Sandboxing has been widely adopted in almost all web browsers and has proven effective at mitigating attacks. As sandbox policies keep gaining new features, exploiting them has become a prohibitively large effort for attackers. In this presentation, we will discuss how attackers can persist inside the sandbox, even permanently, and how many unexpected attacks can be carried out without breaking the sandbox's policies.
First, we propose a new attack vector and demonstrate it in the real world: living inside the sandbox persistently, even permanently. We found that malicious code in the sandbox can survive the closing of its tab through certain tricks. Additionally, we researched the mechanism of the browser cache and succeeded in gaining persistence even after a browser or device restart. To achieve a permanent attack, we propose a mind-blowing attack vector called "Clone Attack", through which attackers can clone victims' accounts remotely and gain long-term control by exploiting cross-domain vulnerabilities in misconfigured WebViews.
Surprisingly, we found that many malicious actions can still be carried out without breaking the sandbox, yet beyond what it was designed to anticipate, such as credential stealing, lateral movement and even side-channel attacks. We conducted comprehensive research on various sandboxes and summarized their features, attack vectors and what can be done inside the sandboxes of both standalone browsers such as Chrome, Edge and Firefox, and WebView on Android, iOS, etc.
By combining these parts, we confirm that many attacks can still be accomplished inside the sandbox and that it is difficult, even impossible, to prevent them entirely. The sandbox is the best choice available, but we should be aware that it is not a silver bullet for security.