Conference:  Black Hat Asia 2023

Authors: Ziling Chen, Nan Wang, Hongli Han

2023-05-12

Nowadays, multiple mitigation mechanisms have gradually been added to Google Chrome in order to reduce the traditional RCE attack surfaces (e.g., V8 and Blink), which greatly increases the attack difficulty. Besides these well-known attack surfaces, we found SQLite can be directly accessed by remote attackers via Chrome WebSQL API.In this talk, we will present a mutation-based Fuzzer towards WebSQL. By leveraging extra syntax tree and context analysis, the fuzzer substantially improves the syntactic and semantic correctness of the generated SQL samples, and uncovered new vulnerabilities in WebSQL.Most of the acknowledged CVEs related to WebSQL were discovered by our fuzzer since the SQL statement whitelist restriction has been enhanced in Chrome WebSQL in 2020. Furthermore, the identified vulnerabilities were all rated as high severity. The details and exploits of these vulnerabilities will also be shared by us.

Conference:  Global AppSec Dublin 2023

Authors: Gil Cohen, Omri Inbar

2023-02-16

Two vulnerable websites which were found to be vulnerable to CRLF injection, caused Google Chrome to behave differently. This trigged an exciting research journey ending in finding weaknesses in reverse proxies, Chrome and other browsers as well as a new hacking technique named Frontend server hijacking or Frontjacking in short. Frontjacking combines CRLF injection, poorly configured servers and shared hosting, enables attackers to execute any reflected XSS and phishing related payloads while bypassing any defensive mechanisms including CSP (Content Security Policy), HttpOnly cookie attributes, WAFs (Web Application Firewalls), CORS (Cross Origin Resource Sharing) and HTTPS certificate validation.