Breaking Microsoft Edge Extensions Security Policies
Formal Metadata
Title | Breaking Microsoft Edge Extensions Security Policies
Number of Parts | 254
Author | Nikhil Mittal
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/53086 (DOI)
Transcript: English (auto-generated)
00:21
He's a security consultant at Payatu Software Labs, and he loves finding security flaws in the Microsoft Edge browser. And incidentally, this is the topic for this next talk. So please give a big round of applause to Nikhil Mittal.
00:46
So welcome to the talk, Breaking Microsoft Edge Extension Security Policies. My name is Nikhil. I work at Payatu Labs, and I'm into web and browser vulnerability research. So to start with this presentation,
01:01
I would like to know how many of you use browser extensions in general? Like, oh, nice. So many of us. Okay, so a browser extension is something that extends the functionality of web browsers. We have typical examples like Adblock Plus, which I think most people use
01:22
to block the ads on certain sites like YouTube, and Grammarly and some sort of password managers as well. So these extensions are capable of managing most of your data because they can handle the cookies, bookmarks, storage, passwords, history, and whatnot.
01:43
So that being said, we all have to agree on a point that these extensions are powerful because they can deal with your cookies, bookmarks, and other sensitive information in the browsers. So here's how a simple Adblock Plus extension
02:02
looks like on Microsoft Edge, which is pretty much doing its job. Now, have you ever tried to figure out what this extension is capable of doing in your browser? Oh, nice. So if you look at the settings, here we have a couple of permissions,
02:22
which I've listed down on the next slide. So a simple Adblock Plus extension can read and change content on websites that you visit. It can read and change your favorites. It can see the websites you visit. It can read and change anything you send or receive. And it can also store personal browsing data
02:42
on your browser. And it can also display notifications as well. So there are so many things a simple Adblock Plus extension is able to do in your browser. So you might ask, how do browsers recognize these permissions? An extension is able to do so many things in my browser,
03:04
but how does the browser recognize that? Where are these permissions coming from? So here's the permission model in browser extensions. So under the source of every extension, we have a file called manifest.json.
03:22
And inside the manifest.json file, we have a permissions array. So here's a quick example of a permissions array where we have some permissions. So the first one is https://www.google.com, which we'll see right after this slide.
03:40
The next permissions we have are bookmarks and cookies, history, storage, and tabs. So let's suppose an extension has the bookmarks and cookies permissions. So that means that extension can handle your bookmarks: it can manipulate them, it can edit them, it can remove them, and whatnot.
04:00
So the same goes with the cookies and history as well, and there are other important permissions available for the browsers as well. So apart from these permissions, the most interesting permission that I was looking for is the host access permissions.
04:21
So a host access permission is something that defines on which certain domains your browser extension should be able to run. So in this case, let's suppose we have assigned permissions to http://www.google.com. So that means this extension should be able to run on google.com only, not even on the subdomains,
04:42
that is developer.google.com or mail.google.com. So this you can also verify by the tiny box that says this is allowed to read and change content on some sites, www.google.com. Now, the second permission we could have here
05:01
is http://*.google.com. So basically this also covers the subdomains as well. And the third possible permission we can have is *://*.google.com. So basically this says now I'll work not only on google.com, but basically on all the protocols
05:22
as well, which is http, https, might be ftp, that belong to the particular domain. So apart from these three permissions, we have another permission in the row, which is all_urls. This permission is so special because once a browser extension
05:40
is assigned the all_urls permission, it can execute JavaScript code on every domain that you visit. So let's suppose you are on google.com or maybe you're on bing.com or anything else, it will work on most probably every domain. But there are a few restrictions
06:02
with the all_urls permission, that is, it cannot run on privileged pages. So a privileged page in a browser is something that contains some sort of sensitive settings and your browser data. So you might have heard of chrome://settings,
06:21
which contains the password manager for Chrome, and also you can find the credit card and debit card information on chrome://settings as well. So you can imagine a situation: once the extension is able to run JavaScript code on the Chrome settings page, then it can probably read
06:40
or it can steal all of your passwords and credit and debit card information as well. So on Edge, we have a similar page, which is about:flags. So here you can see once an extension with the all_urls permission is assigned, it can read and change content on websites you visit
07:02
as per Edge. So here's a quick snap of about:flags in Edge. And so if you look at the first part, you will figure out there are a few important permissions, like you can enable Adobe Flash Player, you can also enable developer features,
07:21
and also you can enable and disable allow unrestricted memory consumption for the web pages as well. And it also has some standards preview features, like you can enable or disable some experimental JavaScript features as well. So now you can imagine the sensitivity this page contains, okay.
07:41
So let's quickly build an extension that will break most of the things in Edge. So as I said, every extension has a manifest.json file, which has all the permissions and other configurations. The second file that we will be needing is popup.html.
08:01
So popup.html is nothing but just an interface for the browser extension. So basically, you might have noticed, as soon as you click on any browser extension, a popup appears on your window that contains some sort of functions; that is nothing but just a popup.html file. And then again, we have a popup.js,
08:22
which has all the JavaScript code that executes according to the actions chosen in the popup.html. So this is how our extension should have looked on Edge. So you can see a tiny Microsoft logo, and as soon as you click on it,
08:42
a popup will appear which says, I am the evil extension, and I have two options. The first one is open, the second one is execute. So as soon as you click on the open button, what it does is it will load google.com in the browser, and as soon as you click on the execute button, it will just alert(1) for you.
09:02
So basically, the interface is written in popup.html, and again, as soon as you click on execute, the work is done by popup.js. So let's quickly look at the source code for the manifest.json file. The thing to notice here is that you can figure out the permissions,
09:22
the permissions array on line number 10, which is set to http://www.google.com. That means it's clear that this extension should be able to run on google.com only. I mean, not even on the subdomains. So here's the source code for the popup.html,
09:42
which is just a simple HTML file that has two buttons. The first one is open, the second one is execute, and it has popup.js at the end. So here we have the popup.js, in a very brief manner. What it does is, as soon as you click on the open button,
10:01
it loads google.com, and as soon as you click on the execute button, it alerts document.domain for you. So there are so many APIs available for the browser extensions that you can use, like the history API and some sort of proxy API,
10:22
the tabs API, but for me, this tabs API was so interesting because it allows you to play with different tabs, like it has some methods inside, like tabs.create. So what it does is it allows you to create a new tab
10:41
with any arbitrary domain, and it also has tabs.update, and what it does is it allows you to update the page with the next URI, and tabs.duplicate is also important because it allows you to make an exact replica of an already opened tab. The next method is tabs.executeScript,
11:03
so this is pretty simple, this allows you to execute JavaScript code, and tabs.hide and tabs.reload, which are pretty easy. And there are so many other methods as well. So out of them, the most interesting ones for me were create and update and also the duplicate method.
11:24
So let's say you want to load bing.com in a new tab using a browser extension. So you can just write these five lines of code that call browser.tabs.create,
11:41
and then it passes a URL, which is https://www.google.com. So this is as per the documentation, and this is for the good boys, not for us. So as an evil mind, I was interested to know, what would happen if I tried to load local files instead of a normal domain?
12:04
So then, I replaced the Bing URL with a particular local file URI to try to figure out how the browser will treat it. Will it open it or not? So the next moment, Edge gives me this nice error, like, okay, I can't reach this page,
12:22
and make sure you have got the right web address, that is ms-browser-extension, and then the path for the extension, and it appends the file URL path at the end. So basically, it assumes that this is a relative path, and I'm going to add it to the extension path, and I'm going to try, and I'm going to open it.
12:42
So since that particular path doesn't exist, it gives us an error. So this is not a thing with the extension only, but this is in general. Like, any of the browsers, they don't allow you to load local files at any cost because this might lead to an issue
13:02
of stealing your local system's files. So you can see the image in the Edge and Chrome browsers. So here, I'm trying to load local files using JavaScript. So every time it says, okay, we are not allowed to do that because we care about our users, and we will protect them.
13:23
So since we figured out this browser.tabs.create method was not working for us, the next method that I was looking for was update. So I tried the same thing with the update method, and somehow it worked for me.
13:40
So next, once I figured out, okay, now I can load the local files, now I want to load the privileged pages because they are also interesting for me, and it was also working fine for me at the moment. So here you can see, as soon as you click on the open button, the browser loads a local file for me
14:01
and also a privileged page on Edge. So I reported this bug to Microsoft, and they quickly responded back to me, saying we don't support the download API, so even if you load the local files, you have no way to steal them, like you literally cannot do anything
14:20
by loading the local files, and we are not going to fix it. So I said, okay, let's do it another way. So the next moment the idea that came to my mind was to use the JavaScript URI. The JavaScript URI is something that starts with the javascript: protocol. It has a particular syntax,
14:40
like first javascript, and then a colon, and then the JavaScript code. Here we have a simple example: as soon as the <a href="javascript:alert(1)"> gets rendered in the browser, and you click on the test, a JavaScript alert will pop up in your browser. So the good thing about the JavaScript URI
15:01
is that they execute in the main domain's reference, unlike the data URIs. So you can look in the image, we have a JavaScript URI and a data URI as well, that point to alert(document.domain), and the JavaScript URI says, I'm on html.squarefree.com, while the data URI says the null domain.
15:23
So basically, the data URIs were supposed to execute in the main domain's reference a couple of years back, but then it created a lot of mess with the browsers, so browser vendors decided to execute them in the null domain's reference, just to make it safe.
15:40
So at this point of time, I decided, okay, JavaScript URIs are like the best candidate for us, so why not try it? So I tried the same JavaScript URI with browser.tabs.create, and again, it didn't work for me.
16:04
But again, we have a friend called the update method, and I tried the same thing with a JavaScript URI passed to browser.tabs.update, which again calls javascript:alert(document.domain), and it worked for me this time. So you can figure out from this picture,
16:22
this extension should only have been able to run on google.com, and now we are on bing.com, and if you click on the open button, we have JavaScript code execution on bing.com. Like, this is how bad it was, because that's a total violation of the privacy, because the user believes that this extension
16:42
shouldn't be able to run on any other domain except google.com. So this was again reported to Microsoft, saying, okay, so the last time I reported, like, I'm able to load the local files, but you said you're not going to fix it, and now we have JavaScript code execution as well.
17:02
So then again they said, okay, like, we got your concern, we understand what you're trying to say, but can you also alert the user's cookies as well? Like, is it possible to steal the user's cookies? Then I said, okay, why not? So instead of document.domain,
17:20
you can just use document.cookie to pop up the user's cookies as well. So since we have a host access permission bypass on Edge, we can steal Google emails, even Facebook data or anything like that. So to demonstrate this attack,
17:41
let's suppose we have a simple Google email which says, I'm a secret email and I have some coupon code for $1000 cash back, and there we have some random coupon code. So to demonstrate this attack, you can see I'm using browser.tabs.update that points to a certain JavaScript URI,
18:01
and what it does is it fetches the particular email with a particular ID and opens a new tab and sends it to leak.html. And further, what leak.html does is it copies the value from location.hash and writes it onto the page.
18:22
So as soon as you click on the open button, if you're on mail.google.com, it will steal the particular email and display it back on the attacker's domain. So this is how I was able to steal the Google emails. So this proof of concept was sent to Microsoft, and the same thing with the local files as well.
18:43
I thought, okay, now it's working for the domain. Now what if we try the same thing with the local files as well? So yeah, in this case, it worked as well. So if you remember, in the past we were able to load local files, but Microsoft said, okay, we are not going to fix it
19:02
because we don't support the download API, and now we have JavaScript code execution on local files as well, so we can chain both of these bugs to steal the local files as well. So that's a simple proof of concept. So at first, what we are doing is browser.tabs.update that points to a file URI,
19:23
and again, browser.tabs.update that points to a JavaScript URI. So Microsoft was like, okay, now we have to fix it. But what is next? So, so far, we have JavaScript code execution on local files.
19:41
We also have a host access permission bypass. Now what is next? So the next thing that came to my mind is always the privileged pages, as I already explained the sensitivity of the privileged pages. So the next moment, I was so excited that this will work on the privileged pages as well.
20:02
So again, I wrote these five lines of code and tried to execute them in reference to about:flags. And surprisingly, it wasn't working for me, and I was so surprised why this is not working, and shaking my head, like, what is wrong?
20:20
So the next moment, I was trying to figure out what is wrong with this implementation, like, why it is not working. Maybe there are some errors in the console, so I tried to open the developer console to figure out the possible errors, but you can see there are no such errors at all. So the reason for that is most of the pages,
20:41
like the sensitive pages in browsers like Chrome, Firefox, and even on Edge, are protected with a CSP to make sure there shouldn't be any JavaScript code execution, but we cannot see any CSP errors here either, which was pretty strange for me. So then again, I asked myself, like, why is this black magic not working on privileged pages?
21:02
Even when we don't have the CSP error, maybe this time, Edge is playing smart, or do we have any other way to load about:flags in Edge? Then the next idea that came to my mind was to use the res: protocol.
21:21
So the res: protocol is something that is used to fetch some sort of resources from a module. So instead of about:flags, we can call res://edgehtml.dll/flags.htm. And the next moment, it worked.
21:47
So this way, we now have JavaScript code execution on privileged pages as well, which is pretty bad. So once you have JavaScript code execution on privileged pages, you can enable
22:01
and disable Adobe Flash Player. And there are other methods, other possible options which we have already discussed, that can also be possible with the same thing. So again, what we need to do is to call browser.tabs.update that points to res://edgehtml.dll/flags.htm.
22:22
And again, some sort of JavaScript URI to fetch, getElementById, and then click on it so it will toggle the Adobe Flash Player setting on Edge. Again, what is next? So this was pretty enough for me,
22:42
but again, I was trying to figure out if we can do something else as well. And then I started with the reading mode. So the reading mode is a feature implemented in Edge which renders a page in a way that is kind of pretty easy to read. So in this process, Edge makes sure
23:01
that there shouldn't be any JavaScript code execution on the page. The main purpose of reading mode is to provide a simplified page to the users. So basically, there should not be any advertisement or something like that. So for that reason, browser vendors make sure there shouldn't be any JavaScript code
23:22
execution in reading mode. And there was one bug with the reading mode as well. Like, you cannot put any document in the reader mode until or unless the browser has identified it completely. But you can prepend the read: protocol
23:42
and then the URL that points to some sort of domain, and then Edge will load the particular resources in the reading mode as well. So fortunately, I tried the same attack on the reading mode as well, but since the reading mode was protected with a certain CSP,
24:01
you can see the CSP error which says we do not allow inline script and it will be blocked by Edge. So reading mode was kind of safe, at least for the test cases. But in some certain test cases, it worked for me, but I was not able to reproduce it further,
24:21
so that's why I marked it as safe. The other possible feature we can have is JavaScript code execution on other extension pages. Like again, you can imagine a situation when one extension is able to disable another extension in the browser, like how bad it will be.
24:43
So again, now we are on an internal page that belongs to Adblock Plus, and if we try to run our extension on this page, then again, we have CSP violation issues. So yeah, that was safe. The next thing was some CSP privilege issues
25:02
because the host permission will not work if there is any CSP error. So next, I tried to figure out if we can use the executeScript API to figure out how they deal with the CSP. So let's assume we have a page where the CSP is implemented properly
25:21
and we have a host permission for the same. So you can see the code where we are setting the Content-Security-Policy, which is set to default-src 'self', and we are using browser.tabs.executeScript which takes code,
25:41
and then where we have to pass the JavaScript code, which is a simple alert(document.domain). So the way extensions deal with the CSP is that most of the browsers will allow JavaScript from any extension unless it tries to change
26:02
the DOM tree of the particular document. So let's suppose we have the first example right here. In this case, as I said, let's assume we are on a page which has a perfect CSP in place like this, and we try to change the DOM for the particular page.
26:24
So the possible ways we have are either we can use document.write or we can use document.body.innerHTML and then certain JavaScript code. And then another possible way we have is to generate a random element and then write inside it.
26:42
So all these ways to manipulate a particular DOM tree on a CSP protected page were not allowed by most of the browsers like Firefox and Chrome, but it was not protected in the case of Edge. Like the executeScript API is straightforward:
27:00
it executes any JavaScript code on any domain, whether you try to change the DOM on a CSP protected page or not, like it doesn't matter for it. So to conclude this presentation, Edge extensions are still in development.
27:22
Most of the APIs are not supported till now, because Edge has moved to the new Chromium-based browser as well. So I'm not sure whether they are still developing the extensions API or not, but activeTab is one of the interesting permissions to work on
27:41
because it allows you to execute JavaScript code on the current domain. So if you are able to perform the same sort of attack with the activeTab API as well, pretty much you can have all that I presented here as well. So Microsoft finally decided to fix this bug
28:01
in the March 19 update with the highest possible boundary they have, with CVE-2019-0678. Yeah, that's it, that's just. So thank you Nikhil for an interesting talk.
28:21
If you have questions about the talk, we have three microphones, one, two, and three, in each one of the aisles. If you have a question please come up to the microphone. We'll start from microphone number three. Hi, hi, and thank you for the interesting talk. I have one question. Is this bug or is this API also relevant
28:42
for the new Edge coming in January based on the Chromium engine? No, I guess. So the APIs are the same, but since the new Edge is running on Chrome, it will not support this API
29:00
because they use some other calling conventions, I guess, I believe. Okay. Does that answer your question? Yeah, but I have a second one. Yeah, go for it. Okay, the second one is you tried to open the pages via the res: protocol, but the functionality
29:23
of those pages, is it also handled by Edge while opening it through the res: protocol, not the about: protocol? Yes, I guess. Okay, we are also working. Yeah. Okay, thank you. Any more questions from the crowd or from the internet?
29:44
Okay then, another round of applause for Nikhil for a great talk. Thank you.