Bypassing Browser Security Policies for Fun and Profit

Presented at Black Hat Asia 2016.

Mobile browsers, in comparison to desktop browsers, are relatively new and have not undergone the same level of scrutiny. Browser vendors have introduced and implemented numerous protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of client-side attacks. In this presentation, we will present our research on bypassing core security policies implemented inside browsers, such as the "Same Origin Policy" and "Content Security Policy." We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research, such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, and Mixed Content Bypass, as found in Android browsers. We will also talk about the testing methodology that we used to uncover several Android zero-days. Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of the security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers and in Android WebView itself. We will explain the root cause of each bug and demonstrate its exploitation, show examples of vulnerable code and, where possible, the patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess the basic security properties of any mobile web browser.


Presenters:

  • Rafay Baloch - ETISALAT (PTCL)
    Rafay Baloch has been conducting security research for over 6 years. His core research includes bypassing client- and server-side protections such as WAFs and other security mechanisms. He is the author of "Ethical Hacking and Penetration Testing Guide" and has also written several papers on information security, namely "HTML5 Modern Day Attack Vectors" and "Web Application Firewall Bypass." Rafay has helped many organizations find vulnerabilities and has produced hundreds of responsible disclosures. He is best known for finding a remote code execution vulnerability inside PayPal, for which he was awarded. He also uncovered several zero-days in Android browsers, for which he was listed as one of the top 25 threat seekers of 2014 and top 5 ethical hackers of the world by Checkmarx. Rafay is an active participant in bug bounty programs and is listed in many "Halls of Fame," including those of Google, Facebook, Microsoft, Twitter, and Dropbox.
