LET'S PWN A CHINESE WEB BROWSER!
DISOBEY 2019 — JUHO NURMINEN
DISCLAIMERS
I'm not my employer. My opinions aren't necessarily theirs. They haven't contributed to this
workshop, do not endorse it, and should not be held responsible for any outcomes.
The browsers we're about to look at are literally "made in China". Install and run them at
your own responsibility. They may invade your privacy, they may install other unwanted
software, and they may be difficult to uninstall properly. Using a disposable VM is highly
recommended.
In fact, anything you do in this workshop is at your own responsibility. Even if I tell you to do
so. I don't have permission from any vendors and I Am Not A Lawyer.
Any vulnerabilities you find are yours to keep. I suggest reporting them to the vendor and/or
a CERT of your choice. I can help in finding the right contacts, but it's your call.
YOUR INSTRUCTOR
Web & mobile hacker — Specialist @ 2NS
Browser hacker — several CVEs in
Chrome, Firefox, Safari
Antivirus hacker — Disobey 2018
CHINESE WEB BROWSERS?
THE TARGETS
Platform support and market share (StatCounter Oct 2018)

Browser          URL                                  Windows  macOS  Linux  Android  iOS   In China  Globally
UC Browser       http://www.ucweb.com/        Yes      No     No     Yes      Yes   15.79 %   7.39 %
QQ Browser       https://browser.qq.com/      Yes      Yes    No     Yes      No    11 %      0.27 %
Sogou Explorer   https://ie.sogou.com/         Yes      No     No     Yes      Yes   2.05 %    0.06 %
Maxthon          http://www.maxthon.com/      Yes      Yes    Yes    Yes      Yes   0.56 %    0.05 %
360 Browser      https://browser.360.cn/       Yes      No     No     Yes      Yes   0.17 %    0.03 %
Baidu Browser    https://liulanqi.baidu.com/   Yes      No     No     Yes      Yes   < 0.06 %  < 0.1 %
INSTALLING MAXTHON ON KALI
Additional packages: libcurl3 (conflicts with libcurl4),
libgcrypt11, libssl1.0.0
Running as root:
maxthon --user-data-dir=userdata --no-sandbox
BROWSER ARCHITECTURE
IE LOGICAL COMPONENTS
(X41 Browser Security Whitepaper)
CHROME LOGICAL COMPONENTS
(X41 Browser Security Whitepaper)
CHROME + IE = ???
(yours truly & mspaint)
SECURITY CONCEPTS
COMPARTMENTALIZATION
Web content: Same-Origin Policy & Site Isolation
Extensions: Isolated Worlds & Privilege Separation
OS/Browser: Privilege Separation, Sandboxing &
Hardening
ENCRYPTION
Regular web traffic
External resources in internal UI
Sharing, sync, safe browsing & other APIs
Automatic updates
PORT BANNING
Protects against Inter-Protocol Exploitation
IE: 19, 21, 25, 110, 119, 143, 220, 993
Chrome: 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 37, 42,
43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111,
115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512,
513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587,
601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666,
6667, 6668, 6669, 6697
SAFE BROWSING, SMARTSCREEN & BLACKLISTING
Blacklisting and reputation-based mechanisms protect against malware & phishing
Malicious & compromised websites
Executable and other potentially harmful file types
VULNERABILITIES AND EXPLOITS
ATTACK VECTORS
Web content
Automatic updates
Extensions and built-in extra features
File downloads
Plugins: PDF, Flash, Java, ActiveX?
SOP BYPASSES
Leaky APIs
Universal XSS
Code execution inside renderer sandbox
Accessing privileged APIs via XCS
CROSS-CONTEXT SCRIPTING
XSS in a privileged context
Access to privileged APIs
Additional attack surfaces, pivoting deeper
Often leads to RCE
CONTEXT ISOLATION ISSUES
Missing context isolation
Logic running in wrong contexts
Unsafe cross-context messaging
Overwriting properties on shared objects
Variable clobbering
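The "Unsafe cross-context messaging" item above, and the XCS pivot on the previous slide, as an added example that is not from the slides or from any of the browsers discussed: a hypothetical privileged internal page whose postMessage handler forwards commands to privileged APIs, first with no checks at all and then with origin and command allow-lists plus argument validation. The internal origin, the API names and the messages are all assumptions; event objects are built inline so the code runs under Node without a DOM.

```javascript
// Added example (not from the slides): a hypothetical browser-internal page
// that receives postMessage events and forwards them to privileged APIs.
// Event objects are constructed inline so it runs under Node without a DOM.

// Hypothetical privileged API surface available to the internal page.
const privilegedApi = {
  getBookmarks: () => ['https://example.com/'],
  openDownload: (path) => `opened ${path}`,
  runNativeHelper: (name) => `ran ${name}`, // should never be web-reachable
};

// Vulnerable: no origin check and a dynamic property lookup, so any web page
// that can frame or open this context reaches every function on privilegedApi
// (inherited names such as 'constructor' included). This is the XCS pivot.
function vulnerableHandler(event) {
  const { name, args } = event.data;
  return privilegedApi[name](...args);
}

// Hardened: explicit origin allow-list, explicit command allow-list held in a
// Map (so prototype names like 'constructor' cannot match), and per-command
// argument validation before anything privileged runs.
const TRUSTED_ORIGINS = new Set(['browser://newtab']); // hypothetical origin
const ALLOWED_COMMANDS = new Map([
  ['getBookmarks', () => privilegedApi.getBookmarks()],
  ['openDownload', ([path]) => {
    if (typeof path !== 'string' || !path.startsWith('/downloads/')) {
      throw new Error('invalid path');
    }
    return privilegedApi.openDownload(path);
  }],
]);

function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.name !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  const command = ALLOWED_COMMANDS.get(data.name);
  if (!command) return { ok: false, reason: 'unknown command' };
  try {
    return { ok: true, result: command(Array.isArray(data.args) ? data.args : []) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed message from an ordinary, untrusted web origin.
const hostileEvent = {
  origin: 'https://attacker.example',
  data: { name: 'runNativeHelper', args: ['helper'] },
};
```

The same handler shape applies to chrome.runtime.onMessage and custom native bridges: whatever carries the message, the privileged side must check who sent it and validate what it asks for.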
TOOLS
CHROME DEVTOOLS & F12 DEVELOPER TOOLS
Launch from a menu item or press F12
Great for exploring the JavaScript environment
Debugger is handy, too
PORTSWIGGER'S RENDERING ENGINE HACKABILITY PROBE
https://portswigger-labs.net/hackability/
"Rendering Engine Hackability Probe performs a
variety of tests to discover what the unknown
rendering engine supports."
Helps you quickly spot non-standard APIs
BADSSL.COM & SSLLABS.COM
Badssl.com: contains lots of subdomains that should
trigger an SSL error
SSL labs' client test: lists the ciphers and other
features your SSL client supports
PROCESS EXPLORER, NETSTAT, LSOF...
The usual tools that help you understand a native app
Figure out what processes an app is launching, what
files it's accessing and who it's talking to
Is your browser running a TCP server? It probably
shouldn't
MITM PROXY APPS & PACKET SNIFFERS
Burp Suite, OWASP ZAP, Fiddler, mitmproxy
Wireshark, tcpdump
Pick your poison
LET'S GET HACKING!
Architecture: Chrome with extras glued on top? Custom browser with Blink?
Chrome version?
Custom features: What are there? How are they implemented?
Error messages: origin, exposed APIs, XCS
Browser-internal URI schemes
Restricted URI schemes
Framing settings pages, error messages?
Extensions: Are they supported? WebExtensions or something else? Custom APIs?
APIs exposed to web (Hackability & external object)
Privileged web pages: Extension gallery? Sync and sharing features?