Browser security (I)

Source: Internet
Author: User

0x00 Background

Well, long short asked me to write an article on browser security, so here I am. Please go easy on me; my skills are rubbish.

This article draws on KCon and HITCON slide decks.

 

0x01 Introduction

Browser security is a question of how big the battlefield is: the more features a browser has, the more attack surface it exposes. Buffer overflows and the like are far too fancy for this article, so we won't look at them.

What counts as a feature? Things added for user experience, such as history, browser plug-ins, debuggers, and so on; and problems caused by the browser's own behaviour, such as CSS spoofing, DOM running with high privileges, and the various protocols handled in the address bar.

0x02 How to learn

To be honest, browser security is a fairly niche topic. Don't expect many people to have written books about it. I can only drop a few links:

http://code.google.com/p/browsersec/

http://www.unicode.org/reports/tr36/

http://ha.ckers.org/weird/

http://kotowicz.net/absolute/

Mostly it comes down to your own imagination. As long as you can look at a picture of my sister-in-law and still associate it with XSS, you'll be fine.

0x03 Basics

Attack surface: the browser itself

Dangerous DOM operations, e.g. the IE page spoofing vulnerability

CSS spoofing, e.g. disguising the status bar with CSS

Protocols handled in the address bar, e.g. the Safari location contamination vulnerability: http://www.bkjia.com/Article/201302/189416.html

Attack surface: extended functionality

Plug-in security, e.g. Maxthon breaking out of the local zone (browser plug-in risk)

History, e.g. Cheetah browser stored XSS (local zone permissions)

Other extended functionality ....................

Exploitation for command execution:

Privileged API: 360 Secure Browser remote code execution vulnerability

Buffer overflow: not covered here; see http://www.bkjia.com/Article/201308/238149.html

Information probing:

History probing

Local files

0x04 Finding the candy

The whole point of a browser is to make it easier for users to view web pages, so our attack code ultimately lives inside a web page. To attack a browser we need to look at how the browser handles that code. Firefox's Firebug once had a command execution vulnerability: Firebug did not strictly filter web page content when it extracted it, so that content ended up in a privileged zone where it could call privileged APIs and execute code.

Example: Chrome

First, pick a point to break in. We focus on Chrome extensions.

We pick an extension and find that it extracts web page content.

The extension extracts the page title and URL to build its own page.

POC:

"><iframe src=http://drops.wooyun.org></iframe><

Google is aware of the security problems of extensions and has taken measures against them, so it is hard to execute JS in this privileged zone nowadays. This is just an example of the harm that can come from a browser processing web page content.

Next, problems caused by the history feature.

Example: 360 browser

Enter the URL
http://hao.360.cn/#"><script>alert(document.domain);</script>

Then open the history view.

The debugger also captures web page content, and it has plenty of security problems too.

I'm still using that one, so I won't talk about it.

0x05 Candy and amber

To find vulnerabilities, pay attention to every single point in the browser.

General method for getting command execution

Identify the privileged domain --> find an XSS in the privileged domain --> enumerate the callable APIs --> write the exploit --> attack

Let's walk through this process.

For example, suppose we want to attack Maxthon.

Identify the privileged domain

This is Maxthon's privileged zone. First, let's work out how it scrapes web pages.

Click the plus sign and we can see this: it extracts the titles of frequently visited pages.

Assume it does not filter the title. We build a page:

POC:

<title><script>alert(document.domain);</script></title>

Now let's take a quick look at which high-privilege APIs can be called.

By reviewing these APIs, we can pick out the high-privilege ones to use in the attack.
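The Chrome extension, 360 history and Maxthon cases above are all the same bug: a privileged page is built by concatenating a title or URL scraped from an attacker's page straight into HTML. The following is an added example, not code from the original post or from any of those browsers. It models a hypothetical "most visited" page with a vulnerable renderVulnerable() and a hardened renderHardened(); the entry list is constructed sample input carrying the three payloads from the text plus a javascript: URL, and countDangerousTags() is a crude check of whether injected markup survived into the output.

```javascript
// Constructed sample input: what a history/most-visited scraper would hold
// after the victim visited pages controlled by an attacker.
const ENTRIES = [
  { title: 'Normal page', url: 'http://example.com/' },
  // Chrome extension section: break out of a quoted attribute, then inject
  { title: 'x', url: 'http://example.com/"><iframe src=http://drops.wooyun.org></iframe><' },
  // Maxthon section: payload in <title>
  { title: '<script>alert(document.domain);</script>', url: 'http://example.com/' },
  // 360 history section: payload carried in the URL fragment
  { title: 'hao360', url: 'http://hao.360.cn/#"><script>alert(document.domain);</script>' },
  // Not markup at all, but a javascript: href in a privileged page is just as bad
  { title: 'proto', url: 'javascript:alert(1)' },
];

// VULNERABLE (hypothetical): title and url are treated as trusted markup.
function renderVulnerable(entries) {
  return entries
    .map(e => `<li><a href="${e.url}" title="${e.title}">${e.title}</a></li>`)
    .join('\n');
}

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) URLs may become links; anything else (javascript:, data:,
// unparsable strings) is rendered as plain text instead.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // unparsable URL: fall through
  }
  return null;
}

// HARDENED: every attacker-controlled value is escaped for the context it
// lands in, and the href is scheme-checked before it is used at all.
function renderHardened(entries) {
  return entries.map(e => {
    const title = escapeHtml(e.title);
    const href = safeHref(e.url);
    return href
      ? `<li><a href="${escapeHtml(href)}" title="${title}">${title}</a></li>`
      : `<li><span title="${title}">${title}</span></li>`;
  }).join('\n');
}

// Crude detector for the test: count opening <script>/<iframe> tags that
// reached the output unescaped. In a real privileged page each one is an XSS.
function countDangerousTags(html) {
  return (html.match(/<(script|iframe)\b/gi) || []).length;
}

console.log('vulnerable:\n' + renderVulnerable(ENTRIES));
console.log('hardened:\n' + renderHardened(ENTRIES));
```

The scheme check matters because the URL parser already percent-encodes `"`, `<` and `>` in paths and fragments, which hides the injection payloads but does nothing about `javascript:`; escaping alone would leave that link clickable inside the privileged zone.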

0x06 Vulnerabilities?

CVE-2002-0189

CVE-2002-1187

CVE-2002-1688

CVE-2003-1328 (MS03-004)

CVE-2005-0054 (MS05-014)

CVE-2006-3643 (MS06-044)

0x07 The end

Well .... there are actually still some important points; let's cover them in the second article. I'm exhausted and off to bed. I'll die another day.

