How to Hack Browser Extension

Introduction

A browser extension is a feature that lets you customize and extend a web browser. All major browsers (Chrome, Safari, Firefox, Edge) support extensions, and Chromium-based browsers such as Brave and Whale support them in the same way.

This document summarizes how to test browser extensions and find security issues in them.

Structure

Chrome/Firefox Extension

Chrome๊ณผ Firefox๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ ๋™์ผํ•œ Extension ๊ตฌ์กฐ๋ฅผ ๊ฐ€์ง‘๋‹ˆ๋‹ค. ๊ทธ๋ž˜์„œ ์ƒํ˜ธ ํ˜ธํ™˜ ๊ฐ€๋Šฅํ•œ Extension๋“ค์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ ์ ์  ๋ฒ„์ „์ด ์˜ฌ๋ผ๊ฐ์— ๋”ฐ๋ผ ํ˜„์žฌ๋Š” ์•ฝ๊ฐ„ ์ƒ์ดํ•œ ์ฒ˜๋ฆฌ ๊ตฌ์กฐ๋ฅผ ๊ฐ€์ ธ์„œ ํ˜ธํ™˜๋˜์ง€ ์•Š๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์Šต๋‹ˆ๋‹ค.

Safari App Extension

Unlike the Web Extensions used by Chrome and Firefox, a Safari App Extension is an application built from Swift code. Internally it is quite different, but in the end it still controls the page from inside the DOM with JavaScript and HTML, so the testing methods below apply to it as well.

Safari Web Extension

A Safari Web Extension has the same form as the Web Extensions used in Chrome/Firefox. The way to tell an App Extension from a Web Extension is how it is installed:

  • App Extension: installed only through the App Store
  • Web Extension: installed from files, the same as Chrome

API Documents

Hack Mechanism

๊ฐ ๋ธŒ๋ผ์šฐ์ €๋งˆ๋‹ค ๋‚ด๋ถ€์ ์ธ ๋™์ž‘ ๋ฐฉ์‹์€ ๋‹ค๋ฅด์ง€๋งŒ, ๊ฒฐ๊ณผ์ ์œผ๋กœ ์ˆ˜ํ–‰ํ•˜๋Š” ๋ฒ”์œ„๋Š” ๋น„์Šทํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์œ ์‚ฌํ•œ ํ˜•ํƒœ๋กœ ๋ชจ๋“  ๋ธŒ๋ผ์šฐ์ € ์ต์Šคํ…์…˜์„ ํ…Œ์ŠคํŠธํ•˜๊ณ  ๋ณด์•ˆ์ ์ธ ๋ฌธ์ œ๋ฅผ ์ฐพ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Code audit

๋ธŒ๋ผ์šฐ์ € ์ต์Šคํ…์…˜์€ ZIP ํŒŒ์ผ์ด ๋•Œ๋ฌธ์— ๋‹ค์šด๋กœ๋“œ ํ›„ ์••์ถ•์„ ํ’€์–ด ์†Œ์Šค์ฝ”๋“œ์™€ ๋ฆฌ์†Œ์Šค ๋“ฑ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋‹ค๋งŒ ๊ฐ Store์—์„œ๋Š” ์ง์ ‘ ํŒŒ์ผ์„ ์ œ๊ณตํ•ด์ฃผ์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— ์•ฝ๊ฐ„์˜ ํŠธ๋ฆญ์œผ๋กœ ํŒŒ์ผ์„ ์ฐพ์•„์•ผํ•ฉ๋‹ˆ๋‹ค.

Find source code

ํฌ๋กฌ ์ต์Šคํ…์…˜์€ ์„ค์น˜ ์‹œ ์•„๋ž˜ ๊ฒฝ๋กœ์— ์ €์žฅ๋ฉ๋‹ˆ๋‹ค.

  • MacOS: ~/Library/Application\ Support/Google/Chrome/Default/Extensions
  • Linux: ~/.config/google-chrome/Default/Extensions/
  • Windows: C:\Users\<Your_User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions

ํ•ด๋‹น ๋””๋ ‰ํ† ๋ฆฌ์—์„œ ํ™•์ธํ•ด๋ณด๋ฉด extension์˜ ํ‚ค ๊ฐ’์œผ๋กœ ํด๋”๊ฐ€ ์กด์žฌํ•ฉ๋‹ˆ๋‹ค.

ll ~/Library/Application\ Support/Google/Chrome/Default/Extensions

# drwx------@ 2 hahwul  staff    64B 12 24 00:37 Temp
# drwx------@ 3 hahwul  staff    96B  9 29  2019 aapocclcgogkmnckokdopfmhonfmgoek
# drwx------@ 3 hahwul  staff    96B  9 29  2019 aohghmighlieiainnegkcijnfilokake
# drwx------@ 3 hahwul  staff    96B 11 14 18:39 apdfllckaahabafndbhieahigkjlhalf
# drwx------@ 3 hahwul  staff    96B  7 12 00:48 baacjfeencnlcclennchejfnbcplfmbb
# drwx------@ 3 hahwul  staff    96B  7  9 00:53 phbjaiacjbplfmapmlljdoacomhbpfoe

extension์˜ ํ‚ค ๊ฐ’์€ ํฌ๋กฌ์˜ ํ™•์žฅ ํ”„๋กœ๊ทธ๋žจ ํŽ˜์ด์ง€์—์„œ ํ™•์ธํ•˜์‹ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

https://user-images.githubusercontent.com/13212227/103444356-fd22ce00-4caa-11eb-8a0c-a2d4df5dd9ba.png

ํŒŒ์ผ์„ ์ฐพ์•˜๋‹ค๋ฉด ๋ถ„์„ํ•  ๋””๋ ‰ํ† ๋ฆฌ๋กœ ๋ณต์‚ฌํ•ด์™€์„œ ์ž‘์—…์„ ์ง„ํ–‰ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.

cp -r ~/Library/Application\ Support/Google/Chrome/Default/Extensions/phbjaiacjbplfmapmlljdoacomhbpfoe .

Manifest

Browser extension์€ ๋Œ€๋ถ€๋ถ„์˜ policy์™€ permission์„ manifest.json ํŒŒ์ผ์— ๋ช…์‹œํ•ฉ๋‹ˆ๋‹ค. ํ•ด๋‹น ํŒŒ์ผ์„ ์ฒดํฌํ•˜์—ฌ ํ—ˆ์šฉํ•˜๊ณ  ์žˆ๋Š” ์ •์ฑ…์„ ํŒŒ์•…ํ•˜๊ณ , ์ž˜๋ชป ์‚ฌ์šฉํ•˜๋Š” ์„ค์ •๋“ค์ด ์žˆ๋Š”์ง€ ์ฒดํฌํ•ฉ๋‹ˆ๋‹ค.

{
   "author": "MM3Tools",
   "background": {
      "scripts": [ "util.js", "ProxySwitch.js" ]
   },
   "browser_action": {
      "browser_style": true,
      "default_icon": {
         "16": "img/MM3_16off.png",
         "32": "img/MM3_32off.png"
      },
      "default_popup": "popup.html"
   },
   "commands": {
      "ProxySwitch-1": {
         "description": "1",
         "suggested_key": {
            "default": "Ctrl+Shift+1"
         }
      },
      "ProxySwitch-2": {
         "description": "2",
         "suggested_key": {
            "default": "Ctrl+Shift+2"
         }
      },
      "ProxySwitch-3": {
         "description": "3",
         "suggested_key": {
            "default": "Ctrl+Shift+3"
         }
      },
      "ProxySwitch-4": {
         "description": "4",
         "suggested_key": {
            "default": "Ctrl+Shift+4"
         }
      }
   },
   "default_locale": "en",
   "description": "__MSG_appDescription__",
   "icons": {
      "48": "img/MM3_48.png",
      "96": "img/MM3_96.png"
   },
   "key": "...snip...",
   "manifest_version": 2,
   "name": "MM3-ProxySwitch",
   "options_ui": {
      "open_in_tab": true,
      "page": "setting.html"
   },
   "permissions": [ "storage", "proxy", "browsingData", "http://*/*", "https://*/*" ],
   "short_name": "ProxySwitch",
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "2018.332"
}

*๊ฐ ํผ๋ฏธ์…˜์€ https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions ๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”!

Source code

์ต์Šคํ…์…˜ ๋””๋ ‰ํ† ๋ฆฌ ๋‚ด๋ถ€์— ์žˆ๋Š” ์†Œ์Šค์ฝ”๋“œ๋Š” ์‹ค์ œ ๊ตฌ๋™์— ์‚ฌ์šฉ๋˜๋Š” ์ฝ”๋“œ๋“ค์ž…๋‹ˆ๋‹ค. popup.html ๊ฐ™์ด ํŽ˜์ด์ง€๋ฅผ ํ‘œํ˜„ํ•˜๊ธฐ ์œ„ํ•œ markup ๋ถ€ํ„ฐ ์‹ค์ œ ๋™์ž‘์„ ๋‹ด์€ js ํŒŒ์ผ๋“ค์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. ํ•ด๋‹น ์ฝ”๋“œ๋“ค์„ ์‚ดํ”ผ๋ฉด์„œ ์ค‘์š”ํ•œ ๊ฐ’(secret, key ๋“ฑ)์ด ๋…ธ์ถœ๋˜์—ˆ๋Š”์ง€, ์™ธ๋ถ€๋กœ ๋ถ€ํ„ฐ ๋ฐ›์„ ์ˆ˜ ์žˆ๋Š” Input ๋“ค์ด ์žˆ๋Š”์ง€ ์ฒดํฌํ•ฉ๋‹ˆ๋‹ค.

์ฃผ๋กœ ๋ด์•ผํ•  ๋ถ€๋ถ„์€ ์•„๋ž˜์™€ ๊ฐ™์Šต๋‹ˆ๋‹ค.

  • postMessage
  • SSE
  • webSocket
  • wasm
  • API Call (ajax, xmlhttprequest, etc..)
  • localStorage / sessionStorage
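As a starting point for that review, here is an added example (written for this page, not a tool from the original article): a line-oriented scanner in Node.js that runs the grep-style checks for the items above over the text of a JS file and returns each hit with its line number and category. The input file SAMPLE_SOURCE is constructed for the example, and the pattern list is this example's own; the sample key in it is not a real credential.

```javascript
// Added example (not from the original article): grep-style source/sink triage.

// One regex per category from the checklist above, plus a loose secret pattern.
const PATTERNS = [
  { kind: 'postMessage listener', re: /addEventListener\(\s*['"]message['"]|\bonmessage\s*=/ },
  { kind: 'postMessage send', re: /\.postMessage\(/ },
  { kind: 'runtime messaging', re: /\b(chrome|browser)\.runtime\.on(Message|Connect)(External)?\b/ },
  { kind: 'SSE', re: /new\s+EventSource\(/ },
  { kind: 'WebSocket', re: /new\s+WebSocket\(/ },
  { kind: 'WASM', re: /WebAssembly\.(instantiate|compile|instantiateStreaming)/ },
  { kind: 'API call', re: /\bfetch\(|new\s+XMLHttpRequest\(|\$\.(ajax|get|post)\(/ },
  { kind: 'storage', re: /\b(localStorage|sessionStorage)\.(getItem|setItem)|chrome\.storage\.(local|sync|session)/ },
  { kind: 'DOM/code sink', re: /\.innerHTML\s*=|\.outerHTML\s*=|document\.write\(|\beval\(|new\s+Function\(|\.insertAdjacentHTML\(/ },
  { kind: 'possible secret', re: /\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Scan one file's text; returns [{ file, line, kind, match }, ...].
function scanSource(text, filename = 'source.js') {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { kind, re } of PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ file: filename, line: i + 1, kind, match: m[0] });
    }
  });
  return findings;
}

// Count findings per category, useful for a first look at a large extension.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample popup.js: a hard-coded key, a message listener that writes
// untrusted data into innerHTML, a WebSocket, an API call and localStorage use.
const SAMPLE_SOURCE = [
  'const API_KEY = "sk_live_constructed_sample_0000"; // constructed, not a real key',
  "window.addEventListener('message', (e) => {",
  "  document.getElementById('out').innerHTML = e.data.html;",
  '});',
  "const ws = new WebSocket('wss://feed.example.invalid/live');",
  "fetch('https://api.example.invalid/v1/sync', { method: 'POST' });",
  "localStorage.setItem('session', API_KEY);",
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE, 'popup.js')) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.match}`);
}
```

To run it over a real extension directory, read each .js file with fs.readFileSync and pass the text to scanSource. The output is a worklist, not a verdict: a 'postMessage listener' hit on the same file as a 'DOM/code sink' hit (lines 2 and 3 in the sample) is the pairing that most often turns into an exploitable issue, and it is the first thing to follow up manually.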

Live audit

Test with devtools

์ต์Šคํ…์…˜์€ ์›น ํŽ˜์ด์ง€์™€ ๋‹ค๋ฅธ ๋ณ„๋„์˜ DOM์—์„œ ๋™์ž‘ํ•ฉ๋‹ˆ๋‹ค. ์ผ๋ฐ˜ ์›น ํŽ˜์ด์ง€๋ผ๋ฉด DevTools๋ฅผ ์—ด์–ด ์ฒดํฌํ•  ์ˆ˜ ์žˆ์ง€๋งŒ ์ต์Šคํ…์…˜์€ ์ฝ”๋“œ์— ๋”ฐ๋ผ ๋ทฐ๋ฅผ ์ œ๊ณตํ•ด์ฃผ์ง€ ์•Š๊ฑฐ๋‚˜ ๋ทฐ๋ฅผ ํŠธ๋ฆฌ๊ฑฐํ•˜๊ธฐ ์–ด๋ ค์šธ ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Ÿด ๋•Œ ์•„๋ž˜์™€ ๊ฐ™์€ ๋ฐฉ๋ฒ•์œผ๋กœ DOM ์˜์—ญ์„ ์—ด ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์˜ต์…˜ > ํ™•์žฅ ๊ธฐ๋Šฅ > ๋Œ€์ƒ ํ™•์žฅ ๊ธฐ๋Šฅ > ๋ทฐ ๊ฒ€์‚ฌ

https://user-images.githubusercontent.com/13212227/103444418-5c80de00-4cab-11eb-9042-2e85db32c21b.png

๋ทฐ ๊ฒ€์‚ฌ๋ฅผ ํ†ตํ•ด ํŽ˜์ด์ง€๋ฅผ ๋กœ๋“œํ–ˆ๋‹ค๋ฉด background ์— ๊ฐ js ๋“ฑ์ด ์ด๋ฏธ ์˜ฌ๋ผ์˜จ ์ƒํƒœ์ด๊ธฐ ๋•Œ๋ฌธ์— devtools์˜ console ์ด๋‚˜ debugger๋ฅผ ํ†ตํ•ด์„œ ํ…Œ์ŠคํŠธํ•ด๋ณผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ํ•จ์ˆ˜ ์ •๋ณด๋Š” ์œ„ ๋ถ„์„์ค‘์ธ ์†Œ์Šค์ฝ”๋“œ์—์„œ cat๊ณผ grep ๋“ฑ์œผ๋กœ ๊ฑธ๋Ÿฌ๋‚ด๋ฉด ์ฐพ์•„๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

cat util.js
"use strict";function err(ex){if(ex!=null)console.error(ex,ex.message,chrome.runtime.lastError);else console.error(chrome.runtime.lastError);}function myParseInt(value){try{value=value.trim();if(/^(\-|\+)?([0-9]+|Infinity)$/.test(value))return Number(value);}catch(ex){err(ex);}return NaN;}function hostM(host,isProxy){try{let hp={};let i=host.lastIndexOf(':');if(i!=-1){hp.port=host.substring(i+1);let em=null;if(hp.port.length==0)em=chrome.i18n.getMessage('notSpecified');else{let n=myParseInt(hp.port);if(isNaN(n))

https://user-images.githubusercontent.com/13212227/103444494-0eb8a580-4cac-11eb-89b9-226f8598260e.png

chrome-extension

๋งŒ์•ฝ ์ต์Šคํ…์…˜์ด popup.html ๋“ฑ view๋ฅผ ์ œ๊ณตํ•œ๋‹ค๋ฉด ์•„๋ž˜ ์ด๋ฏธ์ง€์™€ ๊ฐ™์ด chrome-extension:// ๋ฅผ ํ†ตํ•ด์„œ ์ง์ ‘ ์ ‘๊ทผํ•˜์—ฌ ํ…Œ์ŠคํŠธํ•  ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค.

https://user-images.githubusercontent.com/13212227/103444589-db2a4b00-4cac-11eb-9d82-0c219378b175.png

์ด๋Ÿฌํ•œ ๊ฒฝ์šฐ ์‹ค์ œ ๋™์ž‘์„ ๋ˆˆ์œผ๋กœ ๋ณด๋ฉด์„œ ํ…Œ์ŠคํŠธํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ›จ์”ฌ ํŽธ๋ฆฌํ•ฉ๋‹ˆ๋‹ค. ์ฐธ๊ณ ๋กœ chrome-extension:// ํ”„๋กœํ† ์ฝœ ๋˜ํ•œ popup ๋“ฑ ํŽ˜์ด์ง€์—์„œ query parse๋ฅผ ํ†ตํ•ด ๊ฐ’์„ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ ํ…Œ์ŠคํŒ… ํฌ์ธํŠธ๊ฐ€ ๋˜๊ธฐ๋„ ํ•ฉ๋‹ˆ๋‹ค.

chrome-extension://vulnapp/landing?c=};alert(45);function a(){//

User input

๋ธŒ๋ผ์šฐ์ € ์ต์Šคํ…์…˜์€ ๊ตฌ๋™ ์‹œ DOM์„ ๊ฐ€์ง€๋Š” ์›น ํŽ˜์ด์ง€๋กœ์จ ์ผ๋ฐ˜ ๋ธŒ๋ผ์šฐ์ง• ์˜์—ญ๊ณผ ๊ฒฉ๋ฆฌ๋˜์–ด ์žˆ๊ธด ํ•˜์ง€๋งŒ, postMessage, SSE ๋“ฑ ์—ฌ๋Ÿฌ๊ฐ€์ง€ ๊ธฐ๋Šฅ๋“ค์„ ํ†ตํ•ด ์›น ํŽ˜์ด์ง€, API ๋“ฑ๊ณผ ํ†ต์‹ ํ•˜๊ณ  DOM ๋‚ด๋ถ€์—์„œ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ๋ธŒ๋ผ์šฐ์ € ์ต์Šคํ…์…˜ ๋˜ํ•œ ์ผ๋ฐ˜ ์›น ํŽ˜์ด์ง€์™€ ๋™์ผํ•˜๊ฒŒ ์›น ์ทจ์•ฝ์ ์˜ ์˜ํ–ฅ์„ ๋ฐ›๋Š”๋‹ค๋Š” ์ด์•ผ๊ธฐ์ž…๋‹ˆ๋‹ค.

์†Œ์Šค์ฝ”๋“œ ๋ถ„์„์œผ๋กœ ์ฐพ์•„๋‚ธ Endpoint ๋“ค์— ๋Œ€ํ•ด์„œ ํ…Œ์ŠคํŠธ๋ฅผ ์ง„ํ–‰ํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค.

A major weakness

Sensitive Data Leak

์ต์Šคํ…์…˜์˜ ๊ธฐ๋Šฅ์— ๋”ฐ๋ผ์„œ ๋‚ด๋ถ€์— ์ค‘์š”ํ•œ ์ •๋ณด๋ฅผ ํฌํ•จํ•˜๊ณ  ์žˆ์„ ๊ฐ€๋Šฅ์„ฑ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ์ •๋ณด๊ฐ€ postMessage ๋“ฑ์„ ํ†ตํ•ด ์™ธ๋ถ€์—์„œ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ๋‹ค๋ฉด ์‚ฌ์šฉ์ž์˜ ์ค‘์š”์ •๋ณด๊ฐ€ ํƒˆ์ทจ๋  ์ˆ˜ ์žˆ๋Š” ์ด์Šˆ๊ฐ€ ๋ฉ๋‹ˆ๋‹ค.

์ผ๋ฐ˜์ ์œผ๋กœ ์ €์žฅ ์œ„์น˜์— ๋Œ€ํ•œ ํ† ๋ก ์ด ๋งŽ์€๋ฐ, manifest v3 ๊ธฐ์ค€์œผ๋กœ ์ค‘์š”์ •๋ณด๋Š” session storage ์ €์žฅํ•˜๋Š” ๊ฒƒ์„ ๊ถŒ๊ณ ํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค.

XSS

๋Œ€๋‹ค์ˆ˜ ์›น ์ทจ์•ฝ์ ์ด ํฌ์ธํŠธ๊ฐ€ ๋˜๊ฒ ์ง€๋งŒ, ๊ทธ์ค‘์—์„œ๋„ XSS๋Š” ๊ฐ€์žฅ ์ค‘์ ์ ์œผ๋กœ ๋ด์•ผํ•  ๋ถ€๋ถ„์ผ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค. ์•„๋ฌด๋ž˜๋„ ํด๋ผ์ด์–ธ๋“œ ๋‹จ์—์„œ ๋„๋ฉ”์ธ ๊ธฐ๋ฐ˜์˜ ๋ฆฌ์Šคํฌ๊ฐ€ ์•„๋‹Œ, ๊ด‘๋ฒ”์œ„ํ•œ UXSS๋‚˜ Browser API๋ฅผ ํ†ตํ•œ ์ถ”๊ฐ€์ ์ธ ๊ณต๊ฒฉ๊นŒ์ง€ ์ด์–ด์งˆ ์ˆ˜ ์žˆ์–ด์„œ ํ™•์žฅ ๊ธฐ๋Šฅ์—์„  ์กฐ๊ธˆ ๋” ์ค‘์š”ํ•œ ๋ถ€๋ถ„์œผ๋กœ ๋ณด์ž…๋‹ˆ๋‹ค.

Bypass CSP

๋ธŒ๋ผ์šฐ์ € ํ™•์žฅ ๊ธฐ๋Šฅ์—์„œ CSP๋Š” Manifest์— ๋ช…์‹œํ•ฉ๋‹ˆ๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ์•Œ๋ ค์ง„ CSP ์šฐํšŒ ๋ฐฉ๋ฒ•์„ ํ†ตํ•ด์„œ CSP ์ •์ฑ…์„ ์šฐํšŒํ•  ์ˆ˜ ์žˆ๊ณ , XSS ์ทจ์•ฝ์ ์ด ์กฐ๊ธˆ ๋” ๋ฆฌ์Šคํฌ๋ฅผ ๊ฐ€์ง€๋Š”๋ฐ ์žˆ์–ด์„œ ํฐ ๋„์›€์„ ์ค„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Javascript CVE

๋‹น์—ฐํžˆ ์›น ๊ธฐ๋ฐ˜์˜ ํŽ˜์ด์ง€๋ผ์„œ Javascript ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ๊ณต๊ฐœ ์ทจ์•ฝ์ ์— ์˜ํ–ฅ์„ ๋ฐ›์Šต๋‹ˆ๋‹ค. ์—…๋ฐ์ดํŠธ๋ฅผ ์œ„ํ•ด์„  ํ™•์žฅ ๊ธฐ๋Šฅ์˜ ํŒจํ‚ค์ง€ ์—…๋ฐ์ดํŠธ๊ฐ€ ํ•„์š”ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ผ๋ฐ˜์ ์œผ๋กœ ์›น ํŽ˜์ด์ง€๋ณด๋‹จ ์—…๋ฐ์ดํŠธ๊ฐ€ ๋Š๋ฆฐํŽธ์ž…๋‹ˆ๋‹ค. retire.js ๋“ฑ์œผ๋กœ ์‰ฝ๊ฒŒ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

API Security

ํ™•์žฅ ๊ธฐ๋Šฅ์— ์—ฐ๋™๋˜๋Š” API ์„œ๋ฒ„๋Š” ์ฃผ์š” ๋ถ„์„ ๋Œ€์ƒ์ด ๋ฉ๋‹ˆ๋‹ค. ๋‹น์—ฐํžˆ ์—ฌ๊ธฐ์„œ ๋ณดํŽธ์ ์ธ ์ทจ์•ฝ์ ์„ ์ฐพ์„ ์ˆ˜ ์žˆ๊ณ , ์ด์–ด์„œ ํ™•์žฅ ๊ธฐ๋Šฅ๊ณผ์˜ ์—ฐ๋™์„ฑ๋„ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ์ด๋ฅผ ํ™œ์šฉํ•˜๋ฉด ํ™•์žฅ ๊ธฐ๋Šฅ ์ž์ฒด์—๋„ ์˜ํ–ฅ์„ ์ค„ ์ˆ˜ ์žˆ๋Š” ์ทจ์•ฝ์ ์„ ๋งŒ๋“ค์–ด๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

API Server ๋‚ด ์ž„์˜์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์ €์žฅ์‹œํ‚ค๋Š” ์ทจ์•ฝ์ ์ด ์žˆ๊ณ , ์ด ๋ฐ์ดํ„ฐ๊ฐ€ ํ™•์žฅ ๊ธฐ๋Šฅ์—์„œ XSS๋กœ ๋™์ž‘ํ•œ๋‹ค๋ฉด, UXSS ๋˜๋Š” Browser Extension API๋ฅผ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๊ณต๊ฒฉ๊นŒ์ง€ ์ด์–ด์งˆ ์ˆ˜ ์žˆ์–ด ๋ฆฌ์Šคํฌ๋ฅผ ๋†’์ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๐Ÿ›  Environment

Include WASM

๋งŒ์•ฝ WASM(Web Assembly)๊ฐ€ ์ ์šฉ๋œ Extension์ด๋ผ๋ฉด wasm์— ๋Œ€ํ•œ ๋ถ„์„์ด ์ถ”๊ฐ€๋กœ ํ•„์š”ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. wasm ๋ถ„์„์— ๋Œ€ํ•œ ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์•„๋ž˜ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

์›น ์–ด์…ˆ๋ธ”๋ฆฌ(Web Assembly)๋Š” ์–ด๋–ป๊ฒŒ ๋ณด์•ˆ ์ทจ์•ฝ์  ๋ถ„์„์„ ํ• ๊นŒ์š”?

Include SSE

If an extension uses SSE, you need a tool that can handle SSE. Both ZAP and Burp Suite can; see the link below for details.

Cullinan > SSE

Include WebSocket

WebSocket์ด ์ ์šฉ๋œ ์ต์Šคํ…์…˜์ด๋ผ๋ฉด WebSocket๋ฅผ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ๋„๊ตฌ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. SSE์™€ ๋™์ผํ•˜๊ฒŒ ZAP, Burpsuite์—์„œ ๋ชจ๋‘ ๊ฐ€๋Šฅํ•˜๋ฉฐ ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์•„๋ž˜ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

Cullinan > WebSocket

Articles

References