Divyanshu Shukla (justm0rph3u5)
Information Security Engineer
Browser Hacking
For Fun & Profit
@justm0rph3u5 @justm0rph3u5
Agenda
• Introduction of Browsers
• Working of Browsers
• Basic Features
• Origin and Same Origin Policy
• Same Origin Policy in action
• Content Security Policy
• Common Attacks on Browsers/WebView
• RCE and Cross Scheme Data Exposure
• Demo For UXSS
• Demo For Denial Of Service
• Demo For SOP Same Origin Bypasses
• Demo For Address Bar Spoofing in Android
• Demo For Address Bar Spoofing in Safari
• Demo For Content Spoofing
Working Of Browsers
Basic Features
Features Provided By Browser:
• Multiple tabs
• Address bar
• Autocomplete
• Password manager
• Downloads
• Handling of untrusted SSL/TLS certificates (warnings)
• Safety ratings
• Malware protection
• Cloud integration
• Ad blocker, etc.
Origin
Two URLs have the same origin if the scheme (protocol), the host, and the port (explicit, or the scheme's default when none is given) are the same for both.
Same Origin Policy
Same Origin
• The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
• In simple words, two web pages are on the same origin if they have the same URL scheme, hostname and port number.
Same Origin Bypass
• SOP bypasses mostly come from logical confusion between layers: one layer (for example the URL parser) interprets the input one way and another layer (the origin check, the renderer, a WebView wrapper) interprets it differently, so the two disagree about which origin a piece of content belongs to.
SOP In Action
Code For SOP
<script>
  // A page on some other origin asks for Gmail's content
  var x = new XMLHttpRequest();
  x.open('GET', 'http://www.gmail.com', true);
  x.onload = function () {
    document.write(x.responseText); // never receives a readable cross-origin body
  };
  x.send();
</script>
SOP stops the page from reading the response from www.gmail.com: the requesting page's origin differs from Gmail's (a mismatch in any of scheme, host or port is enough), and Gmail sends no CORS header permitting the read, so the browser blocks access to the response rather than handing responseText to the script.
Content Security Policy
CSP & CSP Bypass
• Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
• A CSP bypass is not always a security bug in the browser: if the policy itself allows the source the attacker uses (for instance a broad host or 'unsafe-inline'), the browser is enforcing exactly what the site asked for.
• Header syntax: Content-Security-Policy: policy
Common Attacks
• Cross Scheme Data Exposure Attacks
• Remote Code Execution
• DoS
• UXSS
• SOP Bypass
• Spoofing
• Fuzzing
Most Common Attacks on WebView/Browsers
SOP bypass / UXSS
RCE and Cross Scheme Data Exposure
Cross Scheme Data Exposure
• In modern browsers the HTTP scheme and the file scheme (file:///etc/passwd) are treated as different origins. If JavaScript running on an http: page can load and read local files, that is a SOP bypass, and it gives the attacker the equivalent of a directory traversal.
• Mozilla provides a component known as "nsILocalFile"; through it one can work with the path separators used on different platforms and query the state of any file or directory.
• The component is referenced through the string '@mozilla.org/file/local;1' (what Mozilla calls a contract ID) to create an instance.
• In the case discussed here this led to code execution.
Remote Code Execution
Demo for Denial Of Service
Denial of Service
• A denial-of-service vulnerability is one where the application fails to provide its service, here by crashing or freezing.
• In this case setInterval was used to exploit the browser: the resource becomes unavailable and the browser crashes.
• The browser allows JavaScript to keep updating the address bar while the page is still loading, which causes the browser to crash or freeze, i.e. a DoS.
• Mitigation: the browser window should not be allowed to update the address bar while a page is loading, and the application should handle the exception instead of freezing.
• Code Url: https://justmorpheus.000webhostapp.com/null/dos.html
• Demo Video
Demo For Universal XSS
CVE-2019-13607*: UXSS via the javascript: protocol
• An attacker-controlled domain returns "javascript:code_here" in the Location header; the browser then executes that JavaScript in the context of the target domain instead of the attacker's domain.
• If the value of the Location header is "javascript:alert()", the browser executes alert().
• Mitigation: the browser must not execute JavaScript from a javascript: redirect target in the context of the domain from which the navigation was initiated.
• Code Url: http://rakeshmane.com/secret.html
• Demo Video
Thanks to Rakesh Mane for discovering UXSS
UXSS / SOP Bypass
Stealing Credentials
• A server redirect combined with a data: URI ends up bypassing the Same Origin Policy, which leads to all kinds of vulnerabilities: stealing user passwords in plain text (thanks to the password manager filling them in), grabbing cookies, spoofing the content and the referrer, etc.
• The rule of thumb for defending against UXSS is to have everything patched and up to date: the bug is in the browser, not in the web application.
Demo For Same Origin Policy Bypass
CVE-2019-14962: SOP Bypass via URL Spoofing
• A SOP bypass is when JavaScript running in one origin, say example.com, can access properties of a page on another origin, say http://example2.com, such as its cookies, location, response body, etc.
• Here it occurs when window.open() opens a new child tab and the opener rewrites the child's innerHTML, gathering credentials through a fake pop-up alert shown under the child's URL.
• Mitigation: keep the browser's model of what the SOP permits between an opener and the windows it opens strict and consistent, and reduce the complexity of the JavaScript/DOM surface that model has to cover.
• Code Url: https://justmorpheus.000webhostapp.com/null/sopbypass.html
• Demo Video
Spoofing Attacks
Introduction to Spoofing Attacks
• Google security team themselves state that "We recognize that the address bar is the only reliable
security indicator in modern browsers" .
• "Initialize and Interrupt" technique
• Load and Overwrite Race Conditions
• Loading Loop
• Spoofing Using RTL Characters
• Content Spoofing via Popup
Demo For Address Bar Spoofing
CVE-2019-12278: Address Bar Spoofing Using RTL Characters
• Opera for Android suffered from an address bar spoofing vulnerability. Characters from languages such as Persian and Arabic are displayed right to left, as prescribed by the Unicode Bidirectional Algorithm. Unicode characters such as U+08FF, U+FB50, etc. are rendered right to left, so placing one in the URL reorders how the rest of the path is displayed and can be used to spoof the URL.
• Mitigation: all such URLs must be rendered in the same fashion, i.e. left to right (for example by leaving the RTL characters percent-encoded in the address bar instead of decoding them); check the RFC for more details.
• Malicious URL:
http://3.17.56.213/%EF%B9%B0/https://google.com/links
http:// ‫اردو‬/ google.com/links
• Demo/Writeup: Opera Android Address Bar Spoofing: CVE-2019-12278
Demo: RTL Character Opera
Demo For Content Spoofing
Content Spoofing and Malicious File Download
• This issue occurs when an attacker can spoof dialog boxes as well as part of the page content, which leads to phishing. Some browsers also stop responding.
• The attacker controls part of the content through a JavaScript alert(), so an unsuspecting victim may enter credentials into it: the alert appears to belong to the genuine site rather than to the attacker's (parent) page that raised it.
• Mitigation: the root cause is a WebView host app that does not override WebChromeClient.onJsAlert(), the callback responsible for displaying the alert box, so the dialog carries no indication of which page raised it; override it and show the calling page's URL (the url parameter the callback receives) in the dialog.
• Demo URL: https://justmorpheus.000webhostapp.com/day3/content2.html
• Demo Video
Demo For URL Bar Spoofing in Safari
CVE-2019-8727: Spoofing in Safari for iOS 12.3 and iOS 13 Beta
• Due to an insecure design, Safari failed to handle navigations started from setTimeout and setInterval correctly: navigating to a host on a non-existent (closed) port delayed the page load, and during that delay the address bar already showed the target URL while the attacker's page stayed visible.
• Code:
<script>
  setTimeout(function () {
    function spoof() {
      // Navigate to a port on which the bank's host does not listen: the load
      // never completes, but the address bar already shows the bank's URL.
      window.location.assign("https://www.bankofamerica.com:8090");
    }
    // As in the original demo, spoof() is called immediately here; its
    // undefined return value is what setInterval actually receives.
    setInterval(spoof(), 50000);
  }, 100);
</script>
• Mitigation: reset the document while the navigation is pending, for example by showing a blank page or a progress bar, or complete the redirect to the genuine page.
• Code Url: https://justmorpheus.000webhostapp.com/null/boa.html
• Demo/Writeup: URL Bar Spoofing Flaw in Safari for iOS 12.3 and iOS 13 Beta | CVE-2019-8727
References
• https://www.blackhat.com/docs/asia-16/materials/asia-16-Baloch-Bypassing-Browser-Security-Policies-For-Fun-And-Profit.pdf – By Rafay Baloch
• https://www.bugcrowd.com/resources/webinars/browser-exploitation-for-fun-and-profit/ – By Dhiraj Mishra
• https://cyberweek.ae/materials/D2%20COMMSEC%20-%20Call%20Of%20Duty-%20Modern%20Browser%20Warfare%20-%20Dhiraj%20Mishra.pdf
• https://runic.pl/hitb-ios-browsers.pdf
• PPT: https://www.free-powerpoint-templates-design.com
For writeups: https://medium.com/@justm0rph3u5

Presented at: Null Bangalore Meetup 2019 (Browser Hacking For Fun and Profit, Divyanshu Shukla)


Editor's Notes

  1. From Dhiraj Mishra’s PPT