tldr; Webpages can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup - trick to detect addons you have installed.
While all of us are used to http / https URI Schemes, current web applications sometimes use other schemes including:
While all of us are used to http / https URI Schemes, current web applications sometimes use other schemes including:
- javascript: URIs bypassing XSS filters for years
- data: URIs that is a common source of new XSS vulnerabilities
- view-source: that may be used for UI-redressing attacks
- file: that reads your local files
Tough questions
Throughout the years, there have always been questions on how documents from these schemes are supposed to be isolated from each other (think of it like a 2nd order Same Origin Policy). Typical questions include:
- Can XMLHttpRequest from http:// document load a file:// URL? And the other way around?
- Can document from https:// load script from http://? Should we display SSL warning then?
- Can http:// document have an iframe with view-source: src?
- Can data: URI access the DOM of the calling http:// document?
- Can file:// URL access a file:// from upper directory (it's not so obvious)
- What about:blank?
- How to handle 30x redirections to each of those schemes?
- What about passing Referer header across schemes?
- Can I window.open() across schemes? Would window.postMessage() work?
- and many, many more issues
In general, all this questions come down to:
- How should we isolate the schemes from each other?
- What information is allowed to leak between scheme boundaries?
Meet chrome-extension://
Google Chrome addons are packaged pieces of HTML(5) + Javascript applications. They may:
- add buttons to the interface
- launch background tasks
- interact with pages you browse
- ...
All extension resources are loaded from dedicated chrome-extension:// URLs . Each extension has a global unique identifier. For example,
chrome-extension://oadboiipflhobonjjffjbfekfjcgkhco/help.html is URL representing help.html page from Google Chrome to Phone (you can try it, if you have this extension enabled).
Extension interact with web pages that you visit and have access to their DOM, but the Javascript execution context is separated (they cannot call each other Javascript code - and for a good reason).
However even in this separation model there is still place for page <-> addon cooperation. Malicious HTTP pages might interact with addons in various ways. One simple example is addon enumeration.
Finding your addons one by one
With a little Javascript code I can easily test if you're using a certain Chrome addon. Give me a list of most popular extensions and I'll test all of them in milliseconds. Why would I want that as an attacker?- to fingerprint your browser (ad networks love this)
- to start attack against a certain known vulnerable addon (wait for the next post for this ;) )
See demo of Chrome addons fingerprinting. (src here)
Update: TIL the technique was already published by @albinowax. Cool!
This is just one simple example of punching the separation layer between addons and webpages. There are more coming. Stay tuned.
How?
The trick is dead simple:var detect = function(base, if_installed, if_not_installed) {
var s = document.createElement('script');
s.onerror = if_not_installed;
s.onload = if_installed;
document.body.appendChild(s);
s.src = base + '/manifest.json';
}
detect('chrome-extension://' + addon_id_youre_after, function() {alert('boom!');});
Every addon has a manifest.json file. In http[s]:// page you can try to load a script cross-scheme from chrome-extension:// URL, in this case - the manifest file. You just need the addon unique id to put into URL. If the extension is installed, manifest will load and onload event will fire. If not - onerror event is there for you.Update: TIL the technique was already published by @albinowax. Cool!
This is just one simple example of punching the separation layer between addons and webpages. There are more coming. Stay tuned.
Posts
