)
• Developershavenocluehowtovalidateorigin
Augury(Angularv2.x)
• Again,originvalidationisjustcheckingamagicstring
Augury(Angularv2.x)
• Auguryemploysinterestingmessageserialization:
Augury(Angularv2.x)
• XSSonanywebsitewiththeextensioninstalled
Augury(Angularv2.x)
LanSweeper ShellExecute
LanSweeper ShellExecute
LanSweeper ShellExecute
THETAKEAWAYSPartV
Thetakeaways
• Forusers:– donotinstallshadyextensionsfromunknownpublishers
– checkrequestedpermissions
Thetakeaways
• Fordevelopers:– payattentiontooriginvalidationinmessagelisteners
– consideroriginbypasstricks– donotrelyonmagicstrings
Thetakeaways
• Forbrowsers:– shouldprovidebuilt-inoriginvalidation– seegetMessage proposalby@homakov
Thankyou!