Скачать или смотреть DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions

DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions

DEFCONDEFCONDEF CONhacker conferencesecurity conferenceinformation security conferenceinformation securityconference speakershackershackinghacking videossecurity researchDEF CON 29DC29DEF CON 2021Barak SternbergBrowser Extensions

Скачать DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions бесплатно в качестве 4к (2к / 1080p)

У нас вы можете скачать бесплатно DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions или посмотреть видео с ютуба в максимальном доступном качестве.

Для скачивания выберите вариант из формы ниже:

Информация по загрузке:

Cкачать музыку DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions бесплатно в формате MP3:

Если иконки загрузки не отобразились, ПОЖАЛУЙСТА, НАЖМИТЕ ЗДЕСЬ или обновите страницу
Если у вас возникли трудности с загрузкой, пожалуйста, свяжитесь с нами по контактам, указанным в нижней части страницы.
Спасибо за использование сервиса video2dn.com

Описание к видео DEF CON 29 - Barak Sternberg - Extension Land: Exploits and Rootkits in Your Browser Extensions

Browser extensions are installed anywhere, they serve as an integral part of our day-to-day web routine, from AdBlockers to Auto-Translators. But - do we know what is running inside of them? Do we know what goes deep-down inside their communication routines? How do they use their internal API’s? And how do their different JS execution contexts work?

In this session, I will explore these unique internal extension API’s, hidden attack-surfaces and show how these concepts can be broken & exploited using new ways! I start showing how an attacker can "jump" from one low-permissions chrome-app/extension to another, hence elevating its permissions. Then, I will show how to gain full "browser-persistency" inside extensions' background-scripts context.

Chaining it all together, I show how attacker, starting from low permissions chrome-app, gains a fully-armed "extension-rootkit", a persistent JS-malware running inside of a “good” extension, along with C&C features, JS injection techniques to any tab/origin, obfuscation-techniques and more. Eventually, I will present a generic technique, targeting all chrome-users, for taking over any previously installed chrome extension and implant an "extension-rootkit" in it.

REFERENCES:
[1] Chrome Developers: Chrome extensions API Reference, https://developer.chrome.com/docs/ext...
[2] Chrome Developers: Chrome extensions Manfiest v2/v3 Security References, https://developer.chrome.com/docs/ext... & https://developer.chrome.com/docs/ext...
[3] "Websites Can Exploit Browser Extensions to Steal User Data", 2019 - https://www.securityweek.com/websites... / https://www-sop.inria.fr/members/Doli...
[4] "Web Browser Extension User-Script XSS Vulnerabilities", 2020 - https://ieeexplore.ieee.org/document/...
[5] "Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions", 2017 - https://ieeexplore.ieee.org/document/...
[6] "Attacking browser extensions", Nicolas Golubovic, 2016 - https://golubovic.net/thesis/master.pdf
[7] "A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions", 2018 - https://www.hindawi.com/journals/scn/...
[8] "Chrome Extensions: Threat Analysis and Countermeasures", 2012 - https://citeseerx.ist.psu.edu/viewdoc...
[9] "Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies", Usenix Security 2017 - https://www.usenix.org/system/files/c...
[10] "Protecting Browsers from Extension Vulnerabilities", 2010 - https://static.googleusercontent.com/...

Комментарии

Информация по комментариям в разработке