Logical Vulnerabilities in Web Browsers Xiaoyin Liu Independent Security Researcher Moscow, 18 June 2019 1 About Me • Independent bug bounty hunter • Graduated from University of North Carolina at Chapel Hill, United States • Recognized by Microsoft, Google, Tor Project, Alibaba and more • Areas of interest: Windows applications, web browsers 2 Outline • Two bypasses of a fixed fingerprinting attack in Chrome • Microsoft Edge CSP bypass (CVE-2017-0135) • Brave Browser script blocker bypass (CVE-2018-1000815) • Tor Browser UI language fingerprinting vulnerability • Takeaways 3 Browser Fingerprinting Issues • Fingerprinting is privacy issues • Some browser vendors, like Tor Browser, are more interested in fixing fingerprinting issues than Chrome, Firefox, Edge, etc. • Examples: HSTS super cookie, CSS Visited, etc. 4 Sniffly Attack • Discovered by Yan Zhu in 2015 • Abusing HSTS/301 redirect and CSP to probe user’s browsing history • CVE-2016-1617 5 HTTP Strict Transport Security (HSTS) • A browser security feature that enforces HTTPS for all connections for particular domains • Strict-Transport-Security: max-age=604800 6 Content Security Policy (CSP) • Security feature to mitigate XSS attacks • Content-Security-Policy: script-src 'self' www.google.com; img-src 'self'; default-src 'none’ • CSP is also used to enable other security features, like Upgrade Insecure Requests 7 How Sniffly Works • Attacker embeds an image tag <img src=http://example.com> • Attacker knows that example.com is either a HSTS domain or 301 redirects to HTTPS • If a visitor has never visited http://example.com: https://github.com/diracdeltas/sniffly 8 • If a visitor has visited http://example.com: 9 • If we can time how long it takes to receive the redirect response, we can distinguish if it’s an in-browser redirect or a network redirect • Use CSP to allow http requests but block https requests: • Content-Security-Policy: img-src http://example.com 10 • If the error event is triggered within a threshold (10ms), it’s an internal redirect. Then this URL has been visited before; otherwise, it has not been visited. 11 The Code Snippet of the Patch https://github.com/chromium/chromium/commit/568075bbc5d16239a5cbdeb579a8768f9836f13e 12 • Content-Security-Policy: img-src http://example.com now matches both http://example.com and https://example.com 13 Bypassing the Fix • The code only considers the protocol, not port • Consider this CSP rule: Content-Security-Policy: img-src http://example.com:80 • Does it match https://example.com? 14 • It turns out this CSP matches http://example.com:80 and https://example.com:80 • It doesn’t match https://example.com:443 • So we can exploit Sniffly again! • CVE-2016-5137: https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • CVE-2016-9071: https://bugzilla.mozilla.org/show_bug.cgi?id=1285003 • $1000 bounty 15 Patch https://github.com/chromium/chromium/commit/e6d181417ea462ac221d768c960a21018266a4a8 16 Change in CSP Specification https://github.com/w3c/webappsec-csp/commit/22d08b990290e49f5a666fad08de16d75bb369e7 17 Second Bypass • So far both attacks use CSP to block the redirect • Are there other ways to achieve the same? • Use Fetch API 18 Fetch API 19 Fetch API 20 Fetch API • Reported in 2016. Not updated for more than 2 years. • Silently fixed in 2018. • In current Chrome, “no-cors” can’t be used together with “manual” redirect 21 Microsoft Edge CSP Bypass Vulnerability 22 CVE-2017-0135 • Inspired by paper “Abusing Internet Explorer 8's XSS Filters”, written by Eduardo Vela Nava and David Lindsay • How IE XSS Filter works: it checks if any URL parameter seems to be a XSS payload and then checks if the parameter is contained in HTML response • http://example.com/index.php?id=<script>alert(1)</script> • If HTML body contains <script>alert(1)</script>, then it’s changed to <sc#ipt>alert(1)</script> 23 CVE-2017-0135 • What if it’s not a reflected XSS, but an expected JS code • E.g. example.com/index.php?<script src="jquery.js"></script> • <sc#ipt src="jquery.js"></script> • Then jquery.js won’t load • Seems harmless? 24 CVE-2017-0135 • Abuse XSS Filter to disable CSP • <meta http-equiv="Content-Security-Policy" content=“script-src ‘self’"> • example.com/xss.html?<meta http-equiv=”Content-Security- Policy” content=”script-src ‘self’”> 25 CVE-2017-0135 26 CVE-2017-0135 27 CVE-2017-0135 • Reported on December 2, 2016. Fixed on March 14, 2017. • Bounty: $1500 • Microsoft removed XSS Filter in Edge in October 2018 Update 28 Brave Browser Script Blocker Bypass Vulnerability 29 Brave Browser • Brave Browser is a free and open sourced browser. • Brave Browser used to be based on Muon, which was based on Electron. It moved to a Chromium-based browser in late 2018. • Brave Browser has built-in HTTPS Everywhere and JavaScript blocker. 30 Brave Browser Script Blocker Bypass • This vulnerability existed in the old Muon-based codebase. • This bypass abuses the fact that only external scripts are blocked, and inline scripts are not blocked. • Inspired by Tor Browser’s NoScript bypass vulnerability (CVE-2018- 16983) • Discovered in September 2018 by David Albert and me independently, and fixed in October 2018. • CVE-2018-1000815 • Bounty: $1000 31 Brave Browser Script Blocker Bypass 32 Brave Browser Script Blocker Bypass 33 Brave Browser Script Blocker Bypass 34 Tor Browser UI Language Fingerprinting Vulnerability 35 Tor Browser • Tor Browser takes privacy and security very seriously • Tor Browser hides user’s IP address and tries to mitigate as many fingerprinting attacks as possible • E.g. Time zones, UI language, local ports shouldn’t be discoverable by websites 36 Tor Browser UI Language Detection Vulnerability • When you open a non-English Tor Browser and visit any website for the first time, it asks if you want websites to know your UI language. 37 Tor Browser UI Language Detection Vulnerability • Even if you choose “don’t send”, your UI language is still detectable • The trick is to use “button” with default text: <input type="submit"> • Different languages have different default text • They have different width, which can be detected in JavaScript: getComputedStyle(button_element, null).getPropertyValue("width"); 38 Tor Browser UI Language Detection Vulnerability 39 Tor Browser UI Language Detection Vulnerability • Reported in October 2017 and fixed in August 2018. • https://hackerone.com/reports/282748 (already disclosed) • CVE-2019-12383 • Bounty: $200 40 Bypass of the First Fix • The FTP directory UI is localized in Tor Browser • If ftp://example.com/poc/poc.html frames ftp://example.com/poc/, poc.html can read entire HTML source of ftp://example.com/poc/. 41 Bypass of the First Fix 42 Bypass of the First Fix • Reported in May 2019. Not fixed yet. • https://trac.torproject.org/projects/tor/ticket/30427 • Bounty: $300 43 Conclusion 44 Takeaways • Reading other researchers' bug reports, papers, and the patches really help you find new vulnerabilities. • Looking for corner cases that developers may neglect to handle correctly (e.g. explicit port, inline scripts, etc). • Security feature bypass is an interesting attack surface to explore. 45 References • https://chromium.googlesource.com/chromium/src/+/master/do cs/security/faq.md • https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf • https://bugs.chromium.org/p/chromium/issues/detail?id=544765 • https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • https://fetch.spec.whatwg.org/ • http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf • https://blogs.windows.com/windowsexperience/2018/07/25/ann ouncing-windows-10-insider-preview-build-17723-and-build-18204/ 46 References • https://twitter.com/Zerodium/status/1039127214602641409 • https://github.com/brave/browser-laptop/issues/15232 47 Q & A • Thank you for your listening! 48 .