Published by Melvyn Logan. Modified over 6 years ago.
Class 16. CSC 495/583 Topics of Software Security: Web Browser Security (2). Dr. Si Chen
Internet Explorer Logical Components
Chrome Logical Components
Edge Logical Components
Web Technologies supported by Browsers
Google Chrome Bug Bounty Rewards
Review: UI Spoof
THE LINE OF DEATH (LoD)
In web browsers, the browser itself usually fully controls the top of the window, while pixels under the top are under control of the site. If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die.
Zone of Death
The bigger problem is that some attacker data is allowed above the LoD; while trusting the content below the LoD will kill your security, there are also areas of death above the line. A more accurate Zones of Death map might look like this:
CVE: RTL character in URL flips domain and path (Android 4.2 and earlier)
Status Bar Spoofing
Document Object Model (DOM)
Data structure manipulated by JavaScript: a web page in HTML is structured data, and the DOM provides a representation of this hierarchy.
Examples
  Properties: document.alinkColor, document.URL, document.forms[], document.links[], document.anchors[]
  Methods: document.write(document.referrer)
Also the Browser Object Model (BOM): Window, Document, Frames[], History, Location, Navigator (type and version of browser)
Browser and document tree structure
W3C standard differs from models supported in existing browsers
Components of browser security policy
Frame-frame relationships
  canScript(A,B): Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  canNavigate(A,B): Can Frame A change the origin of content for Frame B?
Frame-principal relationships
  readCookie(A,S), writeCookie(A,S): Can Frame A read/write cookies from site S?
Security indicator (lock icon)
  securityIndicator(W): Is the security indicator displayed for window W?
Generally misunderstood
Often simply stated as “same origin policy”; this usually just refers to the canScript relation.
The full policy of current browsers is complex: it evolved via “penetrate-and-patch”, and different features evolved slightly different policies.
Common scripting and cookie policies:
  canScript considers: scheme, host, and port
  canReadCookie considers: scheme, host, and path
  canWriteCookie considers: host
Cross-frame scripting
canScript(A,B) only if Origin(A) = Origin(B), where the origin of a frame is the scheme, host, and network port from which it was loaded. This is the basic Same-Origin Policy (SOP).
Some details: some properties can be read anyway. Example: A can read the size of B if A is the parent of B in the DOM hierarchy.
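Added example, not from the lecture slides: the three relations from the previous two slides, canScript, canReadCookie and canWriteCookie, implemented in JavaScript over exactly the tuples the slides list, using Node's built-in URL parser. The cookie is modelled as an object with host, path and secure fields and the URLs are constructed; both are assumptions of this example, and domain cookies that span subdomains are left out. The point a practitioner should take from it is the mismatch: a frame on bank.example:8443 cannot script bank.example:443, yet it can read that site's cookies, because the cookie policy ignores the port.

```javascript
// Origin triple that canScript compares. URL.port is "" on the scheme's
// default port, so it is filled in explicitly: https://a.example and
// https://a.example:443 must compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaults[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-Origin Policy: Frame A may script Frame B only if scheme, host and
// port all match.
function canScript(frameA, frameB) {
  const a = originOf(frameA), b = originOf(frameB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Cookie read: scheme (via the Secure flag), host and path prefix are
// considered; the port is not. Cookie shape {host, path, secure} is a
// modelling assumption of this example.
function canReadCookie(frameUrl, cookie) {
  const u = new URL(frameUrl);
  if (cookie.secure && u.protocol !== 'https:') return false;
  if (u.hostname !== cookie.host) return false;
  return u.pathname.startsWith(cookie.path);
}

// Cookie write: only the host is checked.
function canWriteCookie(frameUrl, siteHost) {
  return new URL(frameUrl).hostname === siteHost;
}

// Constructed scenario: a Secure cookie scoped to /accounts on bank.example.
const accountsCookie = { host: 'bank.example', path: '/accounts', secure: true };

// Summarise what a frame on a non-default port of the same host can do.
function oddPortFrameReport() {
  const frame = 'https://bank.example:8443/accounts/1';
  return {
    canScriptMainSite: canScript(frame, 'https://bank.example/accounts'),
    canReadAccountsCookie: canReadCookie(frame, accountsCookie),
    canWriteCookie: canWriteCookie(frame, 'bank.example'),
  };
}
```

oddPortFrameReport() returns canScriptMainSite false but both cookie checks true, which is the gap the “Generally misunderstood” slide is pointing at.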
Cross-Frame Navigation
Who decides a frame’s content?
Permissive Policy: a frame can navigate any frame. This policy is used in some browsers; not a great idea.
Guninski Attack
window.open("…", "awglogin")
window.open("…")
If the bad frame can navigate the good frame, the attacker gets the password.
Window Policy: a frame can navigate frames in its own window.
Gadget Hijacking
top.frames[1].location = "…"
top.frames[2].location = "…"
...
Gadget Hijacking
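Added example, not from the slides: a small model of a window's frame tree and of the canNavigate(A,B) relation under the two policies the lecture names, permissive and window, plus the descendant policy that current browsers use (that third policy is an addition here, simplified to: A may navigate B if A is B or an ancestor of B, or A's origin matches one of B's ancestors). The integrator/bank/attacker frame names and URLs are constructed for the illustration. It shows why the window policy is not enough: the attacker gadget and the bank gadget are siblings in the same window, so gadget hijacking is allowed until the descendant policy is applied.

```javascript
// Minimal frame tree: each frame knows its URL, parent and children.
class Frame {
  constructor(name, url, parent = null) {
    this.name = name; this.url = url; this.parent = parent; this.children = [];
    if (parent) parent.children.push(this);
  }
  get top() { let f = this; while (f.parent) f = f.parent; return f; }
  isAncestorOf(other) {
    for (let f = other.parent; f; f = f.parent) if (f === this) return true;
    return false;
  }
}

const originOf = (url) => new URL(url).origin;

// canNavigate(A, B) under the named policy.
function canNavigate(a, b, policy) {
  switch (policy) {
    case 'permissive':               // any frame can navigate any frame
      return true;
    case 'window':                   // any frame in the same window
      return a.top === b.top;
    case 'descendant':               // simplified descendant policy (assumption)
      if (a === b || a.isAncestorOf(b)) return true;
      for (let f = b; f; f = f.parent) if (originOf(f.url) === originOf(a.url)) return true;
      return false;
    default:
      throw new Error('unknown policy ' + policy);
  }
}

// Constructed gadget-hijacking scenario: the integrator page embeds a bank
// gadget and an attacker gadget as sibling frames.
function buildScenario() {
  const integrator = new Frame('top', 'https://integrator.example/');
  const bank = new Frame('bank', 'https://bank.example/gadget', integrator);
  const evil = new Frame('evil', 'https://attacker.example/gadget', integrator);
  return { integrator, bank, evil };
}

// Can the attacker gadget retarget its sibling, the bank gadget?
function gadgetHijackAllowed(policy) {
  const { bank, evil } = buildScenario();
  return canNavigate(evil, bank, policy);
}

// Can a frame in an unrelated window retarget the bank gadget?
function crossWindowAllowed(policy) {
  const { bank } = buildScenario();
  const otherWindow = new Frame('popup', 'https://attacker.example/');
  return canNavigate(otherWindow, bank, policy);
}

// Table of results for all three policies.
function policyTable() {
  const out = {};
  for (const p of ['permissive', 'window', 'descendant']) {
    out[p] = { gadgetHijack: gadgetHijackAllowed(p), crossWindow: crossWindowAllowed(p) };
  }
  return out;
}
```

policyTable() shows the progression: the permissive policy allows both navigations, the window policy blocks only the cross-window one, and the descendant policy blocks both while still letting the integrator page navigate its own gadgets.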
Browser Extensions
Web Extension Architecture Overview
A Web Extension is structured much like an HTML website: a tree of folders holding their respective files. The extension file itself is nothing but a compressed folder structure containing HTML files, JavaScript, CSS, images, audio, and so on.
CHROME EXTENSIONS
[Diagram: WEB ATTACKER. Labels: servers, client-side website, extension, browser API (history, bookmarks)]
[Diagram: NETWORK ATTACKER. Labels: servers, client-side website, extension, browser API (history, bookmarks)]
CHROME’S SECURITY MECHANISMS
[Diagram: PRIVILEGE SEPARATION. Labels: servers, client-side website, content script, core extension, browser API (history, bookmarks)]
[Diagram: ISOLATED WORLDS. Labels: servers, client-side website, content script, core extension, browser API (history, bookmarks)]
[Diagram: PERMISSIONS. Labels: servers, client-side website, content script, core extension, browser API (history, bookmarks)]
FINDING BUGS
Sample: 50 most popular + 50 random extensions
Methods: black-box testing + source code analysis
Verification: built exploits to confirm the vulnerabilities
VULNERABLE EXTENSIONS
Popular: 22   Random: 18   Total: 40
EXAMPLE: SPEED DIAL
The Speeddial extension replicates Chrome’s built-in list of recently closed pages. Speeddial keeps track of the tabs opened using the tabs manager and does not sanitize the titles of these pages before adding them to the HTML of one of its core extension pages. If a title were to contain an inline script, it would execute with the core extension’s permissions.
ISOLATED WORLDS
Need for isolation
If Googkle can script other windows, then it can steal passwords, post fraudulent bank or retail transactions, etc., etc.
Need for isolation - mashups
Need for isolation - advertisements
Vulnerability count: 3 content script vulns
DATA AS HTML
Mistake: insert data as HTML, where it can execute
Mitigation: will execute in the website’s isolated world
Vulnerabilities: 6 extensions have data-as-HTML bugs that don’t cause content script vulnerabilities
EVAL
Mistake: use eval to execute untrusted data
Mitigation: isolated worlds does not mitigate this bug
Vulnerabilities: 2 vulnerabilities due to this mistake
CLICK INJECTION
Mistake: trusting event handlers on a website
Mitigation: isolated worlds does not mitigate this bug
Vulnerabilities: 1 vulnerability due to this mistake
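Added example covering the data-as-HTML mistake from the Speed Dial slide and the eval mistake above; it is not the Speeddial extension's code nor anything from the slides. Each mistake is shown beside a hardened form. The tab titles and the settings string are constructed sample inputs; in a real extension the titles would arrive from the tabs API, and the lesson is that a page title is attacker-controlled input that must be treated as text, not markup, and that a string must be parsed as data, never executed.

```javascript
// Constructed sample input: two of the three "titles" carry markup.
const sampleTitles = [
  'Weather for Tuesday',
  '<img src=x onerror=alert(1)>',
  '<script>alert(1)</script>',
];

// MISTAKE 1: data inserted as HTML. Concatenating a title into markup makes
// any tag in it part of the page; in a core extension page that runs with
// the extension's permissions.
function renderTitlesUnsafe(titles) {
  return '<ul>' + titles.map(t => '<li>' + t + '</li>').join('') + '</ul>';
}

// Hardened form: escape the HTML-significant characters so the title is
// displayed as text. With a live DOM, element.textContent = title is the
// equivalent and is simpler still.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}
function renderTitlesSafe(titles) {
  return '<ul>' + titles.map(t => '<li>' + escapeHtml(t) + '</li>').join('') + '</ul>';
}

// Check used by the tests: does the rendered markup still contain a raw
// script or img tag taken from the input?
function containsLiveTag(html) {
  return /<script|<img/i.test(html);
}

// MISTAKE 2: eval on untrusted data. A "settings" string fetched from the
// network or read off a page is executed as code. The isolated-worlds
// boundary does nothing here, because the code runs in the extension's own
// context, exactly as the slide says.
function parseSettingsUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened form: JSON.parse yields data only; anything that is not JSON is
// rejected instead of executed.
function parseSettingsSafe(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Constructed hostile input: valid JavaScript (it sets a global as a side
// effect), not valid JSON.
const hostileSettings = '{ theme: (globalThis.pwned = true, "dark") }';
```

renderTitlesUnsafe(sampleTitles) contains a live script tag while renderTitlesSafe(sampleTitles) does not; parseSettingsUnsafe(hostileSettings) returns a settings object but also leaves globalThis.pwned set, whereas parseSettingsSafe(hostileSettings) returns null.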
Isolated worlds is highly effective because it mitigates common bugs
PRIVILEGE SEPARATION
Privilege separation: protect core extensions
[Diagram: PRIVILEGE SEPARATION. Labels: client-side website, content script, core extension, browser API (history, bookmarks)]
Vulnerability count: 50 core extension vulns
[Diagram: METADATA ATTACK. Labels: servers, client-side website, content script, core extension, browser API (history, bookmarks)]
EXAMPLE: SPEED DIAL
The Speeddial extension replicates Chrome’s built-in list of recently closed pages. Speeddial keeps track of the tabs opened using the tabs manager and does not sanitize the titles of these pages before adding them to the HTML of one of its core extension pages. If a title were to contain an inline script, it would execute with the core extension’s permissions.
[Diagram: HTTP SCRIPTS/XHRS. Labels: servers, client-side website, content script, core extension, browser API (history, bookmarks)]
PERMISSIONS
Javascript Security Model
“Sandbox” design: no direct file access, restricted network access.
Same-origin policy: a frame can only read properties of documents and windows from the same place: server, protocol, port.
However, this does not apply to a script loaded in the enclosing frame from an arbitrary site. This script runs as if it were loaded from the site that provided the page!
<script type="text/javascript" src="…"></script>
Reference:
Cross-Origin XMLHttpRequest
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
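Added example, not from the slides and not Chrome's own implementation: a simplified matcher for the match patterns an extension lists in its manifest to request cross-origin access, used to decide whether a given request is covered. It handles <scheme>://<host>/<path> with '*' wildcards in scheme, host and path, plus "<all_urls>"; the file: and ftp: schemes, port rules and query-string matching are left out, and the manifests and URLs are constructed. Seen from the next slide, it is also the least-privilege check: a narrow host permission confines what a vulnerable core extension can reach, "<all_urls>" does not.

```javascript
// Compile one match pattern into a predicate over URL strings.
function compilePattern(pattern) {
  if (pattern === '<all_urls>') return () => true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^\/*]+|[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('invalid match pattern: ' + pattern);
  const [, scheme, host, path] = m;
  // Path: '*' matches any run of characters; everything else is literal.
  const escapeRe = s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const pathRe = new RegExp('^' + path.split('*').map(escapeRe).join('.*') + '$');
  return (urlString) => {
    const u = new URL(urlString);
    const proto = u.protocol.slice(0, -1);      // "https:" -> "https"
    if (scheme === '*') {
      if (proto !== 'http' && proto !== 'https') return false;
    } else if (proto !== scheme) return false;
    if (host.startsWith('*.')) {                // "*.example.com" covers the
      const base = host.slice(2);               // bare domain and subdomains
      if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
    } else if (host !== '*' && u.hostname !== host) return false;
    return pathRe.test(u.pathname);
  };
}

// A request is allowed if any declared pattern covers it. An invalid pattern
// grants nothing rather than everything.
function isRequestAllowed(permissions, urlString) {
  return permissions.some(p => {
    try { return compilePattern(p)(urlString); } catch (e) { return false; }
  });
}

// Constructed manifests: the narrow grant a well-scoped extension declares,
// and the broad grant that turns any core-extension bug into access to every
// site.
const narrowPermissions = ['https://api.example.com/v1/*'];
const broadPermissions = ['<all_urls>'];

// Compare what each manifest lets a compromised extension reach.
function reachReport(urlString) {
  return {
    narrow: isRequestAllowed(narrowPermissions, urlString),
    broad: isRequestAllowed(broadPermissions, urlString),
  };
}
```

reachReport('https://attacker.example/collect') returns narrow false, broad true, which is the difference the permission system is meant to make when the core extension itself is buggy.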
Permissions: limit the scope of core vulnerabilities
PERMISSION RATE (27 buggy extensions)
None: 15%   Low: 44%   Medium: 30%   High: 11%
Reduces potential for severe attacks by half
RATE COMPARISON
Extensions with bugs: None 15%, Low 44%, Medium 30%, High 11%
Others: None 1%, Low 12%, …
No correlation between bugs and permissions
Yes, permissions limit the scope of vulnerabilities