Hack the browser extension 🚀 (Auditing web browser extensions for vulnerabilities)



This is my first post of the new year. I actually meant to write it as the last post of December, but I couldn't finish it in time, so it became the first post of the new year instead. Recently I had to research browser extensions a bit more deeply than what I already knew, so while I'm at it I'm writing up the analysis method as a post.

Background knowledge

Background page

The background page is where an extension's main logic runs. An extension does not run inside the web page's DOM: it has its own origin (chrome-extension://<id>) with its own documents, and the background page is an invisible page in that origin that loads the JavaScript files the developer listed in the manifest and keeps running for the lifetime of the extension.

Inside that context the code can call the Browser Extension API (chrome.* / browser.*), limited to the permissions the extension declared and the user granted.

Image source: https://www.slideshare.net/OleksandrZinevych/chrome-extensions-56125231

Policy

Browser extensions carry security policies similar to those of web pages (the same-origin policy, framing restrictions, CSP and so on), although some of them apply differently because of the environment: an extension page lives in its own origin, chrome-extension://<id>, and the background page of an extension with host permissions can request any matching origin without going through CORS. In any case, cross-origin access (host permissions), whether extension pages may be framed (web_accessible_resources) and the CSP (content_security_policy) are all managed in manifest.json, the file that stores the extension's metadata.

Format of extension

It is a ZIP archive. Chrome distributes it as a .crx (a ZIP with a signed header prepended) and Firefox as an .xpi (a plain ZIP); either way, the unpacked files are what you analyze.

Manifest.json

As mentioned above, manifest.json is the file that holds the extension's overall metadata and configuration (much like AndroidManifest.xml for an Android app).

The extension is packaged as a ZIP, and once it is unpacked a manifest.json file sits in the top-level directory. Whether you are developing an extension or analyzing one, everything starts from this file.

Testing

Since the purpose of today's post is the testing method, let me walk through, step by step, the order in which I find it best to analyze an extension.

Download browser extension file and Extract

First, the analysis needs the extension's files (the ZIP), so download or install the extension you want to analyze. For extensions on the store you cannot download the file directly, so install it in the browser and then locate it in the browser's extension directory.

// Chrome
MacOS: ~/Library/Application\ Support/Google/Chrome/Default/Extensions
Linux: ~/.config/google-chrome/Default/Extensions/
Windows: C:\Users\<Your_User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions

The location for each browser comes up easily with a Google search. Here the directory name of each extension is the extension's own ID; on Chrome each ID directory in turn holds a subdirectory named after the installed version (<version>_0) containing the unpacked files.

$ ll ~/Library/Application\ Support/Google/Chrome/Default/Extensions
total 0
drwx------@ 2 hahwul  staff    64B 12 24 00:37 Temp
drwx------@ 3 hahwul  staff    96B  9 29  2019 aapocclcgogkmnckokdopfmhonfmgoek
drwx------@ 3 hahwul  staff    96B  9 29  2019 aohghmighlieiainnegkcijnfilokake
drwx------@ 3 hahwul  staff    96B 11 14 18:39 apdfllckaahabafndbhieahigkjlhalf
drwx------@ 3 hahwul  staff    96B  7 12 00:48 baacjfeencnlcclennchejfnbcplfmbb
drwx------@ 3 hahwul  staff    96B  9 29  2019 blpcfgokakmgnkcojhhkbfbldkacnbeo
drwx------@ 3 hahwul  staff    96B 11 29 16:57 eimadpbcbfnmbkopoojfekhnkhdbieeh
drwx------@ 3 hahwul  staff    96B  9 29  2019 felcaaldnbdncclmgdcncolpebgiejap
drwx------@ 3 hahwul  staff    96B 11 29 16:57 fngmhnnpilhplaeedifhccceomclgfbg
drwx------@ 3 hahwul  staff    96B 11 24 02:03 ghbmnnjooekpmoecnnnilnnbdlolhkhi
drwx------@ 3 hahwul  staff    96B 11  2  2019 nmmhkkegccagdldgiimedpiccmgmieda
drwx------@ 4 hahwul  staff   128B 12 24 00:37 ophjlpahpchlmihnnnihgmmeilfjmjjc
drwx------@ 3 hahwul  staff    96B  7  9 00:53 phbjaiacjbplfmapmlljdoacomhbpfoe
drwx------@ 3 hahwul  staff    96B 11 14 18:39 pjkljhegncpnkpknbcohdijeoejaedia
drwx------@ 3 hahwul  staff    96B 11 24 02:03 pkedcjkdefgpdelpbcmbmeomcjbeemfm

You can check the ID on the extensions page (chrome://extensions, with Developer mode turned on).


Then let's copy it into a working directory for analysis.

$ cp -r ~/Library/Application\ Support/Google/Chrome/Default/Extensions/phbjaiacjbplfmapmlljdoacomhbpfoe .

Struct of browser extension

It varies with the size of the extension, but extensions share a common structure: the configuration file manifest.json, popup.html and popup.js if there is a view part, and the JS files that actually do the background work.

$ ll
total 168
...
-rw-------@  1 hahwul  staff   1.7K  1  2 01:32 manifest.json
-rw-------@  1 hahwul  staff   262B  1  2 01:32 popup.html
-rw-------@  1 hahwul  staff   2.1K  1  2 01:32 popup.js
-rw-------@  1 hahwul  staff   954B  1  2 01:32 setting.html
-rw-------@  1 hahwul  staff   9.8K  1  2 01:32 setting.js
-rw-------@  1 hahwul  staff   9.7K  1  2 01:32 util.js


Analysis manifest.json

The first thing to look at is manifest.json. Besides the extension's overall configuration, it also shows the policy side, so it has to be checked first. The JS files that run in the background page are listed under background, and the extension's permissions are declared under permissions.

{
   "author": "MM3Tools",
   "background": {
      "scripts": [ "util.js", "ProxySwitch.js" ]
   },
   "browser_action": {
      "browser_style": true,
      "default_icon": {
         "16": "img/MM3_16off.png",
         "32": "img/MM3_32off.png"
      },
      "default_popup": "popup.html"
   },
   "commands": {
      "ProxySwitch-1": {
         "description": "1",
         "suggested_key": {
            "default": "Ctrl+Shift+1"
         }
      },
      "ProxySwitch-2": {
         "description": "2",
         "suggested_key": {
            "default": "Ctrl+Shift+2"
         }
      },
      "ProxySwitch-3": {
         "description": "3",
         "suggested_key": {
            "default": "Ctrl+Shift+3"
         }
      },
      "ProxySwitch-4": {
         "description": "4",
         "suggested_key": {
            "default": "Ctrl+Shift+4"
         }
      }
   },
   "default_locale": "en",
   "description": "__MSG_appDescription__",
   "icons": {
      "48": "img/MM3_48.png",
      "96": "img/MM3_96.png"
   },
   "key": "...snip...",
   "manifest_version": 2,
   "name": "MM3-ProxySwitch",
   "options_ui": {
      "open_in_tab": true,
      "page": "setting.html"
   },
   "permissions": [ "storage", "proxy", "browsingData", "http://*/*", "https://*/*" ],
   "short_name": "ProxySwitch",
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "2018.332"
}

Taking the extension above as an example, it has Browser Extension API permissions for extension storage (chrome.storage), proxy control and browsing-data access, and its host permissions cover every http and https origin, so the code in this extension's background page can read, modify or inject into traffic for any page the user visits.

For the meaning of each permission, refer to the link below.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions
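The manifest review described above can be scripted. The following is an added example, not code from the original post or from MM3-ProxySwitch, that audits a manifest object under Node and reports the items the post says to check first: API and host permissions, background code, the CSP of extension pages and web_accessible_resources. The list of "sensitive" permissions and the wording of the findings are this example's own choices; the sample manifest is a trimmed, constructed copy of the one shown above.

```javascript
// Added example: static audit of a browser-extension manifest (MV2 or MV3).
// SENSITIVE_API_PERMISSIONS is this example's own selection, not a list
// defined by any browser.
const SENSITIVE_API_PERMISSIONS = new Set([
  'proxy', 'webRequest', 'webRequestBlocking', 'cookies', 'history',
  'browsingData', 'tabs', 'debugger', 'nativeMessaging', 'management',
  'clipboardRead', 'downloads', 'declarativeNetRequest',
]);

// Match patterns that grant access to every http/https origin.
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Host patterns contain a scheme separator; API permission names never do.
function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

function auditManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;

  // 1. Permissions. MV2 mixes API and host permissions in "permissions";
  //    MV3 moves host patterns to "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const apiPerms = declared.filter((p) => !isHostPattern(p));
  const hostPerms = declared.filter(isHostPattern);
  for (const p of apiPerms) {
    if (SENSITIVE_API_PERMISSIONS.has(p)) findings.push(`sensitive API permission: ${p}`);
  }
  if (hostPerms.some((p) => BROAD_HOST_PATTERNS.has(p))) {
    findings.push(`broad host permissions: ${hostPerms.join(', ')}`);
  }

  // 2. Background code: where the privileged logic lives.
  const bg = manifest.background || {};
  const bgFiles = bg.scripts || (bg.page ? [bg.page] : bg.service_worker ? [bg.service_worker] : []);
  if (bgFiles.length) findings.push(`background code: ${bgFiles.join(', ')}`);

  // 3. CSP of extension pages. When absent, MV2 applies
  //    "script-src 'self'; object-src 'self'". MV3 keeps it under
  //    content_security_policy.extension_pages.
  let csp = manifest.content_security_policy;
  if (csp && typeof csp === 'object') csp = csp.extension_pages;
  if (!csp) {
    findings.push(mv === 2
      ? "CSP: not set, MV2 default applies (script-src 'self'; object-src 'self')"
      : 'CSP: not set, platform default applies');
  } else {
    if (csp.includes("'unsafe-eval'")) findings.push('CSP allows unsafe-eval');
    const scriptSrc = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src'));
    if (scriptSrc && /https?:\/\//.test(scriptSrc)) findings.push(`CSP script-src loads remote code: ${scriptSrc}`);
  }

  // 4. web_accessible_resources. MV2 is a list of glob patterns; MV3 is a
  //    list of {resources, matches} objects. A bare string (as in the post's
  //    "*" example) is accepted here too.
  const war = manifest.web_accessible_resources;
  const exposed = [];
  for (const entry of Array.isArray(war) ? war : war ? [war] : []) {
    if (typeof entry === 'string') exposed.push(entry);
    else if (entry && Array.isArray(entry.resources)) exposed.push(...entry.resources);
  }
  const wildcard = exposed.filter((r) => r.includes('*'));
  if (wildcard.length) findings.push(`web_accessible_resources wildcard: ${wildcard.join(', ')}`);
  const pages = exposed.filter((r) => /\.html$/i.test(r));
  if (pages.length) findings.push(`web_accessible_resources exposes pages (framing/xs-leak): ${pages.join(', ')}`);
  return findings;
}

// Constructed sample: a trimmed copy of the manifest shown in the post.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'MM3-ProxySwitch',
  background: { scripts: ['util.js', 'ProxySwitch.js'] },
  permissions: ['storage', 'proxy', 'browsingData', 'http://*/*', 'https://*/*'],
};

console.log(auditManifest(SAMPLE_MANIFEST).join('\n'));
```

Run it with `node audit.js` after pasting the real manifest.json in place of SAMPLE_MANIFEST; every line it prints is a place to start reading code, not a vulnerability by itself.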

Testing with devtools

Browser extensions run in their own context, separate from the web page. For an ordinary web page you debug and test the DOM and JS directly in DevTools, but extensions work slightly differently.

As shown below, from Options > Extensions > the target extension > Inspect views (chrome://extensions, with Developer mode turned on) you can pick the page you want to analyze and open DevTools on it directly.


With DevTools you can analyze the JS loaded into the background page as well as the view HTML. For example, if you want to look at and try out a specific function from util.js in the extension above, it is already loaded into the background page's context, so you can call it straight from the console; the chrome.* APIs are available there too, with the extension's own permissions.

$ cat util.js
"use strict";function err(ex){if(ex!=null)console.error(ex,ex.message,chrome.runtime.lastError);else console.error(chrome.runtime.lastError);}function myParseInt(value){try{value=value.trim();if(/^(\-|\+)?([0-9]+|Infinity)$/.test(value))return Number(value);}catch(ex){err(ex);}return NaN;}function hostM(host,isProxy){try{let hp={};let i=host.lastIndexOf(':');if(i!=-1){hp.port=host.substring(i+1);let em=null;if(hp.port.length==0)em=chrome.i18n.getMessage('notSpecified');else{let n=myParseInt(hp.port);if(isNaN(n))


This makes analysis a good deal easier 😎

If there are view pages other than popup.html, you can also open them directly (chrome-extension://<id>/setting.html for the extension above) and analyze them there. (When that is possible, it is the most convenient option.)


Testing user input / output (for all the things)

Since an extension is a set of web pages running in the browser, it has the same test points as a regular web page. The difference is that arguments and data are not passed through URL parameters; they are shared and consumed through postMessage, storage (chrome.storage, localStorage) and DOM reads and writes, and those are the main points to test.

For postMessage, I wrote about it in an earlier post, so please refer to that.

In any case, the places where the extension processes and uses data are the focus. What makes this different from an ordinary web test is the background page: as we saw above, the extension declares permissions in its manifest and, once the user has consented, uses them. If JS can be injected inside the extension (through XSS or similar), then unlike a regular XSS the injected code can call the Browser Extension API directly, so the risk grows with the permissions the extension holds.
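One concrete form of the input point described above is a content script that relays window.postMessage from a page into the extension. The following is an added example, not code from the original post or from MM3-ProxySwitch: a forwarding handler with no checks next to a hardened one that verifies origin, source window, message shape and an action allowlist, plus the background-side receiver. The action names, the message shape, the window stand-ins and the `settings` object are this example's own assumptions; the functions are pure so they run under Node, and in a real content script you would call onPageMessage() from window.addEventListener('message', ...) and pass only an accepted result to chrome.runtime.sendMessage().

```javascript
// Added example: validating page -> extension messages (assumed action set).

// Actions a page may request. Each validator returns a normalized payload
// containing only the fields we understand, or null to reject.
const ALLOWED_ACTIONS = {
  getStatus: (payload) => (payload == null ? {} : null),
  setProfile: (payload) =>
    payload && typeof payload === 'object' && Number.isInteger(payload.index)
      && payload.index >= 1 && payload.index <= 4
      ? { index: payload.index }
      : null,
};

// The pattern the post warns about: whatever the page posts is forwarded into
// the privileged side unchanged, so a page-side XSS becomes an extension-side
// primitive.
function onPageMessageUnsafe(event) {
  return { ok: true, message: event.data };
}

// Hardened content-script side: origin, source window, shape, allowlist.
function onPageMessage(event, { expectedOrigin, currentWindow }) {
  if (event.origin !== expectedOrigin) return { ok: false, reason: 'origin' };
  // A message posted from a child frame has a different source window.
  if (event.source !== currentWindow) return { ok: false, reason: 'source' };
  const data = event.data;
  if (!data || typeof data !== 'object') return { ok: false, reason: 'shape' };
  // hasOwnProperty keeps 'constructor', '__proto__' and friends out.
  if (typeof data.action !== 'string'
      || !Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, data.action)) {
    return { ok: false, reason: 'action' };
  }
  const payload = ALLOWED_ACTIONS[data.action](data.payload);
  if (payload === null) return { ok: false, reason: 'payload' };
  // Rebuild the message: only validated fields cross into the extension.
  return { ok: true, message: { action: data.action, payload } };
}

// Hardened background side. `sender` is the MessageSender object the runtime
// supplies; sender.id is the ID of the extension that sent the message, so
// messages from other extensions are rejected. `settings` stands in for
// chrome.storage so the function runs without a browser.
function handleExtensionMessage(message, sender, ownId, settings) {
  if (!sender || sender.id !== ownId) return { ok: false, reason: 'sender' };
  switch (message && message.action) {
    case 'getStatus':
      return { ok: true, result: { active: settings.active } };
    case 'setProfile':
      if (!Number.isInteger(message.payload && message.payload.index)) {
        return { ok: false, reason: 'payload' };
      }
      settings.active = message.payload.index;
      return { ok: true, result: { active: settings.active } };
    default:
      return { ok: false, reason: 'action' };
  }
}

// Constructed inputs: a stand-in for the content script's window and a
// message a benign page would post.
const PAGE_WINDOW = { name: 'top' };
const BENIGN_EVENT = {
  origin: 'https://app.example',
  source: PAGE_WINDOW,
  data: { action: 'setProfile', payload: { index: 2, extra: 'ignored' } },
};
const ctx = { expectedOrigin: 'https://app.example', currentWindow: PAGE_WINDOW };
console.log(onPageMessage(BENIGN_EVENT, ctx));
```

When you review a real extension, look for the unsafe shape first: a `message` listener that reads event.data and hands it to chrome.runtime.sendMessage, and a background onMessage handler that dispatches on a field from the message without an allowlist.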

Testing with iframe (for xs-leak, clickjacking)

manifest.json has a section called web_accessible_resources. It is the policy for how far web pages may access the extension's files directly. Normally only the resources that need to be exposed are listed, but sometimes it is controlled with a wildcard such as * as below. (Of course, if a sensitive page is among the allowed resources, that is a problem in itself.)

{
  "web_accessible_resources" : [ "*" ]
}

In that case a web page can embed the extension's pages as a frame by using the extension ID as below (the ID is derived from the extension's public key, so for a store extension it is the same on every install).

<iframe src="chrome-extension://phbjaiacjbplfmapmlljdoacomhbpfoe/setting.html"></iframe>

This exposes the extension to clickjacking, and to XS-Leak style attacks as well: a page can load an exposed resource and tell from whether the load succeeds that the extension is installed.

A major weakness

Everything matters, of course, but here are a few points I have picked out.

XSS

Most web vulnerabilities are relevant, but XSS is the one to focus on. Rather than a risk scoped to a single domain on the client side, XSS in an extension can lead to UXSS across sites and to further attacks through the Browser Extension API, which makes it more important here than in a regular web page. (Much like SSRF gained importance in public-cloud environments.)

Bypass CSP

In a browser extension the CSP is declared in the manifest (content_security_policy); when it is absent, MV2 applies a default of script-src 'self'; object-src 'self', which blocks inline scripts. The generally known CSP bypass techniques (external hosts allowed in script-src, 'unsafe-eval', script gadgets in bundled libraries) can get around the policy, and they are a big help in turning an XSS finding into real risk.

Click Jacking

This is likely to show up depending on the web_accessible_resources setting. If the exposed page carries an important function, the attack is easy to pull off. A tool such as Samy Kamkar's Quickjack makes building a PoC a little easier.

Javascript CVE

Being web-based pages, extensions are naturally affected by public vulnerabilities in JavaScript libraries. Since fixing them requires a package update of the extension, they are generally updated more slowly than web pages. Tools such as retire.js make this easy to check.

API server security

The API server the extension talks to is also a major analysis target. Naturally, the usual vulnerabilities can be found there, and because the server is wired into the extension, a server-side issue can be turned into one that affects the extension itself.

For example, if the API server lets an attacker store arbitrary data, and that data ends up executing as XSS inside the extension, the attack can escalate to UXSS or to use of the Browser Extension API, raising the risk considerably.
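The chain just described, server data rendered into an extension page without escaping, looks like this in code. The following is an added example, not code from the original post or from MM3-ProxySwitch: a popup-style renderer that concatenates API records into markup next to a version that validates and escapes them, together with a parser that treats the API response as untrusted. The record format, the API response and the injected payload are constructed for this example; the functions return HTML strings so they run under Node, whereas a real popup would assign the result to a container.

```javascript
// Added example: API/storage data rendered into an extension page.
// Record format {name, host} and the API response are assumptions.

const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => (
  { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
));

// Vulnerable: record fields go straight into markup. If this string is
// assigned to innerHTML in the popup, the injected element's handler runs
// with the extension's permissions.
function renderProfilesUnsafe(profiles) {
  return profiles.map((p) => `<li data-host="${p.host}">${p.name}</li>`).join('');
}

// Hardened: fields with a known grammar are validated before use (a proxy
// host is not free text) and every field is escaped on output.
const HOST_RE = /^[A-Za-z0-9.-]+(:\d{1,5})?$/;
function renderProfilesSafe(profiles) {
  return profiles.map((p) => {
    const host = HOST_RE.test(p.host) ? p.host : 'invalid';
    return `<li data-host="${escapeHtml(host)}">${escapeHtml(p.name)}</li>`;
  }).join('');
}

// The API response is as untrusted as page input: parse it, check the shape,
// and keep only the fields the popup expects.
function parseProfilesResponse(jsonText) {
  let body;
  try { body = JSON.parse(jsonText); } catch { return []; }
  if (!Array.isArray(body)) return [];
  return body
    .filter((p) => p && typeof p.name === 'string' && typeof p.host === 'string')
    .map((p) => ({ name: p.name, host: p.host }));
}

// Constructed API response: one benign record and one stored by an attacker
// through the hypothetical server-side flaw. The onerror body is only an
// illustration of what injected code in the popup could reach.
const API_RESPONSE = JSON.stringify([
  { name: 'office', host: 'proxy.corp.example:8080' },
  { name: '<img src=x onerror="chrome.proxy.settings.clear({})">', host: 'x" onclick="alert(1)' },
]);

const profiles = parseProfilesResponse(API_RESPONSE);
console.log('unsafe:', renderProfilesUnsafe(profiles));
console.log('safe:  ', renderProfilesSafe(profiles));
```

The validation step matters as much as the escaping: data-host is later handed to the proxy API, so a host that does not match the expected grammar should never reach it, escaped or not.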

References