The security of Mozilla Firefox s Extensions. Kristjan Krips

Similar documents
MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions


Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CIS 4360 Secure Computer Systems XSS

CSCE 813 Internet Security Case Study II: XSS

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web basics: HTTP cookies

Secure Frame Communication in Browsers Review

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

Web Application Security. Philippe Bogaerts

Information Security CS 526 Topic 11

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Looking at the Internet with Google Chrome & Firefox. Scoville Memorial Library Claudia Cayne - September, 2010

Web Security II. Slides from M. Hicks, University of Maryland

Copyright

Robust Defenses for Cross-Site Request Forgery Review

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Client Side Injection on Web Applications

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Lesson 4: Web Browsing

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

P2_L12 Web Security Page 1

Portal Recipient Guide. The Signature Approval Process

Evaluating the Security Risks of Static vs. Dynamic Websites

Expert Reference Series of White Papers. Top 10 Things Every IT Pro Should Know about IE8 on Windows 7

Information Security CS 526 Topic 8

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Application vulnerabilities and defences

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

INTERNET SAFETY IS IMPORTANT

Hacking Intranet Websites from the Outside

NET 311 INFORMATION SECURITY

Web Application Security

Chrome Extension Security Architecture

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

John Coggeshall Copyright 2006, Zend Technologies Inc.

Unique Phishing Attacks (2008 vs in thousands)

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Browser Guide for PeopleSoft

WEB SECURITY: XSS & CSRF

Client-Side XSS Filtering in Firefox

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Welcome to the OWASP TOP 10

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

How to Stay Safe on Public Wi-Fi Networks

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Webomania Solutions Pvt. Ltd. 2017

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Browser Support Internet Explorer

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Web Security Computer Security Peter Reiher December 9, 2014

CSCD 303 Essential Computer Security Fall 2018

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Security Course. WebGoat Lab sessions

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

A Cloud-based Framework for Security Analysis of Browser Extensions

Common Websites Security Issues. Ziv Perry

Configuring User Defined Patterns

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

More attacks on clients: Click-jacking/UI redressing, CSRF

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

CSCD 303 Essential Computer Security Fall 2017

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Founded the web application security lab

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

CS 161 Computer Security

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Getting Started with Firefox 2.0 For Windows 2000/XP Author: Ryan McCalla Revised by Mitchell Ochi

Web 2.0 Attacks Explained

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Getting Started with Internet Explorer 10

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Progress Exchange June, Phoenix, AZ, USA 1

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Web Security: Vulnerabilities & Attacks

Installation & Configuration Guide Enterprise/Unlimited Edition

Browser code isolation

Web Attacks CMSC 414. September 25 & 27, 2017

So Many Ways to Slap a YoHo: Hacking Facebook & YoVille

Password Managers: Attacks and Defenses

Transcription:

The security of Mozilla Firefox s Extensions Kristjan Krips

Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting The attacks could result in: - loss of sensitive information - weakened security

How are the extensions distributed? How could bad extensions be distributed? - by hijacking a public Wi-Fi - by installing a bad extension on a public computer - by using a trusted extension Ways to improve the current security model Conclusion

Introduction Why? - Firefox is popular - it is possible to modify its functionality - the growth of attacks against Firefox - it is easy to write bad extensions - to see how vulnerable the current security model is An extension is a small add-on that enhances the browser with additional functionality

The extension model Extensions work by overlaying the code of Firefox The extension code will be merged into Firefox An extension is usually made from files of content, skin and locale. Extension s functionality is modified by XUL (XML user interface language) and JavaScript files XUL-based applications load the code for their interface from chrome:// URLs.

The basic files of an extension and their fuctionalities

Extensions can access the Gecko engine JavaScript XPConnect XPCOM XPCOM (Cross Platform Component Object Model) - components or reusable cross-platform libraries define: - navigation - window management - managing cookies - bookmarks - security - searching - rendering - etc.

Possible attack vectors Website defacement - it is possible to change the way a web page is being displayed while it is being loaded - even on https pages - this is done by modifying DOM (Document Object Model)

Phishing attacks - phishing is a type of fraud, which tricks users to give away sensitive information - this could be done via directing the user to a fake web site - to achieve this the fake web site has to be identical to the real one - Firefox classifies web pages into three categories: - pages with no identity information - pages with basic identity information - pages with complete identity information - To visualize the categorization it provides a colored button on the left side of the address bar since version 3.0

- The color of the identity button changes depending of the available identity information - It is easy to change the color of the identity button - Another security feature is the padlock icon, which is shown on secure sites. Firefox places the icon on the right side of the status bar. - It is possible to add an identical padlock icon to the status bar

Cross site scripting - Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. - Input rendered in the chrome is a potential XSS injection point - XSS in chrome is privileged code, so there are no same origin policy restrictions -It means that some extensions may have security holes, allowing a web page to inject scripts, which could alter the behavior of another web site

Possible attack objectives Stealing sensitive information - Website defacement can result in loss of usernames and password - For example the function behind a login button could have been changed to send the data to the attacker - A bad extension could collect the usernames and passwords, which are saved in Firefox and send these to the attacker

Weakening the security - There are no security boundaries between extensions - It is possible to write an extension, which alters the behavior of another extension - For example the Sage 1.4.3 extension allowed HTML and JavaScript in the <description> tags of RSS feeds to be executed in the chrome security zone. - a malicious feed was able to change the settings of an extension called NoScript

How are the extensions distributed? Available on https://addons.mozilla.org/en-us/firefox/ Sandbox review system It is easy to install extensions from the sandbox To make an extension public it needs to be reviewed by two editors - Anyone can apply to become an editor - This requirement style won t guarantee that the new editor has the proper knowledge to deal with security issues.

How could bad extensions be distributed? Hijacking a public Wi-Fi - Usually the connection is not encrypted - It is possible to take control of the network - Possible to fake an update - Every time the browser starts it checks for updates - Some extensions have disabled promting the user about the available update - thus no human factor

Installing a bad extension to a public computer - Installing an extension is easy - It doesn t require administrative rights - Infected public computers could gather much sensitive information Using a trusted extension - Trusted extensions that are hosted at Mozilla s official site don t need reviews for updates. - Risk of future updates being unsafe - The developer can write a bad extension and publish it at the official web site

Ways to improve the current security model At the moment the code added by the extensions is fully trusted The extensions shouldn t have the right to modify the content of an https page. - disable all extensions on secure pages - would need a restart - allow trusted or certified extensions - same problem with the restart - making it impossible to modify DOM - advertisements can t be blocked - may lower the popularity of the browser

There is a solution for these problems - Firefox in safe mode - safe mode disables extensions Problems with safe mode - users like to use extensions - switching to safe mode requires a restart - users aren t aware of the vulnerabilities in extensions

Conclusion Current extension model has its flaws - Extensions can be powerful but all of their code is trusted - Website defacement is allowed - It is very easy to spread the extensions - There are no boundaries between extensions The new extension model should - limit extension s rights on secure sites - limit the rights of extensions that are not certified or trusted - create boundaries between extension

Thanks for the attention Questions or comments?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback