0x00 Background
Well, Long Short asked me to write an article on browser security, so here I am. Please don't flame me; my skills are rubbish.
This article draws on the KCon and HITCON slides.
0x01 Introduction
How big the browser security battlefield is depends on how many features the browser has: the more features, the more attack surface. Buffer overflows and the like are flashy and cool; we won't look at them here.
By features I mean things added for the user's experience, such as history, browser plug-ins, debuggers and so on, plus the problems those features cause: CSS spoofing, high-privilege DOM, and the various protocols handled in the address bar.
0x02 How to learn
To be honest, browser security is quite a niche topic. Don't expect many people to write books about it; I can only drop a few links:
http://code.google.com/p/browsersec/
http://www.unicode.org/reports/tr36/
http://ha.ckers.org/weird/
http://kotowicz.net/absolute/
Mostly it comes down to your own imagination. As long as you can look at anything, even a sheet of paper, and connect it back to XSS, you will have no trouble.
0x03 Basics
Attack surface: the browser itself
Dangerous DOM operations, e.g. the IE page spoofing vulnerability
CSS spoofing, e.g. disguising the status bar through CSS
Address bar protocol handling, e.g. the Safari location contamination vulnerability: http://www.bkjia.com/Article/201302/189416.html
Attack surface: extended functions
Plug-in security, e.g. the Maxthon browser local-zone breakout (browser plug-in risk)
History, e.g. Cheetah browser stored XSS (local-zone privileges)
Other extended functions ....................
Vulnerability exploitation: command execution
Privileged API: 360 Security Browser remote code execution vulnerability
Buffer overflow: not covered here; see http://www.bkjia.com/Article/201308/238149.html
Information probing:
Probing history
Local files
0x04 milk sugar found
What a browser essentially does is make it easier for users to browse web pages, so our attack code ultimately lives inside a web page. To attack a browser, we need to look at how the browser handles our code. Firefox's Firebug once had a browser command execution vulnerability: Firebug did not strictly filter the web page content it extracted, so the page's code ended up executing in a privileged zone, where it could call privileged APIs.
Such as: Chrome
First, let's pick a breakthrough point. We'll focus on a Google plug-in.
Having chosen a plug-in, we find that it extracts web page content.
The plug-in extracts the title and URL to construct a page.
POC:
"><iframe src=http://drops.wooyun.org></iframe><
Google was aware of plug-in security issues and took countermeasures, so it is hard to execute JS in this privileged zone. This is just an example to illustrate the harm that can come from a browser processing web page content.
Another example: problems caused by history records.
Such as: 360 browser
Enter the URL
http://hao.360.cn/#"><script>alert(document.domain);</script>
then view the history.
It also captures web page content, and there are many other security problems, e.g. in the debugger.
I am still using that one, so I won't talk about it.
0x05 sugar and amber
To find vulnerabilities, pay attention to every point in the browser.
General command execution method
Determine the privileged domain --> find an XSS in the privileged domain --> look at the callable APIs --> write the exploit --> attack
Let's walk through this process.
For example, say we want to attack the Maxthon browser.
Confirm the privileged domain
This is Maxthon's privileged zone. First, let's determine how it crawls web pages.
Click the plus sign and we can see this: it extracts the titles of frequently visited pages.
Assume it does not filter the title. We construct a web page
POC:
<title><script>alert(document.domain);</script></title>
Now let's take a quick look at which high-privilege APIs can be called.
By reviewing these APIs, we can pick out high-privilege ones to use for the attack.
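The root cause behind every case above (the Chrome plug-in building a page from title and URL, the 360 history entry, the Maxthon new-tab title) is the same: a privileged page concatenates page-controlled strings into its own DOM. The example below is added here and is not code from the original post or from any of the browsers discussed; the function names, the "history entry" shape and the sample entries are assumptions constructed for illustration. It shows the vulnerable rendering beside a hardened form (HTML-escape every insertion and allow only http/https in href, since a `javascript:` URL needs no HTML characters at all), plus a crude check a reviewer can run over rendered markup. It runs under Node without a DOM because it only builds the markup strings.

```javascript
// Added example (not from the original post): rendering untrusted title/URL
// pairs into a privileged page, vulnerable form vs. hardened form.

// Constructed sample "history" entries (assumption: {title, url} objects),
// modelled on the payloads discussed in the post.
const SAMPLE_ENTRIES = [
  { title: 'drops', url: 'http://drops.wooyun.org/' },
  // title breaks out of the template (Chrome plug-in case)
  { title: '"><iframe src=http://drops.wooyun.org></iframe><', url: 'http://example.test/' },
  // title carries a script (Maxthon new-tab case)
  { title: '<script>alert(document.domain);</script>', url: 'http://example.test/' },
  // URL fragment breaks out of the href attribute (360 history case)
  { title: 'hao360', url: 'http://hao.360.cn/#"><script>alert(document.domain);</script>' },
  // no HTML characters at all, but the scheme itself runs script in the privileged page
  { title: 'innocent', url: 'javascript:alert(document.domain)' },
];

// VULNERABLE: page-controlled strings concatenated straight into privileged markup.
function renderEntryUnsafe(entry) {
  return '<a href="' + entry.url + '">' + entry.title + '</a>';
}

// Escape the five characters that matter in text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Allow only navigable web schemes; javascript:, data:, file:, chrome: etc. all fall through to '#'.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // unparsable URL: treat as untrusted
  }
  return '#';
}

// HARDENED: scheme allow-list for the href, HTML escaping for every insertion.
function renderEntrySafe(entry) {
  return '<a href="' + escapeHtml(safeHref(entry.url)) + '">' + escapeHtml(entry.title) + '</a>';
}

// Crude reviewer check over rendered markup: the template should contribute
// exactly two tag openers (<a and </a) and no javascript: href.
function looksInjected(html) {
  const tagCount = (html.match(/<[a-zA-Z\/]/g) || []).length;
  const badScheme = /href="\s*javascript:/i.test(html);
  return tagCount !== 2 || badScheme;
}

// Stand-alone demo: compare both renderings for every constructed entry.
for (const entry of SAMPLE_ENTRIES) {
  console.log('unsafe injected=' + looksInjected(renderEntryUnsafe(entry)) + '  ' + renderEntryUnsafe(entry));
  console.log('safe   injected=' + looksInjected(renderEntrySafe(entry)) + '  ' + renderEntrySafe(entry));
}
```

In a real extension page the hardened form would go one step further and build the anchor with `document.createElement` and `textContent` instead of any HTML string, and an extension content security policy that forbids inline script blocks the `<script>` payloads outright; the string version above is kept so the comparison runs anywhere.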
0x06 Vulnerabilities?
CVE-2002-0189
CVE-2002-1187
CVE-2002-1688
CVE-2003-1328 (MS03-004)
CVE-2005-0054 (MS05-014)
CVE-2006-3643 (MS06-044)
0x07 End
Well.... There are actually still some important points; let's leave them for the second article. I'm so tired that I'm going to bed. I just want to die another day.