PostMessage Security in Chrome Extensions

Transcript

1. PostMessage Security in Chrome Extensions Arseny Reutov [email protected] https://raz0r.name OWASP

   London Chapter

2. $ whoami • Web application security researcher at Positive Technologies

   • Member of Positive Hack Days (https://phdays.com) conference board • Occasional web security blogger (https://raz0r.name)

3. Agenda • Chrome extensions & their messaging • PostMessage security

   considerations • Mounting extensions analysis • The results! • The takeaways

4. CHROME EXTENSIONS & THEIR MESSAGING Part I

5. Chrome extensions ecosystem • Chrome Web Store is notoriously known

   in terms of security (unintuitive permissions dialogs, malware & insecure extensions)

6. Chrome extensions messaging

7. Extension manifest file { "name": “My Extension", "description": “My Super

   Chrome Extension", "version": “1.0", "background": { "scripts": [“js/background.js"] }, "content_scripts": [ { "matches": ["<all_urls>"], "js": ["js/jquery.js", "js/content.js"] } ], "permissions": ["tabs", "http://*/*", "https://*/*"] }

8. POSTMESSAGE SECURITY CONSIDERATIONS Part II

9. PostMessage API window.postMessage() method enables cross- origin communication someWindow.postMessage( "my

   message", // message data "*", // target origin );

10. PostMessage API Developer is in charge of origin validation window.addEventListener("message",

    receiveMessage, false); function receiveMessage(event) { if (event.origin !== "http://example.org") return; // checking origin host if (event.source !== window) return; // or origin window process(event.data); }

11. PostMessage API • If origin validation is absent or is

    flawed, an attacker’s message data can reach dangerous pieces of code. • See “The pitfalls of postMessage” by Mathias Karlsson for common origin validation bypasses.

12. PostMessage API • Unlike other DOM events, message propagation to

    listeners cannot be stopped via return false or stopPropagation(). • Extensions’ message listeners are not listed in Chrome Developer Tools.

13. PostMessage Attack Vectors Method 1: iframes var iframe = document.createElement("iframe");

    iframe.src = "http://target.com"; iframe.contentWindow.postMessage("some message", "*"); Pros: stealthy Cons: killed by X-Frame-Options and framebusters

14. PostMessage Attack Vectors Method 2: opening a new window var

    targetWindow = window.open("http://target.com"); targetWindow.onload = function() { targetWindow.postMessage("some message", "*"); } Pros: not affected by X-Frame-Options Cons: more noisy

15. PostMessage in Chrome extensions • Chrome extensions use postMessage API

    to receive messages from external web sites (e.g. translator services) or within the same origin (especially in developer tools extensions) • postMessage data can be passed into background script context, and in some cases even reach OS via Native Messaging API

16. MOUNTING EXTENSIONS ANALYSIS Part III

17. The Research Steps • Download extensions (Web Development category only)

18. The Research Steps • Parse CRX files (https://github.com/vladignatyev/crx- extractor) •

    Convert to ZIP • Unpack

19. The Research Steps • Parse Manifest file, find content scripts

    • Parse each content script with Acorn JS parser (https://github.com/ternjs/acorn) • Look for postMessage listeners with an Acorn plugin

20. The Research Steps • Log each postMessage listener found into

    local elasticsearch

21. THE RESULTS Part IV

22. React Dev Tools • Have got postMessage protection just recently

    by an external PR:

23. React Dev Tools • Prior to the fix message was

    validated by just checking a special property (which is user controlled):

24. Ember Inspector • No origin validation, but, luckily, data does

    not reach sensitive parts.

25. AngularJS Batarang (Angular v1.x) • Developers have no clue how

    to validate origin

26. Augury (Angular v2.x) • Again, origin validation is just checking

    a magic string

27. Augury (Angular v2.x) • Augury employs interesting message serialization:

28. Augury (Angular v2.x) • XSS on any website with the

    extension installed

29. Augury (Angular v2.x)

30. LanSweeper Shell Execute

31. LanSweeper Shell Execute

32. LanSweeper Shell Execute

33. THE TAKEAWAYS Part V

34. The takeaways • For users: – do not install shady

    extensions from unknown publishers – check requested permissions

35. The takeaways • For developers: – pay attention to origin

    validation in message listeners – consider origin bypass tricks – do not rely on magic strings

36. The takeaways • For browsers: – should provide built-in origin

    validation – see getMessage proposal by @homakov

37. Thank you!