*36C3 preroll music*

Herald: The next speaker works as a security consultant at Payatu software labs, and he loves finding security flaws in the Microsoft Edge browser. And incidentally, this is the topic for this next talk. So please give a big round of applause to Nikhil Mittal.

*applause*

Nikhil Mittal: So, welcome to the talk: Breaking Microsoft Edge Extensions Security Policies. My name is Nikhil, I work at Payatu Labs. And I am into web browser vulnerability research. So to start with this presentation, I would like to know how many of you use browser extensions in general, like... Oh, nice. So many of us. OK. So a browser extension is something that extends the functionality of your web browsers. We have typical examples like Adblock Plus, which I think most of the people use to block the ads on certain sites like YouTube. And Grammarly and some sort of password managers as well. So these extensions are capable of managing most of your data because they can handle the cookies, bookmarks, storage, passwords, history and what not. So that being said, we all have to agree on a point that these extensions are powerful, because they can deal with your cookies, bookmarks and other sensitive information in the browsers. So here is how a simple AdBlock Plus extension looks on Microsoft Edge, which is pretty much doing its job. Now.
Have you ever tried to figure out what this extension is capable of doing in your browser? So if you look at the settings, here we have a couple of permissions, which I've listed on the next slide. So this simple Adblock Plus extension can read and change content on websites that you visit. It can read and change your favorites. It can see the websites you visit. It can read and change anything you send or receive. And it can also store personal browsing data on your browser, and it can also display notifications as well. So there are so many things a simple Adblock Plus extension is able to do in your browser. So you might ask how browsers recognize these permissions, like an extension is able to do so many things in my browser. But how does the browser recognize where these permissions are coming from? So here is the permission model in browser extensions. So under the source of every extension, we have a file called manifest.json, and inside of the manifest.json file we have a permission area. So, here's a quick example of a permission area, where we have some permissions. So the first one is https://www.google.com, which we'll see right after this slide. The next permissions we have are bookmarks and cookies, history, storage and tabs. So let's suppose an extension has permissions for bookmarks and cookies. So that means that extension can handle your bookmarks. It can manipulate them. It can edit them. It can remove them and what not.
So the same goes with the cookies, history as well. And there are other important permissions available for the browsers as well. So apart from these permissions, the most interesting permission that I was looking for is the host access permission. So the host access permission is something that defines on which certain domains your browser extension should be able to run. So in this case, let's suppose we have assigned a permission to https://www.google.com. So that means this extension should be able to run on Google.com only, not even the subdomains, that is developer.google.com or mail.google.com. So this you can also verify with the tiny box that says this is allowed to read and change content on some sites: www.google.com. Now the second permission we could have here is https://*.google.com. So basically this also covers the subdomains as well. And the third possible permission we can have is *://*.google.com. So basically this will now work not only on google.com, but basically on all the protocols as well, which is HTTP, HTTPS, might be FTP, that belong to the particular domain. So apart from these three permissions, we have another permission in the row, which is <all_urls>. This permission is so special because once a browser extension is assigned the all_urls permission, it can execute Javascript code on every domain that you visit.
So let's suppose you are on google.com or maybe you're on bing.com or anything else, it will work most probably on every domain. But there are a few restrictions with the all_urls permission. That is, it cannot run on privileged pages. So a privileged page in a browser is something that contains some sort of sensitive settings on your browser data, so you might have heard of chrome://settings, which contains the password manager for Chrome. And also you can identify the credit card and debit card information on chrome://settings as well. So you can imagine a situation: once the extension is able to run Javascript code on the Chrome settings page, then it can probably read, or it can steal, all of your passwords and credit and debit card information as well. So on Edge, we have a similar page, which is about:flags. So here you can see one extension with the <all_urls> permission assigned. It can read and change content on websites you visit. As for Edge, so here's a quick snap of about:flags in Edge. And so if you look at the first part, you will figure out there are a few embedded permissions. Like you can enable Adobe Flash Player. You can also enable developer features. And also you can enable and disable "allow unrestricted memory consumption" for the web pages as well. And it also has some standard preview features, like you can enable / disable some experimental Javascript features as well. So now you can imagine what the sensitivity of this page contains, okay?
So let's quickly build an extension that will break most of the things in Edge. So as I said, every extension has a manifest.json file which has all the permissions and other configurations. The second file that we will be needing is popup.html. So popup.html is nothing but just the interface for the browser extension. So basically you might have noticed, as soon as you click on any of the browser extensions, a pop up appears on your window that contains some sort of functions. That is nothing but just a popup.html file. And then again we have a popup.js which has all the Javascript code that executes according to the actions chosen by the popup.html. So this is how our extension should have looked. And on Edge, so we have seen a tiny Microsoft logo, and as soon as you click on it, a popup will appear. It says, I am the evil extension and I have two options. The first one is open. The second one is execute. So as soon as you click on the open button, what it does is it will load google.com on the browser. And as soon as you click on the execute button, it will just alert(1) for you. So basically the interface is written in popup.html. And again, as soon as you click on execute, the work is done by popup.js. So let's quickly look at the source code for the manifest.json file. The thing to notice here is that you can figure out the permission area on line number 10, which is set to http://www.google.com.
That means it's clear that this extension should be able to run on google.com only. I mean not on the subdomains even. So here's the source code for the popup.html, which is just a simple HTML file that has two buttons. The first one is open, the second one is execute. And it has popup.js at the end. So here we have the popup.js. So in a very brief manner, what it does is as soon as you click on the open button, it loads google.com. And as soon as you click on the execute button, it calls the JavaScript. It alerts document.domain for you. So there are so many APIs available for the browser extensions that you can use, like the history API and some sort of proxy API, tabs API. But for me this tabs API was so interesting because it allows you to play with different tabs, like it has some functions, methods inside, like tabs.create. So what it does is it allows you to create a new tab with any arbitrary domain, and it also has tabs.update. And what it does is it allows you to update the page with the next URI. And tabs.duplicate is also important because it allows you to make an exact replica of an already open tab. The next method is tabs.executeScript. So this is pretty simple. This allows you to execute JavaScript code. And tabs.hide and tabs.reload, which are pretty easy. And there are so many other methods as well. So out of them, the most interesting ones for me were create and update and also the duplicate method. So let's say if you want to load a new.
So let's say if you want to load bing.com on a new tab using a browser extension, so you can just write these five lines of code that call browser.tabs.create. And then it passes a URL which is https www.google.com. So this is as far as the documentation, and this is for the good boys, like not for us. So as an evil mind, I was interested to know what would happen if I tried to load local files instead of a normal domain. So then I replaced the bing URL with a particular local file URI to try to figure out how the browser will treat it. Will it open it or not? So the next moment Edge gives me this nice error. Like, ok, I can't reach this page and you make sure you have got the right web address. That is ms-browser-extension and then the path for the extension, and it appends the file URI part at the end. So basically it assumes that this is a relative path and I'm going to add it with the extension path and I'm going to try and I'm going to open it. So since that particular path doesn't exist, it gives us an error. So this is not a thing with the extension as well. But this is in general like any of the browsers. They don't allow you to load local files at any cost, because this might lead to an issue to steal your local system's files, so you can see the image in the Edge and Chrome browsers. So here I am trying to load local files using the Javascript. So every time it says okay, we are not allowed to do that because we care about our users and we will protect them.
So since we figured out this browser.tabs.create method was not working for us, the next method that I was looking for was the update. So I tried the same thing with the update method and somehow it worked for me. So next, once I figured out, okay, now I can load the local files, now I want to load the privileged pages because they're also interesting for me. And it was also working fine for me at the moment. So here you can see, as soon as you click on the open button, the browser loads a local file for me and also a privileged page on Edge. So I reported this back to Microsoft, and they quickly responded back to me saying we don't support the download API. So even if you load the local files, you have no way to steal it. Like, you literally cannot do anything by loading the local files. And we are not going to fix it. So I said, okay, let's do it another way. So the next moment the idea that came to my mind is to use the JavaScript URI. A JavaScript URI is something that starts with the Javascript protocol. It has a particular syntax, like first javascript and then a colon and then the Javascript code. Here we have a simple example: as soon as the a href javascript:alert(1) gets rendered in the browser and you click on the test, a Javascript code will pop up on your browser. So the good thing about the JavaScript URI is that they execute in the main domain's reference, unlike the data URIs. So you can look into the image.
We have the javascript URI and the data URI as well, that point to alert document.domain. And the Javascript URI says I'm on htmleditor.squarefree.com, while the data URI says the null domain. So basically the data URI was supposed to execute on the main domain's reference a couple of years back, but then it created a lot of mess with the browser. So browser vendors decided to execute it in the null domain reference just to make it safe. So at this point of time I decided, ok, Javascript URIs are like the best candidate for us, so why not try it? So I tried the same Javascript URI with browser.tabs.create and again, it didn't work for me. But again, we have a friend called the .update method. I tried the same thing with the JavaScript URI, that points to browser.tabs.update, which again calls javascript:alert(document.domain). And it worked for me this time. So you can figure it out with this picture. This extension should have been able to run on google.com only. Now we are on bing.com and if you click on the open button, we have Javascript code execution on bing.com. This is how bad it was, because that's a total violation of the privacy, because the user believes that this extension shouldn't be able to run on any other domain except google.com. So this was again reported to Microsoft saying, okay. So the last time I reported that I'm able to load the local files, but you said I'm not going to fix it.
And now we have JavaScript code execution as well. So then again, they said: Okay, like we got your concern. We understand what you're trying to say, but can you also alert users' cookies as well? Like, is it possible to steal the user's cookies? Then I said, okay, why not? So instead of document.domain, you can just use document.cookie to pop up users' cookies as well. So, since we have a host access permission bypass on Edge, we can steal Google e-mails, even Facebook data or anything like that. So to demonstrate this attack, let's suppose we have a simple Google e-mail. It says, I'm a secret e-mail and I have some coupon code for a thousand dollar cashback. And then there we have some random coupon code. So to demonstrate this attack, you can see I'm using browser.tabs.update that points to a certain Javascript URI, and what it does is it fetches the particular e-mail with the particular ID and opens a new tab and sends it to leak.html. And further, what leak.html does is it copies the value from location.hash and writes it onto the page. So as soon as you click on the open button, if you are on mail.google.com, it will steal the particular e-mail and display it back on the attacker's domain. So this is how I was able to steal the Google e-mails. So this proof of concept was sent to Microsoft, and the same thing with the local files as well. Like I thought, okay, now it's working for the domain.
Now what if we tried the same thing with the local files as well? So yeah, in this case it worked as well. So if you remember, in the past we were able to load local files, but Microsoft said, OK, we are not going to fix it because we don't support the download API. And now we have Javascript code execution on local files as well. So we can chain both of these bugs to steal the local files as well. So here's a simple proof of concept. So at first what we are doing is browser.tabs.update that points to a file URI. And again, browser.tabs.update that points to a javascript URI. So Microsoft was like, OK, now we have to fix it. But what is next? So so far we have Javascript code execution on local files. We also have the host access permission bypass. Now what is next? So the next thing that came to my mind is always the privileged pages, as I already explained the sensitivity of the privileged pages. So the next moment I was so excited that this will work on the privileged pages as well. So again, I wrote these five lines of code and tried to execute it in reference to about:flags. And surprisingly, it wasn't working for me. And I was so surprised, like why is this not working, and like shaking my head, like, what is wrong? So the next moment I was trying to figure out what is wrong with this implementation, like why it is not working. Maybe there are some errors in the console.
So I tried to open the developer console to figure out the possible errors. But you can see there are no such errors at all. So the reason for that is most of the pages, like the sensitive pages in the browsers like Chrome, Firefox and even in Edge, are protected by the CSP to make sure there shouldn't be any JavaScript code execution. But we cannot see any CSP errors here as well, which was pretty strange for me. So then again, I asked myself, like, why is this black magic not working on privileged pages? Even when we don't have the CSP error, maybe this time Edge is playing smart. Do we have any other way to load about:flags in Edge? Then the next idea that came to my mind is to use the res protocol. So the res protocol is something that is used to fetch some sort of resources from a module. So instead of about:flags, we can call res://edgehtml.dll/flag.htm and the next moment it worked. So...

*applause*

Mittal: So this way we now have Javascript code execution on privileged pages as well, which is pretty bad. So once you have Javascript code execution on privileged pages, you can enable and disable Adobe Flash Player, and there are other methods, other possible options which we have already discussed, that can also be possible with the same thing. So again, what we need to do is to call browser.tabs.update that points to edgehtml.dll/flags.htm.
And again, a file, again some sort of javascript URI to fetch, get element by ID and then click on it. So it will toggle the Adobe Flash Player setting on Edge. Again, what is next? So this was pretty enough for me. But again, like I was trying to figure out if we can do something else as well. And then I started with the reading mode. So reading mode is a feature implemented in Edge, which renders a page in a way that is kind of pretty easy to read. So in this process, Edge makes sure that there shouldn't be any Javascript code execution on the page. The main purpose of reading mode is to provide a simplified page to the users. So basically there should not be any advertisement or something like that. So for that reason, browser vendors make sure there shouldn't be any Javascript code execution in reading mode. And there was one bug with the reading mode as well, like you cannot put any document in the reader mode until unless the browser identifies its compatibility. But you can put the read: protocol first and then the URL that points to some sort of domain, and then Edge will load the particular resource in reading mode as well. So fortunately, I tried the same attack on the reading mode as well. But since the reading mode was protected with a certain CSP, you can see the CSP error. It says we do not allow inline script and it really got blocked by Edge.
So reading mode was kind of safe, at least for the test cases, but in some certain test cases it worked for me, but I was not able to reproduce it further. So that's why I marked it as safe. The other possible feature we can have is the Javascript code execution on other extension pages. Like again, you can imagine a situation when one extension is able to disable another extension in the browser, like how bad it will be. So again, now we are on an internal page that belongs to Adblock Plus. And if we tried to run our extension on this page, then again, we have CSP violation issues. So that was safe. The next thing was some CSP privilege issues, because the host permission will not work if there is any CSP error. So next, I tried to figure out if we can use the execute script API to figure out how to deal with the CSP. So let's assume we have a page where the CSP is implemented properly and we have a host permission for the same. So you can see the code where we are setting the content security policy, which is set to default-src self. And we are using browser.tabs.executeScript with this code, where we have to pass the JavaScript code, which is a simple alert(document.domain). So the way extensions deal with the CSP is that most of the browsers will allow Javascript from any extension until unless they try to change the DOM tree of the particular document.
So let's suppose we have the first example right here. In this case, as I said, let's assume we are on a page which has a perfect CSP in place like this. And we tried to change the DOM for that particular page. So the possible ways we have are: either we can use document.write, or we can use document.body.innerHTML and then insert the Javascript code. And then the other possible way we have is to generate a random element and then write inside it. So all these ways to manipulate the particular DOM tree on a CSP protected page were not allowed by most of the browsers like Firefox and Chrome, but it was not protected in the case of Edge, like the executeScript API is as straightforward as executing any Javascript code on any domain, whether you tried to change the DOM on a CSP protected page or not. Like it doesn't matter for it. So to conclude with this presentation, Edge extensions are still in development. Most of the APIs are not supported till this time, because Edge has moved to the new Chromium based browser as well. So I'm not sure whether they have started developing the extensions API or not, but ActiveTab is one of the interesting permissions to work on because it allows you to execute Javascript code on the current domain. So if you are able to perform the same sort of attack as with the tabs API as well, then pretty much you can have all what I presented here as well.
So Microsoft finally decided to fix this bug in the March 19 update with the highest possible bounty they have, with CVE-2019-0678. Now, that's it.

Herald: So thank you, Nikhil, for an interesting talk. If you have questions about the talk, we have three microphones, one, two and three, in each one of the aisles. If you have a question, please come to the microphone. We'll start from microphone number three.

Question: Hi. And thank you for the interesting talk. I have one question. Is this bug or is this API also relevant for the new Edge coming in January, based on the Chromium engine?

Mittal: No, I guess. So the APIs are the same, but since the new Edge is running on Chrome, they will not support this API because they use some other calling conventions, I guess, I believe. Does that answer your question?

Q: Yeah. But I have a second one.

Herald: Yeah. Go for it.

Q: Okay. And the second one is you tried to open the pages via the res protocol. But the functionality of those pages, is it also handled by Edge while opening it through the res protocol, not the about protocol?

Mittal: Yes, I guess.

Q: Okay. They were also working?

Mittal: Yeah.

Q: Okay. Thank you.

Herald: Any more questions from the crowd or from the internet? Okay. Then another round of applause for Nikhil for a great talk.

*36c3 outro music*