SlideShare a Scribd company logo

[Wroclaw #6] Introduction to desktop browser add-ons

OWASP, profile picture
OWASP

This document discusses browser add-ons such as themes and extensions, the moderation process for extensions, and common vulnerabilities in extensions. The moderation process involves checking metadata, acceptance criteria like functionality and permissions, and static code review. Vulnerabilities discussed include using external scripts, eval() to parse JSON, untrusted data in event handlers, innerHTML, and bugs in third party libraries. The document provides good practices for developers to avoid these vulnerabilities.

Internet
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Introduction to desktop browser add-ons. Explanation the process of moderation. Most frequent attack vectors and good practices for developers. Wojtek Zieliński
Browser add-ons Themes Extensions
Browser themes persona.ini
Browser themes
Browser extensions Html CSS JavaScript
Browser extensions Background script (UI, app state, sync) Content script (context, DOM, r/w, limitations) Popups Options Speed Dials Sidebars ./manifest.json (metadata)
Moderation process 1. Check metadata: summary, description, category, service, support, source code, icons, screenshots, etc. 2. Acceptance criteria: – Must perform as described – Screenshots, description, category – Private information – Remote code execution – Obfuscation 3. Code review
Moderation process / Static code review New and upgrades Redundant files, permission, comments • Code performance • Thieving data • Proposing fix • Bad programming techniques, attacks, malware code • Cooperation Additional testing Automation
Vulnerability in extensions – External scripts (http, m-i-m) – Parsing JSON using eval() – Passing strings to setTimeout() and setInterval() – Inserting untrusted data into Event Handler – Using InnerHTML – Bugs in third party libraries jQuery – A bunch of other XSS attacks
Vulnerability in extensions / External script injection
Vulnerability in extensions / Parse JSON using eval() 1. eval(json string) 2. JSON.parse(json string) 3. eval(JS string) 4. JSON.parse(JS string)
Vulnerability in extensions / Event Handlers
Vulnerability in extensions / innerHTML
Vulnerability in extensions / data-target
Tahnk You!

More Related Content

PDF
[OWASP Poland Day] Web App Security Architectures
OWASP
 
PPTX
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
PPTX
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
PDF
Browser Exploit Framework
n|u - The Open Security Community
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PDF
Finacle - Secure Coding Practices
Infosys Finacle
 
PPTX
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
[OWASP Poland Day] Web App Security Architectures
OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
Browser Exploit Framework
n|u - The Open Security Community
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Finacle - Secure Coding Practices
Infosys Finacle
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 

What's hot (20)

PDF
Javacro 2014 Spring Security 3 Speech
Fernando Redondo Ramírez
 
PPT
Implementing application security using the .net framework
Lalit Kale
 
PPTX
Uniface Web Application Security
Uniface
 
ODP
Introduction to OWASP & Web Application Security
OWASPKerala
 
PPTX
Advanced Client Side Exploitation Using BeEF
1N3
 
PPT
Secure code practices
Hina Rawal
 
PPTX
Cyber ppt
karthik menon
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
PPTX
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
PPTX
[Wroclaw #2] Web Application Security Headers
OWASP
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
PDF
A Scalable Client Authentication & Authorization Service for Container-Based ...
Binu Ramakrishnan
 
PDF
[OWASP Poland Day] A study of Electron security
OWASP
 
PPT
Why You Need A Web Application Firewall
Port80 Software
 
PPTX
Spring Security
Boy Tech
 
PPSX
Scaling-up and Automating Web Application Security Tech Talk
Netsparker
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
PDF
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
PDF
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
PDF
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Javacro 2014 Spring Security 3 Speech
Fernando Redondo Ramírez
 
Implementing application security using the .net framework
Lalit Kale
 
Uniface Web Application Security
Uniface
 
Introduction to OWASP & Web Application Security
OWASPKerala
 
Advanced Client Side Exploitation Using BeEF
1N3
 
Secure code practices
Hina Rawal
 
Cyber ppt
karthik menon
 
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
[Wroclaw #2] Web Application Security Headers
OWASP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
A Scalable Client Authentication & Authorization Service for Container-Based ...
Binu Ramakrishnan
 
[OWASP Poland Day] A study of Electron security
OWASP
 
Why You Need A Web Application Firewall
Port80 Software
 
Spring Security
Boy Tech
 
Scaling-up and Automating Web Application Security Tech Talk
Netsparker
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Ad

Similar to [Wroclaw #6] Introduction to desktop browser add-ons (20)

PPT
Web 2.0 Hacking
blake101
 
PPT
MokE: a tool for Mobile-ok evaluation of Web Content
Yeliz Yesilada
 
PPT
SynapseIndia php web development
Synapseindiappsdevelopment
 
PPTX
Altitude SF 2017: Security at the edge
Fastly
 
ODP
Performance Tune Up for Web Developers
Lenin Ghazi
 
PPTX
Cos 432 web_security
Michael Freyberger
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
PDF
Thug: a new low-interaction honeyclient
Angelo Dell'Aera
 
PDF
Threat_Modelling.pdf
MarlboroAbyad
 
PDF
Internet Explorer 8
David Chou
 
PDF
OORPT Dynamic Analysis
lienhard
 
PPT
Hacking web applications
Adeel Javaid
 
PDF
Securing DevOps through Privileged Access Management
BeyondTrust
 
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
PDF
XCS110_All_Slides.pdf
ssuser01066a
 
PDF
Thick Application Penetration Testing - A Crash Course
NetSPI
 
PPTX
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
Fluturas presentation @ Big Data Conclave
fluturads
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
Web 2.0 Hacking
blake101
 
MokE: a tool for Mobile-ok evaluation of Web Content
Yeliz Yesilada
 
SynapseIndia php web development
Synapseindiappsdevelopment
 
Altitude SF 2017: Security at the edge
Fastly
 
Performance Tune Up for Web Developers
Lenin Ghazi
 
Cos 432 web_security
Michael Freyberger
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Thug: a new low-interaction honeyclient
Angelo Dell'Aera
 
Threat_Modelling.pdf
MarlboroAbyad
 
Internet Explorer 8
David Chou
 
OORPT Dynamic Analysis
lienhard
 
Hacking web applications
Adeel Javaid
 
Securing DevOps through Privileged Access Management
BeyondTrust
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
XCS110_All_Slides.pdf
ssuser01066a
 
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Fluturas presentation @ Big Data Conclave
fluturads
 
Web Security - Introduction v.1.3
Oles Seheda
 
Ad

More from OWASP (20)

PDF
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
PDF
[OPD 2019] Threat modeling at scale
OWASP
 
PDF
[OPD 2019] Life after pentest
OWASP
 
PDF
[OPD 2019] .NET Core Security
OWASP
 
PDF
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PDF
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
PDF
[OPD 2019] Automated Defense with Serverless computing
OWASP
 
PDF
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
PDF
[OPD 2019] Attacking JWT tokens
OWASP
 
PDF
[OPD 2019] Rumpkernels meet fuzzing
OWASP
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
PDF
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
 
PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
PDF
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
PDF
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP
 
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
[OPD 2019] Threat modeling at scale
OWASP
 
[OPD 2019] Life after pentest
OWASP
 
[OPD 2019] .NET Core Security
OWASP
 
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
[OPD 2019] Automated Defense with Serverless computing
OWASP
 
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
[OPD 2019] Attacking JWT tokens
OWASP
 
[OPD 2019] Rumpkernels meet fuzzing
OWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP
 

Recently uploaded (20)

PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Internet___Basics___Styled_ presentation
poonam62133
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 

[Wroclaw #6] Introduction to desktop browser add-ons