2. What & Who This presentation demonstrates the strength of the Mozilla platform and how some of its features could be misused by malicious users. It is intended to dispel a common myth: FIREFOX is SECURE.
3. Firefox Browser of choice for millions. Multi-platform. Modular and scalable! Pluggable extension code! Browser of my choice.
4. Agenda Introduction, Mozilla Platform, Attacking Firefox, Malicious Extensions, XCS, Some basic points to watch…, That’s All Folks…
6. Extension Security! The Mozilla extension security model is non-existent. Extension code is fully trusted by Firefox. A vulnerability in extension code might result in full system compromise. There are no security boundaries between extensions: an extension can silently modify/alter another extension.
7. Mozilla Platform Chrome: the term can be used to indicate a “special trusted zone” within the Mozilla platform.
8. Mozilla Platform XUL (pronounced "zool"): Mozilla's XML-based language that lets you build feature-rich, cross-platform applications that can run connected to or disconnected from the Internet.
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="vbox example" title="Example 3...." xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <vbox>
    <button id="yes" label="Yes"/>
    <button id="no" label="No"/>
    <button id="maybe" label="Maybe"/>
  </vbox>
</window>
9. Mozilla Platform XBL: an XML-based markup language used to declare the behavior and look of XUL widgets and XML elements.
scrollbar { -moz-binding: url('somefile.xml#binding1'); }
-- “binding1” is the id of the binding
10. Mozilla Platform XPCOM: the cross-platform component model from Mozilla and the nerve center of the Mozilla platform. XPCOM has some similarity to CORBA and Microsoft COM.
13. Attacking Firefox! Now that we have seen the basic architecture, on to some fun.
14. Extensions Extensions add functionality to Firefox, Thunderbird and SeaMonkey. Sample files inside an XPI file (exampleExt.xpi):
/install.rdf
/components/*
/components/cmdline.js
/defaults/
/defaults/preferences/*.js
/plugins/*
/chrome.manifest
/chrome/icons/default/*
/chrome/
/chrome/content/
15. Malicious Extensions We will build a malicious extension which will: log all keystrokes and send them remotely; execute native code; crack stored passwords; add a malicious site to NoScript. DEMO
16. Interesting Finds In the course of this presentation I found some interesting finds; some have been previously discussed, but here they are again!
28. What Should an END User Mind Suspicious single file(s) in the extension folder. XPIs are archives: they can be unzipped and checked for any packaged executables. Check install.rdf for common pitfalls, mainly <em:hidden>. Verify that chrome.manifest does not point to other extension folders, as it can overwrite their functionality.
29. What Should a Developer Do? That’s a whole presentation by itself. Don’t bypass wrappers. Don’t trust content from the untrusted domain. Don’t use eval(). Follow this link: https://developer.mozilla.org/en/Security_best_practices_in_extensions
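The three end-user checks on this slide can be scripted. The following is an added example, not code from the presentation: it audits an already unzipped extension directory, represented here as an in-memory map of relative path to file content so it runs offline under Node.js with no modules. The list of "executable" extensions, the set of chrome.manifest directives treated as taking filesystem paths, and the sample extension contents are all assumptions constructed for the example.

```javascript
// Added audit helper (not from the presentation). Walks an UNZIPPED extension
// directory given as { "relative/path": "content" } and applies the slide's
// three checks: packaged executables, <em:hidden> in install.rdf, and
// chrome.manifest paths that reach outside the extension's own folder.

// Assumption: file extensions that count as "packaged executables".
const EXECUTABLE_EXTENSIONS = new Set([
  ".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".com", ".scr", ".sh",
]);

// Assumption: chrome.manifest directives whose arguments are paths relative to
// the manifest. chrome:// and similar URLs in other directives are left alone.
const PATH_DIRECTIVES = new Set(["content", "skin", "locale", "resource"]);

function findPackagedExecutables(files) {
  return Object.keys(files).filter((path) => {
    const dot = path.lastIndexOf(".");
    return dot !== -1 && EXECUTABLE_EXTENSIONS.has(path.slice(dot).toLowerCase());
  });
}

// install.rdf is RDF/XML; for a stand-alone audit a regex is enough to spot
// <em:hidden>true</em:hidden> (element form) or em:hidden="true" (attribute form).
function installRdfIsHidden(files) {
  const rdf = files["install.rdf"];
  if (rdf === undefined) return false;
  return /<em:hidden>\s*true\s*<\/em:hidden>/i.test(rdf) ||
         /\bem:hidden\s*=\s*["']true["']/i.test(rdf);
}

// A path that climbs out of the directory (..), is absolute, or is a file: URL
// can point at another extension's folder and override its chrome.
function isPathEscaping(arg) {
  if (/^file:/i.test(arg)) return true;
  if (/^([a-z]:)?[\\/]/i.test(arg)) return true;   // absolute POSIX or Windows path
  return arg.split(/[\\/]/).includes("..");
}

function findEscapingManifestLines(files) {
  const manifest = files["chrome.manifest"];
  if (manifest === undefined) return [];
  const findings = [];
  manifest.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;   // blank or comment
    const tokens = line.split(/\s+/);
    if (!PATH_DIRECTIVES.has(tokens[0])) return;
    // Skip directive and package name; flags such as contentaccessible=yes are not paths.
    const args = tokens.slice(2).filter((t) => !t.includes("="));
    if (args.some(isPathEscaping)) findings.push({ line: idx + 1, text: line });
  });
  return findings;
}

function auditExtension(files) {
  return {
    executables: findPackagedExecutables(files),
    hidden: installRdfIsHidden(files),
    escapingManifestLines: findEscapingManifestLines(files),
  };
}

// Constructed sample of a suspicious unzipped extension (not a real add-on).
const SAMPLE_EXTENSION = {
  "install.rdf":
    '<?xml version="1.0"?>\n' +
    '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n' +
    '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n' +
    '  <Description about="urn:mozilla:install-manifest">\n' +
    '    <em:id>sample@example.invalid</em:id>\n' +
    '    <em:hidden>true</em:hidden>\n' +
    '  </Description>\n</RDF>\n',
  "chrome.manifest":
    "content sample chrome/content/\n" +
    "# the next line reaches into a sibling extension's directory\n" +
    "content other ../other-extension@example.invalid/chrome/content/\n" +
    "overlay chrome://browser/content/browser.xul chrome://sample/content/overlay.xul\n",
  "chrome/content/overlay.xul": "<overlay/>",
  "components/helper.exe": "<binary blob>",
};

console.log(JSON.stringify(auditExtension(SAMPLE_EXTENSION), null, 2));
```

A real run would build the map by reading the unzipped folder from disk; the checks themselves are heuristics that flag items for a human to look at, not a verdict on the extension.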
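To make the "don't use eval()" and "don't trust content" points concrete, here is an added example (not from the presentation or the linked MDN page) that contrasts the two ways an extension might turn a string received from web content into data. The message string, the field names and the length limit are constructed assumptions; the example runs under Node.js.

```javascript
// Added example (not from the presentation): why privileged extension code
// must never eval() a string that came from untrusted web content.

// Constructed message as content might hand it to an extension: it looks like
// JSON but carries a trailing statement after the object literal.
const UNTRUSTED_FROM_CONTENT =
  '({"title":"hello"}); globalThis.sideEffect = "content code ran"';

// The anti-pattern: eval() executes whatever the content-side string contains,
// with the extension's (chrome) privileges.
function parseWithEval(text) {
  return eval(text);                                // do not do this
}

// The safe form: JSON.parse accepts data only, never code, and the result is
// validated against the exact shape the extension expects before use.
function parseMessage(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return null;                                    // not valid JSON: reject it
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.title !== "string" || data.title.length > 200) return null;
  return { title: data.title };                     // copy only the allowed field
}

// Runs both paths against the same string and reports what happened.
function demonstrate() {
  delete globalThis.sideEffect;
  parseWithEval(UNTRUSTED_FROM_CONTENT);
  const evalRanCode = globalThis.sideEffect === "content code ran";

  delete globalThis.sideEffect;
  const safeResult = parseMessage(UNTRUSTED_FROM_CONTENT);   // null: rejected
  const safeRanCode = globalThis.sideEffect !== undefined;   // false

  return {
    evalRanCode,
    safeResult,
    safeRanCode,
    valid: parseMessage('{"title":"hello"}'),                // { title: "hello" }
  };
}

console.log(demonstrate());
```

The validation step matters as much as dropping eval(): JSON.parse stops code from running, and the shape check stops unexpected fields or oversized values from reaching the rest of the extension.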
31. Last Words We discussed some ways of subverting the Mozilla platform. This list is by no means exhaustive. There are some strategies, like sandboxes, which can be bypassed. New features like themes open new avenues! HTML 5 would definitely be a point to consider (LavaKumar Speech). Lastly, Mozilla is a secure platform but can easily be exploited, so some care should be taken.