mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-4375: No subject
This commit is contained in:
parent
fcd8e6fd40
commit
f59ff3e8f7
1 changed files with 74 additions and 4 deletions
|
@ -1,8 +1,8 @@
|
|||
# Browser Extension Pentesting Methodology
|
||||
|
||||
{% hint style="success" %}
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
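Review bot: the only change in this hunk is the image `src` prefix in the training banner, from `/.gitbook/assets/arte.png` / `grte.png` to `../../.gitbook/assets/...`; the link further down the page (`../postmessage-vulnerabilities/`) shows this page lives inside a subdirectory, so confirm that two `../` levels actually resolve to the repo's `.gitbook/assets` folder from this file's location, otherwise the banner images break on GitBook while the absolute form rendered. Whichever form is kept, it must match the identical change made to the footer banner at the bottom of this diff.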
@ -459,6 +459,20 @@ chrome.runtime.sendMessage(extensionId, ...
|
|||
|
||||
Where it's needed to mention the **extension ID**.
|
||||
|
||||
### Native Messaging
|
||||
|
||||
It's possible for the background scripts to communicate with binaries inside the system, which might be **prone to critical vulnerabilities such as RCEs** if this communication is not properly secured. [More on this later](./#native-messaging).
|
||||
|
||||
```javascript
|
||||
chrome.runtime.sendNativeMessage(
|
||||
'com.my_company.my_application',
|
||||
{text: 'Hello'},
|
||||
function (response) {
|
||||
console.log('Received ' + response);
|
||||
}
|
||||
);
|
||||
```
|
||||
|
||||
## Web **↔︎** Content Script Communication
|
||||
|
||||
The environments where **content scripts** operate and where the host pages exist are **separated** from one another, ensuring **isolation**. Despite this isolation, both have the ability to interact with the page's **Document Object Model (DOM)**, a shared resource. For the host page to engage in communication with the **content script**, or indirectly with the extension through the content script, it is required to utilize the **DOM** that is accessible by both parties as the communication channel.
|
||||
|
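Review bot: `console.log('Received ' + response)` in the new `sendNativeMessage` example prints `[object Object]` for any object reply from the host, which is the normal case since native messages are JSON; log it as `console.log('Received', response)` or via `JSON.stringify(response)` so the example actually shows the data a tester wants to see. The snippet is also a verbatim copy of the one added under `## Native Messaging` later in this same commit, and the sentence already cross-links there with `[More on this later](./#native-messaging)`, so the duplicate block can be dropped in favour of that link; note that the anchor only works while the later heading keeps exactly that text.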
@ -575,6 +589,49 @@ An important consideration is that in scenarios where multiple pages are set to
|
|||
|
||||
When crafting new extensions, the preference should be towards promises as opposed to callbacks. Concerning the use of callbacks, the `sendResponse()` function is considered valid only if it's executed directly within the synchronous context, or if the event handler indicates an asynchronous operation by returning `true`. Should none of the handlers return `true` or if the `sendResponse()` function is removed from memory (garbage-collected), the callback associated with the `sendMessage()` function will be triggered by default.
|
||||
|
||||
## Native Messaging
|
||||
|
||||
Browser extensions also allow to communicate with **binaries in the system via stdin**. The application must install a json indicating so in a json like:
|
||||
|
||||
```json
|
||||
{
|
||||
"name": "com.my_company.my_application",
|
||||
"description": "My Application",
|
||||
"path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
|
||||
"type": "stdio",
|
||||
"allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]
|
||||
}
|
||||
```
|
||||
|
||||
Where the `name` is the string passed to [`runtime.connectNative()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-connectNative) or [`runtime.sendNativeMessage()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-sendNativeMessage) to communicate with the application from the background scripts of the browser extension. The `path` is the path to the binary, there is only 1 valid `type` which is stdio (use stdin and stdout) and the `allowed_origins` indicate the extensions that can access it (and can't have wildcard).
|
||||
|
||||
Chrome/Chromium will search for this json in some windows registry and some paths in macOS and Linux (more info in the [**docs**](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)).
|
||||
|
||||
{% hint style="success" %}
|
||||
The browser extension also needs the `nativeMessaing` permission declared in order to be able to use this communication.
|
||||
{% endhint %}
|
||||
|
||||
This is how it looks like some background script code sending messages to a native application:
|
||||
|
||||
```javascript
|
||||
chrome.runtime.sendNativeMessage(
|
||||
'com.my_company.my_application',
|
||||
{text: 'Hello'},
|
||||
function (response) {
|
||||
console.log('Received ' + response);
|
||||
}
|
||||
);
|
||||
```
|
||||
|
||||
In [**this blog post**](https://spaceraccoon.dev/universal-code-execution-browser-extensions/), a vulnerable pattern abusing native messages is proposed:
|
||||
|
||||
1. Browser extension has a wildcard pattern for content script.
|
||||
2. Content script passes `postMessage` messages to the background script using `sendMessage`.
|
||||
3. Background script passes the message to native application using `sendNativeMessage`.
|
||||
4. Native application handles the message dangerously, leading to code execution.
|
||||
|
||||
And inside of it an example of **going from any page to RCE abusing a browser extension is explained**.
|
||||
|
||||
## Sensitive Information in Memory/Code/Clipboard
|
||||
|
||||
If a Browser Extension stores **sensitive information inside it's memory**, this could be **dumped** (specially in Windows machines) and **searched** for this information.
|
||||
|
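Review bot: the permission name in the new hint is misspelled, `nativeMessaing` should be `nativeMessaging`, which is the exact string the manifest `permissions` array must contain for `runtime.sendNativeMessage()` / `runtime.connectNative()` to be allowed. The opening sentence, "communicate with binaries in the system via stdin", also undersells the channel: as the later sentence on `"type": "stdio"` says, the host reads requests on stdin and writes replies on stdout, so both directions are web-reachable attack surface when the background script forwards page data. "Some windows registry" should be made concrete, e.g. the `HKCU` or `HKLM` key `Software\Google\Chrome\NativeMessagingHosts\<name>` whose default value points at the host manifest, and the fixed per-user or system `NativeMessagingHosts` directories on macOS/Linux, since knowing where the manifest lives is what lets a tester enumerate installed hosts and their `allowed_origins`. Finally, the same `'Received ' + response` logging issue noted in the earlier hunk applies to this copy of the example.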
@ -641,6 +698,17 @@ Go to the Chrome Web Store and download the extension. The file will have a `.cr
|
|||
|
||||
Open Chrome and go to `chrome://extensions/`. Enable "Developer mode" at the top right. Click on "Load unpacked extension...". Navigate to the directory of your extension. This doesn't download the source code, but it's useful for viewing and modifying the code of an already downloaded or developed extension.
|
||||
|
||||
## Chrome extension manifest dataset
|
||||
|
||||
In order to try to spot vulnerable browser extensions you could use the[https://github.com/palant/chrome-extension-manifests-dataset](https://github.com/palant/chrome-extension-manifests-dataset) and check their manifest files for potentially vulnerable signs. For example to check for extensions with more than 25000 users, `content_scripts` and the permission `nativeMessaing`:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Query example from https://spaceraccoon.dev/universal-code-execution-browser-extensions/
|
||||
node query.js -f "metadata.user_count > 250000" "manifest.content_scripts?.length > 0 && manifest.permissions?.includes('nativeMessaging')"
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## Security Audit Checklist
|
||||
|
||||
Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones:
|
||||
|
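Review bot: the prose and the query disagree on the threshold: the text says "more than 25000 users" while the command filters `metadata.user_count > 250000`; pick one and align the other. The prose also repeats the `nativeMessaing` misspelling, whereas the query correctly uses `'nativeMessaging'`, so anyone who copies the spelling from the sentence into their own filter silently gets zero results. Minor: "use the[https://github.com/palant/chrome-extension-manifests-dataset]" is missing a space before the link.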
@ -656,8 +724,10 @@ Even though Browser Extensions have a **limited attack surface**, some of them m
|
|||
* [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.**
|
||||
* [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web
|
||||
* [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication**
|
||||
* [ ] If the background script is communicating via **native messaging** check the communication is secure and sanitized
|
||||
* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **code**
|
||||
* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory**
|
||||
* [ ] **Sensitive information shouldn't be stored** inside the **file system unprotected**
|
||||
|
||||
## Tools
|
||||
|
||||
|
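Review bot: "check the communication is secure and sanitized" is too vague to act on as a checklist item; state the concrete questions the Native Messaging section already implies: does the background script forward web-controlled data (from `postMessage` or a content-script `sendMessage`) into `sendNativeMessage` without validation, and does the native host interpret fields of that JSON as commands, file paths or arguments? Those two checks are exactly the chain the page describes as leading from any web page to code execution.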
@ -704,8 +774,8 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
|
|||
* [https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0](https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0)
|
||||
|
||||
{% hint style="success" %}
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
|
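Review bot: this footer hunk makes the same `/.gitbook/assets/` to `../../.gitbook/assets/` path change as the header hunk; keep the two consistent and verify the relative depth resolves from this file's directory before merging.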