
Attacking Browser Extensions

Nicolas Golubovic
Master Thesis. May 03, 2016.
Advisor: Dr.-Ing. Mario Heiderich
Chair for Network and Data Security – Prof. Dr. Jörg Schwenk

Abstract

Browser extensions are extremely profitable targets for attackers due to their popularity and privileges. This thesis examines both old and new attack techniques for Mozilla Firefox and Google Chrome to estimate the effective state of security in modern extension systems. Previous research mostly focuses either on one technique or one browser and therefore lacks the comprehensiveness of this work. By manually evaluating extensions and presenting them in case studies, this thesis shows that all introduced attacks have real-world applications. Additionally, a test suite has been developed to allow side-effect-free black-box testing of extension systems. Overall, this thesis shows that the present mitigations are not sufficient to stop dedicated attackers.

Statutory Declaration

I declare that I have not already submitted any work in the same or a similar version for another examination at Ruhr-Universität Bochum or at another university.

I affirm that I wrote this thesis independently and used no sources other than those indicated. Passages taken verbatim or in substance from other sources are marked as such with a citation of the source. This applies analogously to drawings, sketches, graphical representations and the like that were used.

I also affirm that the written version I submitted matches the digital version. I agree to the digital version of this thesis being used for the purpose of plagiarism checking.

Place, Date                Signature

Contents

1. Introduction
   1.1. Threat Model
   1.2. Organization
2. Related Work
   2.1. Attacks on Extensions
   2.2. Attacks from Extensions
3. Fundamentals
   3.1. HyperText Markup Language
   3.2. Extensible Markup Language
      3.2.1. Extensible HyperText Markup Language
      3.2.2. XML User Interface Language
      3.2.3. XML Binding Language
   3.3. Document Object Model
   3.4. Cascading Style Sheets
   3.5. JavaScript
   3.6. Same-Origin Policy
      3.6.1. Security Contexts
   3.7. Cross-Site Scripting
      3.7.1. Cross-Context Scripting
   3.8. Clickjacking
   3.9. Browsers
      3.9.1. Mozilla Firefox
      3.9.2. Google Chrome
      3.9.3. Other Browsers
4. Extension Architectures
   4.1. Extension Types
      4.1.1. Mozilla Firefox
      4.1.2. Google Chrome
   4.2. Distribution Models
      4.2.1. Mozilla Firefox
      4.2.2. Google Chrome
   4.3. Security Concepts
      4.3.1. Gecko Concepts
      4.3.2. Chrome Concepts
   4.4. Security Model
      4.4.1. Mozilla Firefox
      4.4.2. Google Chrome
5. Test Suite
   5.1. Architecture
   5.2. Methodology
   5.3. Results
      5.3.1. Firefox
      5.3.2. Chrome
6. Attacks on Extensions
   6.1. Fingerprinting
      6.1.1. Resource Leaks
      6.1.2. Side Channels
   6.2. Cross-Context Scripting
      6.2.1. XCS in Mozilla Firefox
      6.2.2. XCS in Google Chrome
   6.3. SQL Injection
      6.3.1. SQL Injection in Mozilla Firefox
      6.3.2. SQL Injection in Google Chrome
   6.4. Clickjacking
      6.4.1. Bait and Switch
   6.5. Browser Vulnerabilities
      6.5.1. Arbitrary File Write
7. Attacks from Extensions
   7.1. Mozilla Firefox
      7.1.1. Privileged Attacks
      7.1.2. Privilege Escalation
      7.1.3. Misdirection
      7.1.4. Data Leaks
   7.2. Google Chrome
      7.2.1. Privileged Attacks
      7.2.2. Privilege Escalation
8. Conclusion
   8.1. Discussion
   8.2. Future Research
   8.3. Final Conclusion
A. Appendix
   A.1. Extension CSP Bypass
List of Figures
List of Tables
List of Listings
List of Acronyms
Bibliography

1. Introduction

Since their introduction in Internet Explorer 4 [1], browser extensions have risen to extreme popularity. With roughly 20 million users on addons.mozilla.com, extensions like AdBlock Plus are widely used all over the world. This popularity is not unique to Mozilla Firefox but extends to all other browsers with a considerable market share. There is not a single widely used browser without an extension system. Most notably, Google Chrome, currently leading the global browser usage statistics [2], features a wide range of extensions in its associated Chrome Web Store, some of them amassing over 10 million active users. Many browser additions may not even be recognized as extensions by users. For example, depending on the browser, themes as well as additional languages may just be extensions in disguise.

Their ubiquitous use, however, does not exclusively lead to benefits. Extensions have always been the source of many browser stability and security issues. While their functionality may attract users, attackers are equally attracted to the privileges they require to work properly. In contrast to websites, hijacked extensions can be used to access internal browser Application Programming Interfaces (APIs) and potentially even execute code on the victim's host system. Both options can be highly restricted through permission systems or other mitigations, but an attacker may still be able to access multiple domains and, hence, multiply the impact of a regular web attack. As severe as these attacks may be, vendors can only indirectly influence them since many extensions actually need this access. Furthermore, few extensions are written by professionals, leading to a situation where security best practices may not be followed at all times. The sheer number of extensions further aids adversaries in finding viable targets for an attack. Thus, vulnerabilities are more likely to be found in extensions than in the browser core itself, as the latter is subject to a full development process including security reviews. This, in turn, leads to a situation where a user's extensions are the easiest possible target for an adversary attempting to do harm.

Attacks on extensions have therefore always been subject to both academic and non-academic research. Finding and documenting attack techniques does not only help create awareness but also leads to fixes from authors of vulnerable extensions and better mitigations from browser vendors. Browser vendors are in an especially tough spot: Each major change to the underlying extension system requires most authors to update their extensions – an endeavor which can take multiple years given the number of published extensions. Moreover, the overall security can only be influenced indirectly by enforcing the use of safe APIs and warning developers about potential hazards. Thus, each major change has to be tested very thoughtfully, requiring a good understanding of the threats to such an extension system. External research has, for example, influenced the modernization of Chrome's extension system, leading to the mandatory use of Content Security Policy (CSP).

This thesis describes old and new attacks on extensions of Mozilla Firefox and Google Chrome. Since extension systems are constantly evolving, this thesis re-evaluates old attacks and determines their impact in the presence of modern mitigations. All techniques have been generalized so that they can be adapted to a wide range of possible bugs. In order to show the real-world applicability of the attacks, this thesis contains case studies for most bug classes.

Furthermore, in addition to attacks on extensions, this thesis also examines attacks from extensions. There are two reasons for this: First, estimating the impact of vulnerabilities in less privileged extensions is extremely hard without knowing about the potential dangers of follow-up attacks. Second, using lesser-known extension types may be a viable attack in itself. Luring a victim into installing a language package might be much easier than attempting to make a regular extension look harmless.

A test suite accompanies this thesis. It mainly tests the browser's underlying extension system and can be used.

[1] MSDN. About Browser Extensions. URL: https://msdn.microsoft.com/en-us/library/aa753620(v=vs.85).aspx.
[2] StatCounter. Top 5 Desktop Browsers from Aug 2012 to Sept 2015. Sept. 2015. URL: http://gs.statcounter.com/#browser-ww-monthly-201511-201601.