
Commit 1f8e5bf

Updating for ep13-clipboard-attacks
1 parent e537c5e commit 1f8e5bf


1 file changed

+188
-0
lines changed


ep13-clipboard-attacks/readme.org

Lines changed: 188 additions & 0 deletions
@@ -0,0 +1,188 @@
1+
#+TITLE: Browser Clipboard Attacks
2+
#+DATE: Attacks/Defense
3+
#+AUTHOR: Zach Roof
4+
* Browser Clipboard Attacks/Defense :ep_3:
5+
:PROPERTIES:
6+
:CUSTOM_ID: h-6C0AE174-9CC6-48AF-9C2D-61D94246BF20
7+
:END:
8+
** Table Of Contents :toc_3_gh:injection:noexport:
9+
:PROPERTIES:
10+
:CUSTOM_ID: h-E2FCBD6C-BE30-4131-A6AE-844E0BE39093
11+
:END:
12+
- [[#browser-clipboard-attacksdefense][Browser Clipboard Attacks/Defense]]
13+
- [[#talk-scope][Talk Scope]]
14+
- [[#css-attack-ex][CSS Attack Ex]]
15+
- [[#css-attack-ex-cont][CSS Attack Ex (CONT.)]]
16+
- [[#clipboard-apis-documentexeccommand][Clipboard APIs: document.execCommand()]]
17+
- [[#javascript-attack-ex][Javascript Attack Ex]]
18+
- [[#clipboard-apis-clipboard-api][Clipboard APIs: Clipboard Api]]
19+
- [[#future-js-clipboard-attacks][Future JS Clipboard Attacks?]]
20+
- [[#clipboard-fingerprinting][Clipboard Fingerprinting]]
21+
- [[#mitigations-zero-width-characters][Mitigations: Zero-width Characters]]
22+
- [[#mitigations-terminal-attacks][Mitigations: Terminal Attacks]]
23+
- [[#mitigations-terminal-attacks-cont][Mitigations: Terminal Attacks (CONT.)]]
24+
- [[#other-vectorsissues][Other Vectors/Issues]]
25+
- [[#additional-resources][Additional Resources]]
26+
27+
** Talk Scope
28+
:PROPERTIES:
29+
:CUSTOM_ID: h-853FB39F-D352-437D-BFA7-1B19A6A40BC7
30+
:END:
31+
#+ATTR_REVEAL: :frag (default)
32+
1. Live example of a CSS clipboard attack
33+
- Can give the attacker remote code execution
34+
2. Live example of a Javascript clipboard issue
35+
- Understand how invisible characters in your clipboard can invade your privacy
36+
3. Learn how clipboard attack mitigations can be bypassed
37+
3. Learn secure ways of interacting with our clipboard
38+
39+
** CSS Attack Ex
40+
:PROPERTIES:
41+
:CUSTOM_ID: h-2925C23B-AAD6-42D6-A7EF-A5D9A2BBF8A5
42+
:END:
43+
#+ATTR_REVEAL: :frag (default)
44+
+ Env Setup
45+
+ ~docker run -it ubuntu bash~
46+
+ ~apt-get update && apt-get install -y git~
47+
+ Will give you a safe terminal prompt
48+
+ [[https://sts.tools/clipboard-attacks-css]]
49+
+ Paste in Version #1 and Version #2 into the terminal
50+
+ What differences do you notice?
51+
52+
** CSS Attack Ex (CONT.)
53+
:PROPERTIES:
54+
:CUSTOM_ID: h-2461EC89-6955-48B6-8DD6-75D81C09B7E2
55+
:END:
56+
#+ATTR_REVEAL: :frag (default)
57+
+ Phishing
58+
+ Attacker puts link in ~<div>~
59+
+ ~Check out this new bitcoin exchange at https://exchange.example.com~
60+
+ User can't click the link, so they copy/paste
61+
+ Attacker places ~https://evil-exchange.example.com~ into the clipboard
62+
+ Further obfuscation
63+
+ Could remove itself from ~$HOME/.bash_history~
64+
+ How does the CSS Vector compare with the Javascript Vector?
65+
66+
** Clipboard APIs: document.execCommand()
67+
:PROPERTIES:
68+
:CUSTOM_ID: h-5A0E8A03-62B7-4B04-AC7E-12AE8D6D5110
69+
:END:
70+
#+ATTR_REVEAL: :frag (default)
71+
+ [[https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand][document.execCommand()]]
72+
+ Cross-Browser Clipboard Access
73+
#+BEGIN_SRC js :noweb yes :export code
74+
document.execCommand('cut');
75+
document.execCommand('copy');
76+
document.execCommand('paste');
77+
#+END_SRC
78+
+ You can use the ~cut~ and ~copy~ commands without any special permission if
79+
you are using them in a short-lived event handler for a user action (for
80+
example, a click handler) - [[https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Interact_with_the_clipboard][Mozilla]]
81+
#+ATTR_REVEAL: :frag (default)
82+
+ ~onclick~ within ~<body>~
83+
+ Much more invasive compared to CSS Vector
84+
85+
** Javascript Attack Ex
86+
:PROPERTIES:
87+
:CUSTOM_ID: h-ACDE2BD1-EE0F-48E7-850A-9085C00E9BCC
88+
:END:
89+
+ https://sts.tools/clipboard-attacks-js
90+
+ Ad networks that allow Javascript execution
91+
#+ATTR_REVEAL: :frag (default)
92+
+ On all bitcoin sites, copy malicious bitcoin address to clipboard
93+
+ "How to Buy X Cryptocurrency" Article
94+
+ Override clipboard to contain attacker controlled bitcoin address
95+
96+
** Clipboard APIs: Clipboard Api
97+
:PROPERTIES:
98+
:CUSTOM_ID: h-F9BEC0B5-CE10-4B14-A0B3-6739D95251C7
99+
:END:
100+
#+ATTR_REVEAL: :frag (default)
101+
+ Experimental technology
102+
+ Meant to give more granular permissions
103+
+ Replacing ~execCommand~
104+
+ Additional Resources
105+
+ Chrome Dev Fiddle
106+
+ https://sts.tools/chrome-team-fiddle
107+
108+
** Future JS Clipboard Attacks?
109+
:PROPERTIES:
110+
:CUSTOM_ID: h-BA9F5016-B0DC-494C-9C9E-C4DBDDBD5D26
111+
:END:
112+
#+ATTR_REVEAL: :frag (default)
113+
+ Potential future attacks as clipboard apis advance
114+
+ What if Javascript could easily copy an image to the clipboard?
115+
#+ATTR_REVEAL: :frag (default)
116+
+ Image Compression Bombs
117+
+ DoS attack
118+
+ To calculate how much memory an image will require to render, simply
119+
multiply the pixel ratio by the bit-depth –– a 50Kx50K pixel, 8-bit (RGB)
120+
image will require about 2.5GB (50,000 x 50,000 x 1 byte = 250,000,000
121+
bytes) - https://bomb.codes/bombs
122+
+ Other Javascript considerations?
123+
+ Clipboard Fingerprinting
124+
125+
** Clipboard Fingerprinting
126+
:PROPERTIES:
127+
:CUSTOM_ID: h-BAB35CDE-C049-4401-BC8F-6B6D88678491
128+
:END:
129+
#+ATTR_REVEAL: :frag (default)
130+
+ Example: https://umpox.github.io/zero-width-detection/
131+
+ Zero-width characters
132+
+ Invisible characters that are not usually displayed
133+
+ How does this work?
134+
#+ATTR_REVEAL: :frag (default)
135+
1. Username is converted to binary
136+
2. Binary username is converted to zero-width characters
137+
3. Inserted zero-width username into the text
138+
+ More info within link above
139+
140+
** Mitigations: Zero-width Characters
141+
:PROPERTIES:
142+
:CUSTOM_ID: h-675CE99A-A8F1-4B97-9B1F-E82D42CACBCE
143+
:END:
144+
+ https://github.com/chpmrc/zero-width-chrome-extension
145+
146+
** Mitigations: Terminal Attacks
147+
:PROPERTIES:
148+
:CUSTOM_ID: h-336B9DC4-EEA4-4292-AAA6-918C2F9D0A90
149+
:END:
150+
#+ATTR_REVEAL: :frag (default)
151+
+ "Paste Into Vim"
152+
+ [[https://unix.stackexchange.com/questions/355610/is-vim-immune-to-copy-paste-attack][Can have issues]]
153+
+ Paste into CLI utility
154+
+ Pasting ~^Z~ will return to the shell
155+
+ Bracketed Paste Mode
156+
+ When set, pasted text is delimited with control sequences so that the
157+
program can differentiate pasted text from typed-in text
158+
+ What if the attack string contains the closing delimiter?
159+
160+
** Mitigations: Terminal Attacks (CONT.)
161+
:PROPERTIES:
162+
:CUSTOM_ID: h-AA600304-2E71-4E9D-A462-5F8DEAB509AF
163+
:END:
164+
+ Takeaway
165+
#+ATTR_REVEAL: :frag (default)
166+
+ Just inspect the text outside of an execution context :)
167+
+ Chrome address bar doesn't respect newlines
168+
+ iterm ~Advanced Paste Mode~
169+
170+
* Other Vectors/Issues
171+
:PROPERTIES:
172+
:CUSTOM_ID: h-FAF23498-E67F-4C39-B40E-7FB0FBB7356D
173+
:END:
174+
#+ATTR_REVEAL: :frag (default)
175+
+ Copy Pest
176+
+ https://www.youtube.com/watch?v=t7sUajttbDM
177+
+ https://www.slideshare.net/x00mario/copypest
178+
+ Facebook iOS app reading information from clipboard
179+
+ https://news.ycombinator.com/item?id=16034854
180+
181+
* Additional Resources
182+
:PROPERTIES:
183+
:CUSTOM_ID: h-269EC506-6D6C-46D4-8EFC-077CFEED9EC0
184+
:END:
185+
+ Clipboard API
186+
+ https://w3c.github.io/clipboard-apis
187+
+ https://developers.google.com/web/updates/2018/03/clipboardapi
188+
+ https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API
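Review bot: In the "Future JS Clipboard Attacks?" section (new lines 118-121) the worked figure contradicts itself: 50,000 x 50,000 x 1 byte is 2,500,000,000 bytes, not 250,000,000, so the parenthetical does not support the "about 2.5GB" it sits beside. Suggest correcting the product, or, if the sentence is a verbatim quote from bomb.codes, marking it as a quote so the slip is clearly the source's. Smaller points in the same file: the Talk Scope list numbers two consecutive items "3." (new lines 36-37); the "#+DATE:" keyword holds "Attacks/Defense", which reads like the tail of the title rather than a date; and "Other Vectors/Issues" and "Additional Resources" are added as top-level "*" headings while the table of contents nests them under the main heading alongside the "**" sections.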
