*36C3 preroll music*

Herald: The next speaker works as a security consultant at Payatu software labs, and he loves finding security flaws in the Microsoft Edge browser. And incidentally, this is the topic for this next talk. So please give a big round of applause to Nikhil Mittal.

*applause*

Nikhil Mittal: So, welcome to the talk: Breaking Microsoft Edge Extensions Security Policies. My name is Nikhil, I work at Payatu Labs, and I am into web browser vulnerability research. So to start with this presentation, I would like to know how many of you use browser extensions in general, like... Oh, nice. So many of us. OK. So a browser extension is something that extends the functionality of your web browser. We have typical examples like Adblock Plus, which I think most people use to block the ads on certain sites like YouTube, and Grammarly, and some sort of password managers as well. So these extensions are capable of managing most of your data because they can handle the cookies, bookmarks, storage, passwords, history and what not. So that being said, we all have to agree on a point that these extensions are powerful, because they can deal with your cookies, bookmarks and other sensitive information in the browser. So here is how a simple AdBlock Plus extension looks on Microsoft Edge, which is pretty much doing its job. Now.
Have you ever tried to figure out what this extension is capable of doing in your browser? So if you look at the settings, here we have a couple of permissions, which I've listed on the next slide. So this simple Adblock Plus extension can read and change content on websites that you visit. It can read and change your favorites. It can see the websites you visit. It can read and change anything you send or receive. And it can also store personal browsing data on your browser, and it can also display notifications as well. So there are so many things a simple Adblock Plus extension is able to do in your browser. So you might ask how browsers recognize these permissions, like an extension is able to do so many things in my browser, but how does the browser recognize where these permissions are coming from? So here is the permission model of browser extensions. Under the source of every extension, we have a file called manifest.json, and inside the manifest.json file we have a permissions area. So here's a quick example of a permissions area, where we have some permissions. So the first one is https://www.google.com, which we'll see right after this slide. The next permissions we have are bookmarks and cookies, history, storage and tabs. So let's suppose an extension has permissions for bookmarks and cookies. That means the extension can handle your bookmarks. It can manipulate them. It can edit them.
It can remove them and what not. So the same goes with the cookies and history as well. And there are other important permissions available for the browsers as well. So apart from these permissions, the most interesting permission that I was looking for is the host access permission. So the host access permission is something that defines on which certain domains your browser extension should be able to run. So in this case, let's suppose we have assigned a permission for https://www.google.com. That means this extension should be able to run on google.com only, not even on a subdomain like developer.google.com or mail.google.com. So this you can also verify with the tiny box that says this is allowed to read and change content on some sites: www.google.com. Now the second permission we could have here is https://*.google.com. So basically this also covers the subdomains as well. And the third possible permission we can have is *://*.google.com. So basically now it will work not only on google.com, but on all the protocols as well, which is HTTP, HTTPS, maybe FTP, that belong to the particular domain. So apart from these three permissions, we have another permission in the roll, which is <all_urls>. This permission is so special because once a browser extension is assigned the <all_urls> permission, it can execute JavaScript code on every domain that you visit.
So let's suppose you are on google.com, or maybe you're on bing.com or anything else, it will work most probably on every domain. But there are a few restrictions with the <all_urls> permission. That is, it cannot run on privileged pages. So privileged pages in a browser are something that contain some sort of sensitive settings of your browser data, so you might have heard of chrome://settings, which contains the password manager for Chrome. And also you can find the credit card and debit card information on chrome://settings as well. So you can imagine a situation: once the extension is able to run JavaScript code on the Chrome settings page, then it can probably read, or it can steal, all of your passwords and credit and debit card information as well. So on Edge, we have a similar page, which is about:flags. So here you can see one extension with the <all_urls> permission assigned. It can read and change content on websites you visit, as for Edge. So here's a quick snap of about:flags in Edge. And so if you look at the first part, you will figure out there are a few embedded permissions. Like you can enable Adobe Flash Player. You can also enable developer features. And also you can enable and disable allowing unrestricted memory consumption for the web pages as well. And it also has some standard preview features, like you can enable / disable some experimental JavaScript features as well.
So now you can imagine the sensitivity of what this page contains, okay? So let's quickly build an extension that will break most of the things in Edge. So as I said, every extension has a manifest.json file which has all the permissions and other configuration. The second file that we will be needing is popup.html. So popup.html is nothing but the interface for the browser extension. So basically you might have noticed, as soon as you click on any browser extension, a popup appears on your window that contains some sort of functions. That is nothing but just a popup.html file. And then again we have a popup.js which has all the JavaScript code that executes according to the actions chosen in popup.html. So this is how our extension should have looked on Edge. So we have seen a tiny Microsoft logo, and as soon as you click on it, a popup will appear. It says, I am the evil extension, and I have two options. The first one is open. The second one is execute. So as soon as you click on the open button, what it does is it will load google.com in the browser. And as soon as you click on the execute button, it will just alert(1) for you. So basically the interface is written in popup.html. And again, as soon as you click on execute, the work is done by popup.js. So let's quickly look at the source code for the manifest.json file.
The thing to notice here is that you can figure out the permissions area on line number 10, which is set to http://www.google.com. That means it's clear that this extension should be able to run on google.com only, I mean not even on the subdomains. So here's the source code for popup.html, which is just a simple HTML file that has two buttons. The first one is open, the second one is execute. And it has popup.js at the end. So here we have popup.js. In a very brief manner, what it does is: as soon as you click on the open button, it loads google.com. And as soon as you click on the execute button, it calls the JavaScript. It alerts document.domain for you. So there are so many APIs available for browser extensions that you can use, like the history API and some sort of proxy API, tabs API. But for me this tabs API was so interesting because it allows you to play with different tabs, like it has some functions, methods inside, like tabs.create. So what it does is it allows you to create a new tab with any arbitrary domain, and it also has tabs.update. And what it does is it allows you to update the page with the next URI. And tabs.duplicate is also important because it allows you to make an exact replica of an already open tab. The next method is tabs.executeScript. So this is pretty simple. This allows you to execute JavaScript code. And tabs.hide and tabs.reload, which are pretty easy.
And there are so many other methods as well. So out of them, the most interesting ones for me were create and update and also the duplicate method. So let's say if you want to load a new... So let's say if you want to load bing.com in a new tab using a browser extension, you can just write these five lines of code that call browser.tabs.create, and then it passes a URL which is https www.google.com. So this is as far as the documentation goes, and this is for the good boys, like not for us. So as an evil mind, I was interested to know what would happen if I tried to load local files instead of a normal domain? So then I replaced the bing URL with a particular local file URI to try to figure out how the browser will treat it. Will it open it or not? So the next moment Edge gives me this nice error. Like, ok, I can't reach this page and make sure you have got the right web address. That is ms-browser-extension and then the path for the extension, and it appends the file URI part at the end. So basically it assumes that this is a relative path, and I'm going to add it to the extension path and I'm going to try and open it. So since that particular path doesn't exist, it gives us an error. So this is not a thing with the extension as well. But this is in general, like any of the browsers.
They don't allow you to load local files at any cost because this might lead to an issue to steal your local system's files, so you can see the image in the Edge and Chrome browsers. So here I am trying to load local files using JavaScript. So every time it says okay, we are not allowed to do that because we care about our users and we will protect them. So since we figured out this browser.tabs.create method was not working for us, the next method that I was looking at was update. So I tried the same thing with the update method and somehow it worked for me. So next, once I figured out, okay, now I can load the local files, now I want to load the privileged pages because they're also interesting for me. And it was also working fine for me at the moment. So here you can see as well, as you click on the open button the browser loads, say, a local file for me and also a privileged page on Edge. So I reported this back to Microsoft, and they quickly responded back to me saying we don't support the download API. So even if you load the local files, you have no way to steal them. Like, you literally cannot do anything by loading the local files. And we are not going to fix it. So I said, okay, let's do it another way. So the next moment the idea that came to my mind is to use the JavaScript URI. A JavaScript URI is something that starts with the javascript protocol.
It has a particular syntax, like first javascript and then a colon and then the JavaScript code. Here we have a simple example: as soon as the <a href="javascript:alert(1)"> link gets rendered in the browser and you click on the test, JavaScript code will pop up in your browser. So the good thing about the JavaScript URI is that they execute in the main domain's reference, unlike the data URIs. So you can look into the image. We have the javascript URI and the data URI as well, that point to alert(document.domain). And the JavaScript URI says I'm on htmleditor.squarefree.com, while the data URI says the null domain. So basically the data URI was supposed to execute in the main domain's reference a couple of years back, but then it created a lot of mess with the browser. So browser vendors decided to execute it in the null domain reference just to make it safe. So at this point of time I decided, ok, JavaScript URIs are like the best candidate for us, so why not try it? So I've tried the same JavaScript URI with browser.tabs.create and again, it doesn't work for me. But again, we have a friend called the update method. I tried the same thing with the JavaScript URI that points to browser.tabs.update, which again calls javascript:alert(document.domain). And it worked for me this time. So you can figure it out with this picture. This extension should have been able to run on google.com.
Now we are on bing.com, and if you click on the open button, we have JavaScript code execution on bing.com. This is how bad it was, because that's a total violation of privacy, because the user believes that this extension shouldn't be able to run on any other domain except google.com. So this was again reported to Microsoft saying, okay, so the last time I reported that I'm able to load the local files, but you said you're not going to fix it. And now we have JavaScript code execution as well. So then again, they said: Okay, like we got your concern. We understand what you're trying to say, but can you also alert the user's cookies as well? Like, is it possible to steal the user's cookies? Then I said, okay, why not? So instead of document.domain, you can just use document.cookie to pop up the user's cookies as well. So, since we have a host access permission bypass on Edge, we can steal Google e-mails, even Facebook data or anything like that. So to demonstrate this attack, let's suppose we have a simple Google e-mail. It says, I'm a secret e-mail and I have some coupon code for a thousand dollar cashback. And then there we have some random coupon code. So to demonstrate this attack, you can see I'm using browser.tabs.update that points to a certain JavaScript URI, and what it does is it fetches the particular e-mail with the particular ID and opens a new tab and sends it to leak.html.
And further, what leak.html does is it copies the value from location.hash and writes it onto the page. So as soon as you click on the open button, if you are on mail.google.com, it will steal the particular e-mail and display it back on the attacker's domain. So this is how I was able to steal the Google e-mails. So this proof of concept was sent to Microsoft, and the same thing with the local files as well. Like I thought, okay, now it's working for the domain. Now what if we tried the same thing with the local files as well? So yeah, in this case it worked as well. So if you remember, in the past we were able to load local files, but Microsoft said, OK, we are not going to fix it because we don't support the download API. And now we have JavaScript code execution on local files as well. So we can chain both of these bugs to steal the local files as well. So here's a simple proof of concept. So at first what we are doing is browser.tabs.update that points to a file URI. And again, browser.tabs.update that points to a javascript URI. So Microsoft was like, OK, now we have to fix it. But what is next? So so far we have JavaScript code execution on local files. We also have a host access permission bypass. Now what is next? So the next thing that came to my mind is always the privileged pages, as I already explained the sensitivity of the privileged pages.
So the next moment I was so excited that this will work on the privileged pages as well. So again, I wrote these five lines of code and tried to execute in reference to about:flags. And surprisingly, it wasn't working for me. And I was so surprised, like why is this not working, and like shaking my head, like, what is wrong? So the next moment I was trying to figure out what is wrong with this implementation, like why it is not working. Maybe there are some errors in the console. So I tried to open the developer console to figure out the possible errors. But you can see there are no such errors at all. So the reason for that is most of the pages, like the sensitive pages in browsers like Chrome, Firefox and even in Edge, are protected by CSP to make sure there shouldn't be any JavaScript code execution. But we cannot see any CSP errors here as well, which was pretty strange for me. So then again, I asked myself, like, why is this black magic not working on privileged pages, even when we don't have the CSP error? Maybe this time Edge is playing smart. Do we have any other way to load about:flags in Edge? Then the next idea that came to my mind is to use the res protocol. So the res protocol is something that is used to fetch some sort of resources from a module. So instead of about:flags, we can call res://edgehtml.dll/flag.htm and the next moment it worked. So...
*applause*

Mittal: So this way we now have JavaScript code execution on privileged pages as well, which is pretty bad. So once you have JavaScript code execution on privileged pages, you can enable and disable Adobe Flash Player, and there are other methods, other possible options which we have already discussed, that can also be possible with the same thing. So again, what we need to do is to call browser.tabs.update that points to edgehtml.dll/flags.htm. And again, some sort of javascript URI to fetch, get element by ID and then click on it. So it will toggle the Adobe Flash Player setting on Edge. Again, what is next? So this was pretty enough for me. But again, I was trying to figure out if we can do something else as well. And then I started with the reading mode. So reading mode is a feature implemented in Edge, which renders a page in a way that is kind of pretty easy to read. So in this process, Edge makes sure that there shouldn't be any JavaScript code execution on the page. The main purpose of reading mode is to provide a simplified page to the users. So basically there should not be any advertisement or something like that. So for that reason, browser vendors make sure there shouldn't be any JavaScript code execution in reading mode.
And there was one bug with the reading mode as well. Like, you cannot put any document in reader mode unless the browser has identified its compatibility. But you can put the read: protocol in the first place and then the URL that points to some sort of domain, and then Edge will load the particular resource in reading mode as well. So fortunately, I tried the same attack on reading mode as well. But since reading mode was protected with a certain CSP, you can see the CSP error. It says we do not allow inline script, and it really got blocked by Edge. So reading mode was kind of safe, at least for the test cases, but in some certain test cases it worked for me, but I was not able to reproduce it further. So that's why I marked it as safe. The other possible feature we can have is JavaScript code execution on other extension pages. Like again, you can imagine a situation when one extension is able to disable another extension in the browser, like how bad it will be. So again, now we are on an internal page that belongs to Adblock Plus. And if we tried to run our extension on this page, then again we have CSP violation issues. So that was safe. The next thing was some CSP privilege issues, because the host permission will not work if there is any CSP error.
So next, I tried to figure out if we can use the executeScript API to figure out how to deal with the CSP. So let's assume we have a page where the CSP is implemented properly and we have a host permission for the same. So you can see the code where we are saying the Content-Security-Policy, which is set to default-src 'self'. And we are using browser.tabs.executeScript with this code, and then we have to pass the JavaScript code, which is a simple alert(document.domain). So the way extensions deal with the CSP is that most of the browsers will allow JavaScript from any extension unless it tries to change the DOM tree of the particular document. So let's suppose we have the first example right here. In this case, as I said, let's assume we are on a page which has a perfect CSP in place like this, and we try to change the DOM for that particular page. So the possible ways we have is either we can use document.write, or we can use document.body.innerHTML and then insert the JavaScript code. And then the other possible way we have is to generate a random element and then write inside it.
So all these ways to manipulate the particular DOM tree on a CSP protected page were not allowed by most of the browsers like Firefox and Chrome, but it was not protected in the case of Edge, like the executeScript API is as straightforward as executing any JavaScript code on any domain, whether you tried to change the DOM on a CSP protected page or not. Like it doesn't matter for it. So to conclude with this presentation: Edge extensions are still in development. Most of the APIs are not supported till the time, because Edge has moved to the new Chromium based browser as well. So I'm not sure whether they have started developing the extensions API or not, but activeTab is one of the interesting permissions to work on because it allows you to execute JavaScript code on the current domain. So if you are able to perform the same sort of attack as with the tabs API as well, pretty much you can have all of what I presented here as well. So Microsoft finally decided to fix this bug in the March '19 update with the highest possible bounty they have, with CVE-2019-0678. Now, that's it.

Herald: So thank you, Nikhil, for an interesting talk. If you have questions about the talk, we have three microphones, one, two and three, in each one of the aisles. If you have a question, please come to the microphone. We'll start from microphone number three.

Question: Hi.
And thank you for the interesting talk. I have one question. Is this bug or is this API also relevant for the new Edge coming in January based on the Chromium engine?

Mittal: No, I guess. So the APIs are the same, but since the new Edge is running on Chrome, they will not support this API because they use some other calling conventions, I guess, I believe. Does that answer your question?

Q: Yeah. But I have a second one.

Herald: Yeah. Go for it.

Q: Okay. And the second one is you tried to open the pages via the res protocol. But the functionality of those pages, is it also handled by Edge while opening it through the res protocol, not the about protocol?

Mittal: Yes, I guess.

Q: Okay. They were also working?

Mittal: Yeah.

Q: Okay. Thank you.

Herald: Any more questions from the crowd or from the internet? Okay. Then another round of applause for Nikhil for a great talk.

*36c3 outro music*