PostMessage Security in Chrome Extensions · 2020. 1. 17.
$whoami
• Web application security researcher at Positive Technologies
• Member of the Positive Hack Days (https://phdays.com) conference board
• Occasional web security blogger (https://raz0r.name)
Agenda
• Chrome extensions & their messaging
• PostMessage security considerations
• Mounting extensions analysis
• The results!
• The takeaways
CHROME EXTENSIONS & THEIR MESSAGING
Part I
Chrome extensions ecosystem
• The Chrome Web Store is notoriously known for its security problems (unintuitive permission dialogs, malware & insecure extensions)
Chrome extensions messaging
Extension manifest file
{
  "name": "My Extension",
  "description": "My Super Chrome Extension",
  "version": "1.0",
  "background": {
    "scripts": ["js/background.js"]
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["js/jquery.js", "js/content.js"]
    }
  ],
  "permissions": ["tabs", "http://*/*", "https://*/*"]
}
POSTMESSAGE SECURITY CONSIDERATIONS
Part II
PostMessage API
The window.postMessage() method enables cross-origin communication:
someWindow.postMessage(
  "my message", // message data
  "*"           // target origin ("*" lets any origin receive the message)
);
PostMessage API
The developer is in charge of origin validation:
window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {
  if (event.origin !== "http://example.org")
    return; // check the origin host
  if (event.source !== window)
    return; // or the origin window
  process(event.data);
}
PostMessage API
• If origin validation is absent or flawed, an attacker's message data can reach dangerous pieces of code.
• See "The pitfalls of postMessage" by Mathias Karlsson for common origin validation bypasses.
PostMessage API
• Unlike other DOM events, message propagation to listeners cannot be stopped via return false or stopPropagation().
• Extensions' message listeners are not listed in Chrome Developer Tools.
PostMessage Attack Vectors
Method 1: iframes
var iframe = document.createElement("iframe");
iframe.src = "http://target.com";
iframe.contentWindow.postMessage("some message", "*");
Pros: stealthy
Cons: killed by X-Frame-Options and frame busters
PostMessage Attack Vectors
Method 2: opening a new window
var targetWindow = window.open("http://target.com");
targetWindow.onload = function() {
  targetWindow.postMessage("some message", "*");
}
Pros: not affected by X-Frame-Options
Cons: more noisy
PostMessage in Chrome extensions
• Chrome extensions use the postMessage API to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions)
• postMessage data can be passed into the background script context, and in some cases even reach the OS via the Native Messaging API
MOUNTING EXTENSIONS ANALYSIS
Part III
The Research Steps
• Download extensions (Web Development category only)
The Research Steps
• Parse CRX files (https://github.com/vladignatyev/crx-extractor)
• Convert to ZIP
• Unpack
The Research Steps
• Parse the manifest file, find content scripts
• Parse each content script with the Acorn JS parser (https://github.com/ternjs/acorn)
• Look for postMessage listeners with an Acorn plugin
The Research Steps
• Log each postMessage listener found into a local Elasticsearch
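The last three research steps (find listeners in content scripts, classify them, record them) as an added example. This is not the author's tooling: where the slides use an Acorn AST plugin, this stands in with a dependency-free regex-and-brace heuristic, and the returned record array stands in for the Elasticsearch sink. The file names and the three sample content scripts are constructed to mirror the patterns the results section reports (origin check, magic string only, no validation).

```javascript
// Added example: a heuristic static scanner for postMessage listeners in
// extension content scripts. Not from the slides; regex-based rather than
// an Acorn plugin, so it runs with no dependencies.

// Listener registration forms: addEventListener("message", ...) and onmessage = ...
const LISTENER_RE = /addEventListener\s*\(\s*["']message["']|\.onmessage\s*=/g;

// Return the first {...} block at or after `from`, matching braces and skipping
// string literals. Heuristic: template literals with nested ${} and regex
// literals containing braces are not handled.
function extractHandlerBody(src, from) {
  const open = src.indexOf("{", from);
  if (open === -1) return "";
  let depth = 0;
  let quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {
      if (ch === "\\") { i++; continue; } // skip escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; continue; }
    if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced braces: return the rest of the file
}

function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Does the handler look at event.origin, compare event.source to something
// other than a string literal (e.g. window), or merely compare a field under
// event.data against a string (the "magic string" anti-pattern)?
const ORIGIN_RE = /\.origin\b/;
const SOURCE_RE = /(?<!data)\.source\s*[!=]==?\s*(?!["'])/;
const MAGIC_RE = /\bdata(?:\.\w+|\[[^\]]+\])*\s*[!=]==?\s*["']/;

function classify(rec) {
  if (rec.checksOrigin || rec.checksSource) return "origin-or-source-check";
  if (rec.usesMagicString) return "magic-string-only";
  return "no-validation";
}

// One record per listener found in `src`, in the shape one would index.
function findMessageListeners(src, file) {
  const records = [];
  const re = new RegExp(LISTENER_RE.source, "g");
  let m;
  while ((m = re.exec(src)) !== null) {
    const body = extractHandlerBody(src, m.index);
    const rec = {
      file,
      line: lineOf(src, m.index),
      checksOrigin: ORIGIN_RE.test(body),
      checksSource: SOURCE_RE.test(body),
      usesMagicString: MAGIC_RE.test(body),
    };
    rec.verdict = classify(rec);
    records.push(rec);
  }
  return records;
}

function scanAll(scripts) {
  return Object.entries(scripts).flatMap(([file, src]) => findMessageListeners(src, file));
}

// Constructed sample content scripts (hypothetical extensions, not real ones).
const SAMPLE_SCRIPTS = {
  "ext-a/content.js": `
window.addEventListener("message", function (event) {
  if (event.origin !== "https://app.example.org") return;
  chrome.runtime.sendMessage(event.data);
}, false);
`,
  "ext-b/content.js": `
window.addEventListener('message', (e) => {
  if (e.data && e.data.source === 'my-devtools-bridge') {
    chrome.runtime.sendMessage(e.data.payload);
  }
});
`,
  "ext-c/inject.js": `
window.onmessage = function (msg) {
  chrome.runtime.sendMessage(msg.data);
};
`,
};

for (const rec of scanAll(SAMPLE_SCRIPTS)) console.log(JSON.stringify(rec));
```

A verdict of "origin-or-source-check" only means a comparison is present; whether that comparison is exact or bypassable still needs manual review, which is why the records keep the individual flags rather than a single pass/fail.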
THE RESULTS
Part IV
React Dev Tools
• Got postMessage protection just recently via an external PR:
React Dev Tools
• Prior to the fix, the message was validated by just checking a special property (which is user controlled):
Ember Inspector
• No origin validation, but, luckily, the data does not reach sensitive parts.
AngularJS Batarang (Angular v1.x)
• Developers have no clue how to validate the origin
Augury (Angular v2.x)
• Again, origin validation is just checking a magic string
Augury (Angular v2.x)
• Augury employs interesting message serialization:
Augury (Angular v2.x)
• XSS on any web site with the extension installed
LanSweeper ShellExecute
The takeaways
• For users:
  – do not install shady extensions from unknown publishers
  – check requested permissions
The takeaways
• For developers:
  – pay attention to origin validation in message listeners
  – consider origin bypass tricks
  – do not rely on magic strings
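The three developer takeaways, and the magic-string pattern reported for React Dev Tools and Augury, as one added example. This is not code from the slides or from any of the extensions named; the origin, the marker string and the command names are constructed for illustration. The weak check is shown next to the hardened one so the difference is testable with plain objects standing in for MessageEvent.

```javascript
// Added example (not from the slides or from any named extension): a
// content-script message listener that validates origin, source and payload.

// Exact-match allowlist of full origins (scheme + host + port). Prefix,
// substring or unanchored-regex comparisons are the bypass tricks the
// slides warn about. Hypothetical origin.
const ALLOWED_ORIGINS = new Set(["https://app.example.org"]);

// The weak pattern found in several extensions: trusting a marker inside the
// payload. Any page can put the same marker into its own message, so this
// proves nothing about who sent it. Hypothetical marker string.
function isTrustedMessageWeak(event) {
  return Boolean(event.data && event.data.source === "my-extension-bridge");
}

// The strong pattern: event.origin and event.source are set by the browser
// and cannot be forged by the sender. Compare the origin string exactly and,
// for a same-window protocol, require the expected sending window.
function isTrustedMessage(event, expectedSource, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return false;
  }
  if (expectedSource !== undefined && event.source !== expectedSource) {
    return false;
  }
  return true;
}

// Validate the payload shape too: a known command and a bounded string
// argument, so unexpected types never reach the background script.
const KNOWN_COMMANDS = new Set(["highlight", "inspect"]); // hypothetical

function parseCommand(data) {
  if (!data || typeof data !== "object") return null;
  if (!KNOWN_COMMANDS.has(data.command)) return null;
  if (typeof data.selector !== "string" || data.selector.length > 256) return null;
  return { command: data.command, selector: data.selector };
}

// Decision logic kept free of DOM calls so it can be unit-tested. Returns the
// accepted command, or null when the message must be ignored.
function handleMessage(event, expectedSource) {
  if (!isTrustedMessage(event, expectedSource)) return null;
  return parseCommand(event.data);
}

// How the listener is installed in a content script: `forward` (e.g. a wrapper
// around chrome.runtime.sendMessage) is only called once handleMessage()
// has accepted the message. Messages from other windows are dropped.
function installListener(win, forward) {
  win.addEventListener("message", (event) => {
    const cmd = handleMessage(event, win);
    if (cmd !== null) forward(cmd);
  }, false);
}
```

Because message propagation cannot be stopped (slide 12), every listener on the page sees every message; the listener above therefore never throws on unexpected input and simply returns null, rather than assuming another handler will filter first.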
The takeaways
• For browsers:
  – should provide built-in origin validation
  – see the getMessage proposal by @homakov
Thank you!