Conference:  Black Hat Asia 2023

Authors: Ziling Chen, Nan Wang, Hongli Han

2023-05-12

Nowadays, multiple mitigation mechanisms have gradually been added to Google Chrome in order to reduce the traditional RCE attack surfaces (e.g., V8 and Blink), which greatly increases the attack difficulty. Besides these well-known attack surfaces, we found SQLite can be directly accessed by remote attackers via Chrome WebSQL API.In this talk, we will present a mutation-based Fuzzer towards WebSQL. By leveraging extra syntax tree and context analysis, the fuzzer substantially improves the syntactic and semantic correctness of the generated SQL samples, and uncovered new vulnerabilities in WebSQL.Most of the acknowledged CVEs related to WebSQL were discovered by our fuzzer since the SQL statement whitelist restriction has been enhanced in Chrome WebSQL in 2020. Furthermore, the identified vulnerabilities were all rated as high severity. The details and exploits of these vulnerabilities will also be shared by us.