Skip to content

Commit

Permalink
GITBOOK-4375: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
@carlospolop @gitbook-bot
carlospolop authored and gitbook-bot committed Jul 31, 2024
1 parent fcd8e6f commit f59ff3e
Showing 1 changed file with 74 additions and 4 deletions.
78 changes: 74 additions & 4 deletions pentesting-web/browser-extension-pentesting-methodology/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Browser Extension Pentesting Methodology

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down Expand Up @@ -459,6 +459,20 @@ chrome.runtime.sendMessage(extensionId, ...
Where it's needed to mention the **extension ID**.
### Native Messaging
It's possible for the background scripts to communicate with binaries inside the system, which might be **prone to critical vulnerabilities such as RCEs** if this communication is not properly secured. [More on this later](./#native-messaging).
```javascript
chrome.runtime.sendNativeMessage(
'com.my_company.my_application',
{text: 'Hello'},
function (response) {
console.log('Received ' + response);
}
);
```
## Web **↔︎** Content Script Communication
The environments where **content scripts** operate and where the host pages exist are **separated** from one another, ensuring **isolation**. Despite this isolation, both have the ability to interact with the page's **Document Object Model (DOM)**, a shared resource. For the host page to engage in communication with the **content script**, or indirectly with the extension through the content script, it is required to utilize the **DOM** that is accessible by both parties as the communication channel.
Expand Down Expand Up @@ -575,6 +589,49 @@ An important consideration is that in scenarios where multiple pages are set to
When crafting new extensions, the preference should be towards promises as opposed to callbacks. Concerning the use of callbacks, the `sendResponse()` function is considered valid only if it's executed directly within the synchronous context, or if the event handler indicates an asynchronous operation by returning `true`. Should none of the handlers return `true` or if the `sendResponse()` function is removed from memory (garbage-collected), the callback associated with the `sendMessage()` function will be triggered by default.
## Native Messaging
Browser extensions also allow to communicate with **binaries in the system via stdin**. The application must install a json indicating so in a json like:
```json
{
"name": "com.my_company.my_application",
"description": "My Application",
"path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
"type": "stdio",
"allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]
}
```
Where the `name` is the string passed to [`runtime.connectNative()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-connectNative) or [`runtime.sendNativeMessage()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-sendNativeMessage) to communicate with the application from the background scripts of the browser extension. The `path` is the path to the binary, there is only 1 valid `type` which is stdio (use stdin and stdout) and the `allowed_origins` indicate the extensions that can access it (and can't have wildcard).
Chrome/Chromium will search for this json in some windows registry and some paths in macOS and Linux (more info in the [**docs**](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)).
{% hint style="success" %}
The browser extension also needs the `nativeMessaing` permission declared in order to be able to use this communication.
{% endhint %}
This is how it looks like some background script code sending messages to a native application:
```javascript
chrome.runtime.sendNativeMessage(
'com.my_company.my_application',
{text: 'Hello'},
function (response) {
console.log('Received ' + response);
}
);
```
In [**this blog post**](https://spaceraccoon.dev/universal-code-execution-browser-extensions/), a vulnerable pattern abusing native messages is proposed:
1. Browser extension has a wildcard pattern for content script.
2. Content script passes `postMessage` messages to the background script using `sendMessage`.
3. Background script passes the message to native application using `sendNativeMessage`.
4. Native application handles the message dangerously, leading to code execution.
And inside of it an example of **going from any page to RCE abusing a browser extension is explained**.
## Sensitive Information in Memory/Code/Clipboard
If a Browser Extension stores **sensitive information inside it's memory**, this could be **dumped** (specially in Windows machines) and **searched** for this information.
Expand Down Expand Up @@ -641,6 +698,17 @@ Go to the Chrome Web Store and download the extension. The file will have a `.cr

Open Chrome and go to `chrome://extensions/`. Enable "Developer mode" at the top right. Click on "Load unpacked extension...". Navigate to the directory of your extension. This doesn't download the source code, but it's useful for viewing and modifying the code of an already downloaded or developed extension.

## Chrome extension manifest dataset

In order to try to spot vulnerable browser extensions you could use the[https://github.com/palant/chrome-extension-manifests-dataset](https://github.com/palant/chrome-extension-manifests-dataset) and check their manifest files for potentially vulnerable signs. For example to check for extensions with more than 25000 users, `content_scripts` and the permission `nativeMessaing`:

{% code overflow="wrap" %}
```bash
# Query example from https://spaceraccoon.dev/universal-code-execution-browser-extensions/
node query.js -f "metadata.user_count > 250000" "manifest.content_scripts?.length > 0 && manifest.permissions?.includes('nativeMessaging')"
```
{% endcode %}

## Security Audit Checklist

Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones:
Expand All @@ -656,8 +724,10 @@ Even though Browser Extensions have a **limited attack surface**, some of them m
* [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.**
* [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web
* [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication**
* [ ] If the background script is communicating via **native messaging** check the communication is secure and sanitized
* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **code**
* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory**
* [ ] **Sensitive information shouldn't be stored** inside the **file system unprotected**

## Tools

Expand Down Expand Up @@ -704,8 +774,8 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
* [https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0](https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down

0 comments on commit f59ff3e

Please sign in to comment.