< Return to Video

36C3 - Breaking Microsoft Edge Extensions Security Policies

  • 0:00 - 0:00
    *36C3 preroll music*
  • 0:00 - 0:23
    Herald: The next speaker works as a
    security consultant at Payatu software
  • 0:23 - 0:28
    labs, and he loves finding security flaws
    in the Microsoft Edge browser. And
  • 0:28 - 0:33
    incidentally, this is the topic for this
    next talk. So please give a big round of
  • 0:33 - 0:35
    applause to Nikhil Mittal.
  • 0:35 - 0:35
    *applause*
  • 0:35 - 0:50
    Nikhil Mittal: So, welcome to the talk:
    Breaking Microsoft Edge Extensions
  • 0:50 - 0:56
    Security Policies. My name is Nikhil, I
    work at Payatu Labs. And I am into web
  • 0:56 - 1:01
    browser vulnerability research. So to
    start with this presentation, I would like
  • 1:01 - 1:07
    to know how many of you uses browser
    extensions in general, like... Oh, nice.
  • 1:07 - 1:14
    So many of us. OK. So a browser extension
    is something that extends the
  • 1:14 - 1:19
    functionality of your web browsers. We
    have a typical examples like Adblock Plus,
  • 1:19 - 1:26
    which I think most of the people uses to
    block the ads on some certain sites like
  • 1:26 - 1:32
    YouTube. And Grammarly and some sort of
    password managers as well. So these
  • 1:32 - 1:38
    extensions are capable of managing most of
    your data because they can handle the
  • 1:38 - 1:44
    cookies, bookmarks, storage, passwords,
    history and what not. So that being said,
  • 1:44 - 1:50
    we all have to agree on a point that these
    extensions are powerful, because they can
  • 1:50 - 1:55
    deal with your cookies, bookmarks and
    other sensitive information in the
  • 1:55 - 2:04
    browsers. So here is how simple AdBlock
    Plus extension looks like on Microsoft
  • 2:04 - 2:11
    Edge, which is pretty much doing its job.
    Now. Have you ever tried to figure out
  • 2:11 - 2:18
    what this extension is capable of doing in
    your browser? So if you look at the
  • 2:18 - 2:23
    settings. Here we have a couple of
    permissions, which I've listed down on the
  • 2:23 - 2:30
    next slide. So it's simple Adblock Plus
    extension, can read and change content on
  • 2:30 - 2:35
    websites that you visit. It can read and
    change your favorites. It can see the
  • 2:35 - 2:39
    websites you visit. It can read and change
    anything you send or receive. And it can
  • 2:39 - 2:44
    also store personal browsing data on your
    browser and it can also display
  • 2:44 - 2:51
    notifications as well. So there are so
    many things a simple Adblock Plus
  • 2:51 - 2:58
    extension can able to do in your browser.
    So you might ask like how browsers
  • 2:58 - 3:04
    recognize these permissions, like a
    extension is able to do so many things in
  • 3:04 - 3:08
    my browser. But how does browser recognize
    like where are these permissions coming
  • 3:08 - 3:17
    from? So here is a permission modeling
    browser extensions. So under the source of
  • 3:17 - 3:23
    every extensions, we have a file called as
    manifest.json and inside of manifest.json
  • 3:23 - 3:30
    file we have a permission area. So, here's
    a quick example of a permission area,
  • 3:30 - 3:37
    where we have some permissions. So the
    first one is a https://www.google.com,
  • 3:37 - 3:42
    which we'll see right after this slide.
    The next permission we have is bookmarks
  • 3:42 - 3:50
    and cookies, history, storage and tabs. So
    let's suppose an extension has a
  • 3:50 - 3:54
    permissions with the bookmarks and
    cookies. So that means that extension can
  • 3:54 - 4:00
    handle your bookmarks. It can manipulate
    them. It can edit them. It can remove them
  • 4:00 - 4:04
    and what not. So the same goes with the
    cookies, history as well. And there are
  • 4:04 - 4:13
    other important permissions as well
    available for the browsers. So apart from
  • 4:13 - 4:19
    these permissions, the most interesting
    permission that I was looking for is the
  • 4:19 - 4:23
    host access permissions. So the host
    access permission is something that
  • 4:23 - 4:28
    defines on which certain domains your
    browser extensions should able to run. So
  • 4:28 - 4:33
    in this case, let's suppose we have
    assigned a permissions to a
  • 4:33 - 4:40
    https://www.google.com. So that means this
    extension should able to run on Google.com
  • 4:40 - 4:45
    only, not even the subdomain that is
    developer.google.com or mail.google.com.
  • 4:45 - 4:51
    So this you can also verify with the tiny
    box that says this is allowed to read and
  • 4:51 - 4:58
    change content on some sites
    www.google.com. Now the second permission
  • 4:58 - 5:05
    we could have in this here is
    https://*.google.com. So basically this
  • 5:05 - 5:12
    also covers the subdomains as well. And
    the third possible permission we can have
  • 5:12 - 5:20
    is *://*.google.com. So basically this is
    now not only I'll work on google.com, but
  • 5:20 - 5:26
    basically on all the protocols as well,
    which is HTTP, HTTPS, might be FTP. That
  • 5:26 - 5:32
    belongs to the particular domain. So apart
    from these three permissions, we have the
  • 5:32 - 5:38
    another permission in the roll, which is
    . This permission is so special
  • 5:38 - 5:45
    because once a browser extension is
    assigned to all_urls permissions that can
  • 5:45 - 5:50
    execute Javascript code on every domain
    that you visit. So let's suppose you are
  • 5:50 - 5:55
    on google.com or maybe you're on bing.com
    or anything else it will work on most
  • 5:55 - 6:04
    probably on every domain. But there are
    few restrictions with the all_urls
  • 6:04 - 6:10
    permissions. That is, it cannot run on
    privileged pages. So if privileged pages
  • 6:10 - 6:16
    in browser is something that contains some
    sort of sensitive settings on your browser
  • 6:16 - 6:22
    data, so you might heard of
    chrome://settings, which contains the
  • 6:22 - 6:28
    password manager for Chrome. And also you
    can identify the credit card and debit
  • 6:28 - 6:34
    card information on chrome://settings as
    well. So you can imagine a situation once
  • 6:34 - 6:39
    the extension is able to run a Javascript
    code on Chrome setting page then it can
  • 6:39 - 6:44
    probably read, or it can steal all of your
    passwords and credit and debit card
  • 6:44 - 6:50
    information as well. So on the Edge, we
    have a similar page, which is about:flags.
  • 6:50 - 6:59
    So here you can see one extension with
    permission is assigned. It can
  • 6:59 - 7:06
    read and change content on websites you
    visit. As for the Edge. So here's a quick
  • 7:06 - 7:12
    snap of about:flags in Edge. And so if you
    look at the first part, you will figure
  • 7:12 - 7:17
    out there are a few embedded permissions.
    Like you can enable Adobe Flash Player.
  • 7:17 - 7:24
    You can also enable developer features.
    And also you can enable and disable allow
  • 7:24 - 7:29
    an unrestricted memory consumption for the
    Web pages as well. And it also has some
  • 7:29 - 7:34
    standard previews features, like you can
    enable / disable some experimental
  • 7:34 - 7:38
    Javascript features as well. So now you
    can imagine what the sensitivity of this
  • 7:38 - 7:46
    page contains, okay? So let's quickly
    build an extension. So that will break
  • 7:46 - 7:51
    most of the things in Edge. So as I said,
    every extension has a manifest.json file
  • 7:51 - 7:58
    which has all the permission and other
    configurations. The second file that we
  • 7:58 - 8:04
    will be needing is popup.html. So
    popup.html is nothing, but it's just
  • 8:04 - 8:08
    interface for the browser extension. So
    basically you might have noticed as soon
  • 8:08 - 8:13
    as you click on any of the browser
    extension, a pop up appears on your window
  • 8:13 - 8:19
    for that contain some sort of functions.
    That is nothing but just a popup.html
  • 8:19 - 8:25
    file. And then again we have a popup.js
    which has all the Javascript code that
  • 8:25 - 8:32
    executes according to the actions chosen
    by the popup.html. So this is how our
  • 8:32 - 8:39
    extension should have looked. And on the
    edge. So we have seen a tiny Microsoft
  • 8:39 - 8:45
    logo and as soon as you click on it, a
    popup will appear. It says, I am the evil
  • 8:45 - 8:50
    extension and I have two options. The
    first one is open. The second one is
  • 8:50 - 8:55
    execute. So as soon as you click on the
    open button, what it does is it will load
  • 8:55 - 9:00
    google.com on the browser. And as soon as
    you click on the execute button, it will
  • 9:00 - 9:05
    just alert(1) for you. So basically. So
    basically the interface is written in
  • 9:06 - 9:11
    popup.html. And again, as soon as you
    click on execute, so the work is done by
  • 9:11 - 9:17
    popup.js. So let's quickly look at the
    source code for the manifest.json file.
  • 9:17 - 9:24
    The thing to notice here is that you can
    figure out the permission area on line
  • 9:24 - 9:31
    number 10, which is set to
    http://www.google.com. That means it's
  • 9:31 - 9:36
    clear that this extension should be able
    to run on google.com only. I mean not on
  • 9:36 - 9:44
    the subdomains even. So here's the source
    code for the popup.html, which is just a
  • 9:44 - 9:48
    simple HTML file that has two buttons. The
    first one is open, the second one is
  • 9:48 - 9:56
    execute. And it has a popup.js at the end.
    So here we have the popup.js. So in very
  • 9:56 - 10:01
    brief manner. What it does is as soon as
    you click on the open button, it loads
  • 10:01 - 10:06
    google.com. And as soon as you click on
    the execute button, it calls the
  • 10:06 - 10:16
    JavaScript. It alerts document.domain for
    you. So there are so many APIs available
  • 10:16 - 10:21
    for the browser extensions that you can
    use like history API and some sort of
  • 10:21 - 10:28
    proxys API, tabs API. But for me this tabs
    API was so interesting because it allows
  • 10:28 - 10:36
    you to play with different tabs like it
    has some function, methods inside, like
  • 10:37 - 10:42
    tabs.create. So what it does is it allows
    you to create a new tab with any arbitrary
  • 10:42 - 10:49
    domain and it also has tabs.update. And
    what it does is it allows you to update
  • 10:49 - 10:54
    the page with the next URI. And
    tabs.duplicate is also important because
  • 10:54 - 11:01
    it allows you to make a exact replica of
    an already open tab. The next method is
  • 11:01 - 11:07
    tabs.executeScript. So this is pretty
    simple. This allows you to execute
  • 11:07 - 11:13
    JavaScript code and tabs.hide and
    tabs.reload, which is pretty easy. And
  • 11:13 - 11:19
    there are so many other methods as well.
    So out of them. The most interesting one
  • 11:19 - 11:24
    for me was create and update and also the
    duplicate method. So let's say if you want
  • 11:24 - 11:31
    to load a new. So let's say if you want to
    load bing.com on a new tab using a browser
  • 11:31 - 11:38
    extension so you can just write this five
    lines of code that calls
  • 11:38 - 11:45
    browser.tabs.create. And then it passes a
    URL which is https www.google.com. So this
  • 11:45 - 11:52
    is as far as the documentation and this is
    for the good boys like not for us. So as
  • 11:52 - 11:59
    an evil mind, like I was interested to
    know, like what would happen if I tried to
  • 11:59 - 12:05
    load local files instead of a normal
    domain? So then I replaced the bing URL
  • 12:05 - 12:13
    with a particular local file URI to try to
    figure out like how browser will treat it.
  • 12:13 - 12:19
    Will it open it or not? So so the next
    moment Edge gives me this nice error.
  • 12:19 - 12:25
    Like, ok, I can't reach this page and you
    make sure you have got the right web
  • 12:25 - 12:30
    address. That is ms-browser-extension and
    then the part for the extension and it
  • 12:30 - 12:35
    appends the file URI part in the last. So
    basically is assumes that this is a
  • 12:35 - 12:40
    relative path and I'm going to add it with
    the extension path and I'm going to try
  • 12:40 - 12:47
    and I'm going to open it. So since that
    particular path doesn't exist, it gives us
  • 12:47 - 12:55
    an error. So this is not a thing with the
    extension as well. But this is in general
  • 12:55 - 13:00
    like any of the browser. They don't allow
    you to load local files at any cost
  • 13:00 - 13:06
    because this might lead an issue to steal
    your local systems files so you can see
  • 13:06 - 13:10
    the image and the Edge and Chrome
    browsers. So here I am trying to load
  • 13:10 - 13:16
    local files using the Javascript. So every
    time it says okay, we are not allowed to
  • 13:16 - 13:23
    do that because we care about our users
    and we will protect them. So since we
  • 13:23 - 13:30
    figured out this browser.tabs.create
    method was not working for us, the next
  • 13:30 - 13:37
    method that I was looking for the update.
    So I tried the same thing with the update
  • 13:37 - 13:44
    method and somehow it worked for me. So
    next. Once I figured out, okay, now I can
  • 13:44 - 13:50
    load the local files. Now I want to load
    the privileged pages because they're also
  • 13:50 - 13:56
    interesting for me. And it was also
    working fine for me at the moment. So here
  • 13:56 - 14:01
    you can see as well as you click on the
    open button browser load, say local file
  • 14:01 - 14:08
    for me and also a privilege page on Edge.
    So I've reported this back to Microsoft,
  • 14:08 - 14:14
    but, and they quickly responded back to me
    saying we don't support download API. So
  • 14:14 - 14:19
    even if you load the local files, you have
    no way to steal it. Like, you literally
  • 14:19 - 14:24
    cannot do anything by loading the local
    files. And we are not going to fix it. So
  • 14:24 - 14:30
    I said, okay, let's do it another way. So
    the next moment the idea came to my mind
  • 14:30 - 14:36
    is to use the JavaScript URI. A JavaScript
    URI is something that start with the
  • 14:36 - 14:42
    Javascript protocol. It has a particular
    syntax like first javascript and then
  • 14:42 - 14:48
    colon and then the Javascript code. Here
    we have a simple examples like as soon as
  • 14:48 - 14:54
    the a href javascript:alert(1), it gets
    rendered in the browser and you click on
  • 14:54 - 14:59
    the test, a Javascript code will pop up on
    your browser. So the good thing about the
  • 14:59 - 15:06
    JavaScript URI is that they execute in the
    main domains reference unlike the data
  • 15:06 - 15:11
    URIs. So you can look into the image. We
    have javascript URI and the data URIs as
  • 15:11 - 15:16
    well, that points to alert
    document.domain. And one Javascript URI
  • 15:16 - 15:21
    says I'm on htmleditor.squarefree.com.
    While the data URI said the null domain.
  • 15:21 - 15:28
    So basically the data URI was supposed to
    execute on the main domains reference a
  • 15:28 - 15:33
    couple of years back, but then it creates
    a lot of mess with the browser. So browser
  • 15:33 - 15:39
    vendors they decided to execute in the
    null domain reference to just to make it
  • 15:39 - 15:45
    do the safe. So at this point of time I
    decided, ok Javascript URIs are like the
  • 15:45 - 15:53
    best candidate for us, so why not try it?
    So I've tried the same Javascript URI with
  • 15:53 - 16:04
    browser.tabs.create and again, it was, it
    doesn't work for me. But again, we have a
  • 16:04 - 16:11
    friend called dot update method. I tried
    the same thing with the JavaScript URI
  • 16:11 - 16:14
    that points to browser.tabs.update, which
    again calls
  • 16:14 - 16:20
    javascript:alert(document.domain). And it
    worked for me this time. So you can figure
  • 16:20 - 16:25
    it out with this picture. This extension
    should have able to run on Google dot com.
  • 16:25 - 16:30
    Now we are on a big dot com and if you
    click on the open button, we have a
  • 16:30 - 16:36
    Javascript code execution on bing.com.
    This is how bad it was, because that's a
  • 16:36 - 16:42
    total violation of the privacy, because
    the user believes that this extension
  • 16:42 - 16:48
    shouldn't be able to run on the other
    domain, except the google.com. So this was
  • 16:48 - 16:54
    again reported to the Microsoft saying,
    okay. So in the last time I reported like
  • 16:54 - 16:59
    I'm able to load the local files, but you
    said I'm not going to fix it. And now we
  • 16:59 - 17:05
    have a JavaScript code execution as well.
    So then again, they said: Okay, like we
  • 17:05 - 17:10
    got your concern. We understand what
    you're trying to say, but can you also
  • 17:10 - 17:17
    alert users's cookies as well? Like, is it
    possible to steal the user's cookies? Then
  • 17:17 - 17:21
    I said, okay, why not? So instead of
    document or domain, you can just use
  • 17:21 - 17:29
    document.cookie to pop up users cookies as
    well. So. Since we have host access
  • 17:29 - 17:37
    permission bypass on Edge so we can steal
    Google e-mails, even Facebook data or
  • 17:37 - 17:43
    anything like that. So to demonstrate this
    attack, let's suppose we have a simple
  • 17:43 - 17:48
    Google E-mail. It says, I'm a secret
    e-mail and I have some coupon code for
  • 17:48 - 17:53
    thousand dollar cashback. And then there
    we have some random coupon code. So to
  • 17:53 - 17:59
    demonstrate this attack, you can see I'm
    using browser.tabs.update that points to a
  • 17:59 - 18:06
    certain Javascript URI and what it does is
    it fetches the particular e-mail with the
  • 18:06 - 18:13
    particular ID and opens a new tab and send
    it to the leak.html. And further, what
  • 18:13 - 18:21
    leak.html does is it copies the value from
    location.hash and write it onto the page.
  • 18:21 - 18:28
    So as soon as you click on the open
    button, if you are on mail.google.com, it
  • 18:28 - 18:32
    will steal the particular e-mail and
    display it back on the attackers domain.
  • 18:32 - 18:38
    So this is how I was able to steal the
    google e-mails. So this proof of concept
  • 18:38 - 18:43
    was sent to the Microsoft and the same
    thing with the local files as well. Like I
  • 18:43 - 18:48
    thought, okay, now it's working for the
    domain. Now what if we tried with the same
  • 18:48 - 18:54
    thing with the local files as well? So
    yeah, in this case it was, it worked as
  • 18:54 - 18:59
    well. So if you remember in the last in
    the past when we were able to load local
  • 18:59 - 19:04
    files, but Microsoft says, OK, we are not
    going to fix it because we don't support
  • 19:04 - 19:09
    download API. And now we have a Javascript
    code execution on local files as well. So
  • 19:09 - 19:14
    we can chain both of these bugs to steal
    the local files as well. So here's a
  • 19:14 - 19:21
    simple proof of concept. So at first what
    we are doing is browser.tabs.update that
  • 19:21 - 19:27
    points to a file URI. And again,
    browser.tabs.update that points to a
  • 19:27 - 19:35
    javascript URI. So Microsoft was like, OK.
    Now we have to fix. But what is next? So
  • 19:35 - 19:43
    so far we have Javascript code execution
    on local files. We also have host access
  • 19:43 - 19:50
    permission bypass. Now what is next? So
    the next thing that came to my mind is
  • 19:50 - 19:55
    always the privilege pages, as I already
    explained the sensitivity of the
  • 19:55 - 20:01
    privileged pages. So the next moment I was
    so excited that this will work on the
  • 20:01 - 20:07
    privileged pages as well. So again, I
    wrote this five line of code and tried to
  • 20:07 - 20:12
    execute in reference to about:flags. And
    surprisingly, it was not, it wasn't
  • 20:12 - 20:17
    working for me. And I was so surprised,
    like why this is not working and like
  • 20:17 - 20:23
    shaking my head, like, what is wrong? So
    the next moment I was trying to figure out
  • 20:23 - 20:28
    what is wrong with this implementation,
    like why it is not working. Maybe there
  • 20:28 - 20:32
    are some errors in the console. So I try
    to open the developer console to figure
  • 20:32 - 20:37
    out the possible errors. But you can see
    there is no such errors at all. So the
  • 20:37 - 20:43
    reason for that is most of the pages like
    the sensitive pages in the browsers like
  • 20:43 - 20:48
    Chrome, Firefox and even in Edge are
    protected by the CSP to make sure there
  • 20:48 - 20:52
    shouldn't be any JavaScript code
    execution. But we cannot see any CSP
  • 20:52 - 20:57
    errors here as well, which was pretty
    strange for me. So then again, I asked to
  • 20:57 - 21:03
    myself, like, why this black magic is not
    working on privileged pages. Even when we
  • 21:03 - 21:10
    don't have the CSP error, maybe this time
    Edge is playing smart. Do we have any
  • 21:10 - 21:18
    other way to load about:flags in Edge?
    Then the next idea that came to my mind is
  • 21:18 - 21:24
    to use the res protocol. So res protocol
    is something that is used to fetch some
  • 21:24 - 21:31
    sort of resources from a module. So
    instead of about:flags, we can call
  • 21:31 - 21:44
    res://edgehtml.dll/flag.htm and the next
    moment it worked. So...
  • 21:44 - 21:49
    *applause*
  • 21:49 - 21:54
    Mittal: So this way we have now Javascript
    code execution on privileged pages as
  • 21:54 - 21:59
    well, which is pretty bad. So once you
    have Javascript code execution on
  • 21:59 - 22:05
    privileged pages, you can enable and
    disable Adobe Flash Player and there are
  • 22:05 - 22:11
    other methods, other possible options
    which we have already discussed, can also
  • 22:11 - 22:16
    be possible with the same type, with the
    same thing. So again, what we need to do
  • 22:16 - 22:22
    is to call browser.tabs.update that points
    to edgehtml.dll/flags.htm. And again, a
  • 22:22 - 22:30
    file, again some sort of javascript URI to
    fetch, get element by ID and then click on
  • 22:30 - 22:37
    it. So it will toggle the Adobe Flash
    Player setting on the Edge. Again, what is
  • 22:37 - 22:44
    next? So this was pretty enough for me.
    But again, like I was trying to figure out
  • 22:44 - 22:50
    if we can do something else as well. And
    then I start with the reading mode. So a
  • 22:50 - 22:57
    reading more is a feature implemented in
    Edge, which renders a page in a way that
  • 22:57 - 23:02
    is like kind of pretty easy to read. So in
    this process, Edge makes sure that there
  • 23:02 - 23:07
    shouldn't be any Javascript code execution
    on the page. The main purpose for reading
  • 23:07 - 23:13
    mode is that to provide the users, to
    provide a simplified page to the users. So
  • 23:13 - 23:17
    basically there should not be any
    advertisement or something like that. So
  • 23:17 - 23:21
    for that reason, browser vendors, they
    make sure there shouldn't be any
  • 23:21 - 23:26
    Javascript code execution on reading mode.
    And there was one bug with the reading
  • 23:26 - 23:33
    mode as well, like you cannot put any
    document in the reader mode until unless
  • 23:33 - 23:40
    browser identified its compatibility. But
    you can append the read: protocol in the
  • 23:40 - 23:46
    in the first and then the URL that points
    to some sort of domain and then Edge will
  • 23:46 - 23:52
    load the particular resources in the
    reading mode as well. So fortunately, I
  • 23:52 - 23:57
    tried the same attack on the reading mode
    as well. But since the reading more was
  • 23:57 - 24:03
    protected with their certain CSP and then,
    so you can see the CSP error. It says we
  • 24:03 - 24:09
    do not allow inline script and it really
    blocked by the Edge. So reading mode was
  • 24:09 - 24:16
    kind of safe, at least for the test cases,
    but in some certain test cases it worked
  • 24:16 - 24:22
    for me, but I was not able to I was not
    able to reproduce it further. So that's
  • 24:22 - 24:28
    why I marked it as safe. The other
    possible features we can have is the
  • 24:28 - 24:32
    Javascript code execution on other
    extension pages. Like again, you can
  • 24:32 - 24:38
    imagine a situation: We have... You can
    imagine a situation when one extension is
  • 24:38 - 24:43
    able to disable another extension in
    browser, like how bad it will be. So
  • 24:43 - 24:49
    again, now we are on a internal page that
    belongs to Adblock Plus. And if we tried
  • 24:49 - 24:56
    to run our extension on this page, then
    again, we have a CSP violation issues. So
  • 24:56 - 25:03
    that was safe. The next thing was some CSP
    privilege issues because the host
  • 25:03 - 25:10
    permission will not work if there is any
    CSP error. So next, I tried to figure out
  • 25:10 - 25:16
    if we can use the execute script API to
    figure out how to deal with the CSP. So
  • 25:16 - 25:24
    let's assume we have a page where the CSP
    is implemented properly and we have a host
  • 25:24 - 25:30
    permission for the same. So you can see
    the code where we are saying the content
  • 25:30 - 25:36
    security policy, which is set to default-
    src self. And we are using
  • 25:36 - 25:42
    browser.tabs.executeScript which this code
    and then where we have to pass the
  • 25:42 - 25:48
    JavaScript code, which is a simple
    alert(document.domain). So the way
  • 25:48 - 25:57
    extensions deal with the CSP is that most
    of the browsers, they will allow
  • 25:57 - 26:03
    Javascript from any extensions until
    unless they will try to change the DOM
  • 26:03 - 26:10
    tree of particular documents. So let's
    suppose we have the first example right
  • 26:10 - 26:16
    here. In this case, so as I said, let's
    assume we are on a page which has a
  • 26:16 - 26:22
    perfect CSP in place like this. And we
    tried to change the DOM for that
  • 26:22 - 26:30
    particular page. So the possible base we
    have is either we can use document.write
  • 26:30 - 26:36
    or we can use document.body.innerHTML and
    then insert the Javascript code. And then
  • 26:36 - 26:42
    the other possible way we have is to
    generate a random element and then write
  • 26:42 - 26:48
    inside it. So all these ways to manipulate
    the particular DOM tree on a CSP protected
  • 26:48 - 26:55
    page was not allowed by most of the
    browsers like Firefox and Chrome, but it
  • 26:55 - 27:01
    was not protected in case of Edge like the
    executeScript API as straightforward as
  • 27:01 - 27:06
    execute any of the Javascript code on any
    domain, whether you try to change on,
  • 27:06 - 27:12
    whether you tried to change the DOM on a
    CSP protected page or not. Like it doesn't
  • 27:12 - 27:19
    matter for it. So to conclude with this
    presentation is that Edge extensions are
  • 27:19 - 27:26
    still in development. Most of the APIs are
    not supported till the time because and
  • 27:26 - 27:32
    the Edge that it has moved to the new
    Chromium based browser as well. So I'm not
  • 27:32 - 27:37
    sure whether there is started developing
    extensions API or not, but the ActiveTab
  • 27:37 - 27:43
    is one of the interested permission to
    work on because it allows you to execute
  • 27:43 - 27:50
    Javascript code on the current domain. So
    if you are able to perform the same sort
  • 27:50 - 27:55
    of the same attack of the tabs API as
    well. So pretty much you can have all what
  • 27:55 - 28:01
    I presented here as well. So Microsoft,
    they finally decided to fix this bug in
  • 28:01 - 28:09
    March 19 update with the highest possible
    bounty they have with the CVE-2019-0678.
  • 28:09 - 28:15
    Now, that's it.
  • 28:15 - 28:21
    Herald: So thank you, Nikhil for an
    interesting talk. If you have questions
  • 28:21 - 28:25
    about the talk, we have three microphones,
    one, two and three in each one of the
  • 28:25 - 28:29
    aisles. If you have a question, please
    come to the microphone. We'll start from
  • 28:29 - 28:33
    microphone number three.
    Question: Hi. And thank you for the
  • 28:33 - 28:42
    interesting talk. I have one question. Is
    this back or is this API also relevant for
  • 28:42 - 28:47
    the new, for the new Edge coming in
    January based on Chromium engine?
  • 28:47 - 28:55
    Mittal: No, I guess. So the APIs are the
    same, but since the new Edge is running on
  • 28:55 - 29:04
    Chrome so they will not support this API
    because of they use some others calling
  • 29:04 - 29:09
    conventions, I guess, I believe. Does that
    answer your question?
  • 29:09 - 29:12
    Q: Yeah. But I have a second one.
    Herald: Yeah. Go for it.
  • 29:12 - 29:21
    Q: Okay. And the second one is you tried
    to open the pages via the res Protocol.
  • 29:21 - 29:29
    But the functionality of those pages, is
    it also handled by Edge while opening it
  • 29:29 - 29:33
    through the res protocol, not about the
    about protocol?
  • 29:33 - 29:37
    Mittal: Yes, I guess.
    Q: Okay. They were also working?
  • 29:37 - 29:39
    Mittal: Yeah.
    Q: Okay. Thank you.
  • 29:39 - 29:45
    Herald: Any more questions from the crowd
    or from the internet? Okay. Then another
  • 29:45 - 29:47
    round of applause for Nikhil for a great
    talk.
  • 29:47 - 30:14
    *36c3 outro music*
Title:
36C3 - Breaking Microsoft Edge Extensions Security Policies
Description:

more » « less
Video Language:
English
Duration:
30:17

English subtitles

Incomplete

Revisions Compare revisions