I wrote some code to search for the following pattern: 41 56 56 57 55 53 48 83 EC 40 45 89 C6 48 89 D7 48 89 CB 48 8B 05 EE 3E DC 05 48 31 E0 48 89 44Īnd replace it with the below function which will just display a text box with the request data inside. I have walked though doing this in a past blog post. Now that we have the offset we can place a hook to redirect the call from the legitimate SSL_write to our SSL_write function. We can confirm its use by Chrome by searching for xrefs to the string SSL_write in chrome.dll:Īfter a bit of looking I found the function at the offset 0x0000000182ED03E0, I have renamed some variables and functions names so it’s quite clear to see it is the SSL_write function: The source code for the function can be seen below: It will take a pointer to some plaintext data as the buf argument and will write it to the SSL stream pointed to by the ssl argument. They were kind enough to keep the original core function names meaning that SSL_write for example, does the same thing in both OpenSSL and BoringSSL. Somewhere during the development of Chrome, Google decided that OpenSSL wasn’t good enough for them and made their own fork called BoringSSL. So how can we get the same data, just as plaintext before it is encrypted? Lets just target the SSL encryption functions instead. The only problem with this is that WSASend is only going to contain plaintext data when the user is connecting to sites without SSL enabled, which is not likely to be any of the sites we want to steal data from. More detailed information can be found in the developer's privacy policy. The majority of Chromes code is stored inside chrome.dll so loading that into IDA and looking at the xrefs to WSASend I can confirm that assumption. webQsee Web Sniffer & Recorder has disclosed the following information regarding the collection and usage of your data. So its likely that Chrome will be using Winsock for its network communication. I know that I will be targeting Chrome running on windows and also that windows has its own socket library called Winsock. The network service does what it says on the tin… it handles communication with the internet and therefore is guaranteed to be in possession of the sensitive data we are after. Chrome is broken down into 7 different parts, with the most important being the network service, storage service and the renderer. The reason for this is for both security and usability, it allows specific parts of the browser (such as the renderer) to be sandboxed while still allowing other parts of the browser to run without the limitations of the sandbox. Like most browsers Chrome uses a multi-process architecture (as can be seen below): The browser I decided to target was Google Chrome, the simple reason being that it has nearly a 70% market share of desktop browsers so is by far the most popular browser and therefore is the obvious choice to target. So naturally when I found myself with some time to spend on a research project, I decided to spend it abusing this trust! General overview Throw in password managers with browser extensions and you have a natural target for red teams. From an attackers stand point this trust is an amazing thing, as once you have compromised a users workstation there is a process (with close to zero protections) handling a relatively large amount of sensitive data while being used a great deal by a user. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”, This trust leads to users feeling comfortable entering their sensitive data into these websites. Visit extension website for more detail.Web browsers are inherently trusted by users. Version detecting is being implemented.Ĭurrently, this extension can detect more than 100 popular CMS and javascript libraries, and more will be added in future releases. An icon will appear on address bar indicates the detected framework. This extension will help web developer to inspect web framework / CMS and javascript library running on current browsing website. ARIA & WCAG Info: Validate Page, ARIA 1.1 Spec, Checklist, etc. Chrome Sniffer is a Chrome extension which shows you small icon/logo of most popular CMSs, Web applications and JavaScript libraries at the address bar in your browser.Ĭhrome Sniffer description from Chrome Web Store: Descriptionĭetect web applications and javascript libraries run on browsing website. Others Tools: aXe console.log(), tota11y, HTMLCodeSniffer, Google A11y Dev Tools, etc. I’m using Awesome Screenshot, Silver Bird Plus (Twitter client), Web Developer, Lorem Ipsum Generator and more.Ī long time ago Mario told me about a very useful extension. As a Chrome user I always try to find out new and helpful extensions for it.
0 Comments
Leave a Reply. |