Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
2. Agenda
• Introduction of Browsers
• Working of Browsers
• Basic Features
• Origin and Same Origin Policy
• Same Origin Policy in action
• Content Security Policy
• Common Attacks on Browsers/WebView
• RCE and Cross Scheme Data Exposure
• Demo For UXSS
• Demo For Denial Of Service
• Demo For SOP Same Origin Bypasses
• Demo For Address Bar Spoofing in Android
• Demo For Address Bar Spoofing in Safari
• Demo For Content Spoofing
4. Basic Features
Features Provided By Browser:
• Multiple tabs
• Address bar
• Autocomplete
• Password manager Downloads
• Support for untrusted SSL certificates
• Safety ratings
• Malware protection
• Cloud integration
• Adware Blocker, etc.
5. Origin
Origin
Two URLs have the same origin if the protocol, port (if specified), and host are the same for both.
6. Same Origin Policy
Same Origin
• The same-origin policy is a critical security mechanism that restricts how a document is loaded
from one origin can interact with a resource from another origin.
• In simple words, two webpages are on same origin if they have the same URL scheme, hostname
and port number.
Same Origin Bypass
• SOP bypasses is mostly occurred due to logical confusion between different layers where one
layer parses the input in a different way and another in a different way.
7. SOP In Action
Code For SOP
<script>
var x = new XMLHttpRequest(); x.open('GET','http://www.gmail.com', true) x.send()
document.write(x.responseText);
</script>
SOP restricts it from accessing contents present at https://www.gmail.com due to scheme and host mismatch.
8. Content Security Policy
CSP & CSP Bypass
• Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate cert
ain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
• CSP bypass in not always a security bug.
• Content-Security-Policy: policy
9. Common Attacks
• Cross Scheme Data Exposure Attacks
• Remote Code Execution
• DOS
• UXSS
• SOP Bypass
• Spoofing
• Fuzzing
Most Common Attacks on WebView/Browsers
SOP bypass / UXSS
10. RCE and Cross Scheme Data Exposure
Cross Scheme Data Exposure
• In browser modern HTTP and file scheme (file:///etc/passwd) are both treated as a different origin.
If
javascript at HTTP scheme can load and read local files it results in a SOP bypass and causes
directory traversal attacks
• Mozilla provides a component known as “nsILocalFile” and it is possible to navigate to different
path separators used on different platforms, query the state ofany file or directory.
• This component can be refer using the string '@mozilla.org/file/local;1‘ to create an instance whi
ch can alsobe known as Contract.
• This caused code execution.
Remote Code Execution
11. Demo for Denial Of Service
Denial of Service
• Denial of Service Vulnerability is when application fails to provide service and crashes.
• Here SetInterval function was used to exploit in the browser for this case. This vulnerability makes
the resource unavailable and thus the browser crashes.
• Browser allows javascript to update the address bar while the page is still loading which is causing
browsers to crash or freeze thus causing dos attack.
• Mitigation: For solution browser window should not be allowed to update address page while loadi
ng. The application should be able to handle exceptions instead of freezing.
• Code Url: https://justmorpheus.000webhostapp.com/null/dos.html
• Demo Video
12. Demo For Universal XSS
CVE-2019-13607* : UXSS via Javascript Protocol
• Attacker controlled domain returns "javascript:code_here" in "location" header then browser
executes the javascript code in the context of target domain instead of attacker domain.
• The value of "location" header is "javascript:alert()" then javascript code "alert()" gets executed by
the browser.
• Mitigation: Browser should not be allowed to execute the javascript code in the context of the
domain from where the navigation was initiated.
• Code Url: http://rakeshmane.com/secret.html
• Demo Video
Thanks to Rakesh Mane for discovering UXSS
13. UXSS / SOP Bypass
Stealing Credentials
• A server-redirect combined with a data-uri end up bypassing the Same Origin Policy, which leads t
o all kind of vulnerabilities like stealing user passwords in plain-text (thanks to the password mana
ger), grabbing cookies, spoofing the content and referrer, etc.
• The rule of thumb when discussing defending against UXSS is have everything patched and up to
date.
14. Demo For Same Origin Policy Bypass
CVE-2019-14962: SOP Bypass via URL Spoofing
• A SOP bypass is when a javascript present in the origin like example.com is able to access proper
ties of webpage on another origin http://example2.com such as cookies, location, response, etc.
• It occurs in the browser when window.open() opens a new child tab and rewrites in the innerHTML
to gather credentials using fake pop up alert.
• Mitigation: By keeping a check on creating model regarding SOP and also by decreasing the comp
lexity of JavaScript and DOM.
• Code Url: https://justmorpheus.000webhostapp.com/null/sopbypass.html
• Demo Video
15. Spoofing Attacks
Introduction to Spoofing Attacks
• Google security team themselves state that "We recognize that the address bar is the only reliable
security indicator in modern browsers" .
• Initialize and Interrupt” technique.
• Load and Overwrite Race Conditions
• Loading Loop
• Spoofing Using RTL Characters
• Content Spoofing via Popup
16. Demo For Address Bar Spoofing
CVE-2019–12278 : Address Bar Spoofing Using RTL Characters
• Opera android suffers from address bar spoofing vulnerability. Characters from languages are suc
h as Persian, Arabic are displayed in right to left order, usage prescribed is Unicode Bidirectional A
lgorithm. Unicode characters such as U+08FF, U+FB50, etc are rendered from right to left so it ca
n be used to spoof the URL.
• Mitigation: All these URLs must be rendered in similar fashion i.e. left to right. Check the RFC for
more details.
• Malicious URL:
http://3.17.56.213/%EF%B9%B0/https://google.com/links
http:// اردو/ google.com/links
• Demo/Writeup: Opera Android Address Bar Spoofing: CVE-2019–12278
18. Demo For Content Spoofing
Content Spoofing and Malicious File Download
• This issue occurs when an attacker is able to spoof dialog boxes as well as partial content. This
can lead to phishing attacks. Some browsers also fail to respond.
• The attacker is able to control partial content via jsalert() and thus any innocent victim can enter
their credentials since alert is on the genuine site rather than appearing on parent domain.
• Mitigation: Webview fails to overwrite the WebChromeClient.onJsAlert() responsible for displaying
alert box and this way webview is not able to switch the alert function to the correct tab.
• Demo URL: https://justmorpheus.000webhostapp.com/day3/content2.html
• Demo Video
19. Demo For URL Bar Spoofing in Safari
CVE-2019-8727 :Spoofing in Safari for iOS 12.3 and iOS 13 Beta
• Due to insecure design principles, safari failed to handle setTimeout and setInterval methods, th
us causing a delay in the loading webpage for the non-existent port.
• Code:
<script>
setTimeout(function(){ function spoof()
{ window.location.assign(“https://www.bankofamerica.com:8090");}
setInterval(spoof(),50000); }, 100);
</script>
• Mitigation: By resetting the document object model like by displaying a white page, or showing a p
rogress bar or completely redirecting to the genuine page.
• Code Url: https://justmorpheus.000webhostapp.com/null/boa.html
• Demo/Writeup: URL Bar Spoofing Flaw in Safari for iOS 12.3 and iOS 13 Beta | CVE-2019-8727
