I'm in your browser, pwning your stuff!
Attacking through Google Chrome extensions
Krzysztof Kotowicz

/whoami
• IT security consultant @ SecuRing
• Web security research (BlackHat, BruCON, Confidence, ...)
• blog.kotowicz.net
• @kkotowicz

Plan
• Why attack (through) Google Chrome extensions?
• How to do it?
• Isn't there a simpler way?

Why?

http://www.flickr.com/photos/hans905/4124897248/in/photostream/

Same origin policy
• XSS - code execution within the victim's origin
    "><script>alert(document.cookie)</script>
• CSRF - performing an action on the victim's behalf with a request from the attacker's origin
    x = new XMLHttpRequest();
    x.open("POST", "//victim.pl");
    x.send("delete_account&id=1");

http://www.flickr.com/photos/dimi15/707990005/in/photostream/

SOP bypass
• //superevr.com/blog/2012/top-level-universal-xss/
• //blog.detectify.com/post/32947196572/universal-xss-in-opera
• Rare, limited applicability
• They rely on browser bugs

http://www.flickr.com/photos/iloveblue/3302032125/in/photostream/

Chrome extensions
• HTML5 applications
  • html, javascript, css
• Packaged into a .crx file
  • a signed zip
• Installed through the Chrome Web Store
  • or manually

Chrome extensions
• Permissions are declared in the manifest.json file
• Access to many important APIs
  • chrome.tabs
  • chrome.bookmarks
  • chrome.history
  • chrome.cookies
  • NPAPI plugins

Chrome extensions
• Extensions are HTML applications
• The same vulnerability classes
  • including XSS

Chrome extensions
• XSS in an extension can mean
  • UXSS
  • access to URL history
  • r/w access to cookies
  • access to files
  • arbitrary code execution

How?
[Diagram, built up step by step over several slides: Chrome extension architecture. The web page consists of the DOM and its own script (js.js). content script.js works on the page DOM through getElementById(), createElement() and innerHTML. The content script exchanges messages with the extension's view.html and background.js via chrome.extension.sendRequest. background.js uses the chrome.* API (cookies, history, tabs, plugins, ...) and can inject code into tabs with chrome.tabs.executeScript.]

Vulnerabilities

XSS in content script
• the content script receives data
  • from the view
  • from the DOM
• and places it in the DOM without escaping

XSS in content script
• Consequences:
  • access to the DOM
  • unrestricted XHR
DEMO - zzzap-it
// values taken from the current tab are concatenated into the injected code string
chrome.tabs.executeScript(null, {
  code: "(" + funcLaunchZzzapIt.toString() + ")('"
    + tab.url.replace("'", "\\'") + "', '"
    + tab.title.replace("'", "\\'") + "', 'open')"
});
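
The zzzap-it snippet above builds the code passed to chrome.tabs.executeScript by string concatenation. The following added example (not code from the talk or from the extension) compares that pattern with JSON-literal encoding of the arguments; funcLaunchStub, the helper names and the sample tabs are assumptions made for illustration.

```javascript
// Added example, not code from the talk or from the extension.
// funcLaunchStub stands in for funcLaunchZzzapIt, whose body is not on the page.
function funcLaunchStub(url, title, mode) { return [url, title, mode]; }

// Pattern from the slide: concatenation plus replace("'", "\\'").
// replace() with a string pattern rewrites only the first match, and
// backslashes are not escaped at all.
function buildCodeUnsafe(fn, tab) {
  return "(" + fn.toString() + ")('" +
    tab.url.replace("'", "\\'") + "', '" +
    tab.title.replace("'", "\\'") + "', 'open')";
}

// Hardened: emit every argument as a JSON string literal. JSON.stringify
// escapes quotes, backslashes and control characters; U+2028/U+2029 are
// escaped as well because older JS engines treat them as line terminators.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildCodeSafe(fn, tab) {
  const args = [tab.url, tab.title, "open"].map(jsLiteral).join(", ");
  return "(" + fn.toString() + ")(" + args + ")";
}

// True when the generated code is still one well-formed call whose arguments
// come back unchanged. new Function stands in for the evaluation that
// chrome.tabs.executeScript would perform in the tab.
function roundTrips(code, tab) {
  try {
    const out = new Function("return " + code)();
    return out[0] === tab.url && out[1] === tab.title && out[2] === "open";
  } catch (e) {
    return false; // the data escaped its string literal and broke the syntax
  }
}

// Constructed sample tabs with ordinary titles.
const samples = {
  oneQuote: { url: "https://example.test/", title: "Bob's page" },
  twoQuotes: { url: "https://example.test/", title: "Bob's and Eve's page" },
  backslash: { url: "https://example.test/", title: "C:\\temp\\" },
};

function report() {
  const result = {};
  for (const [name, tab] of Object.entries(samples)) {
    result[name] = {
      unsafe: roundTrips(buildCodeUnsafe(funcLaunchStub, tab), tab),
      safe: roundTrips(buildCodeSafe(funcLaunchStub, tab), tab),
    };
  }
  return result;
}

console.log(report());
```

A sturdier design keeps tab data out of generated code altogether, for example by injecting a static script file and sending the values to it in a message.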

XSS in view
• the content script takes data from the page's DOM
• sends it to the view
• the view displays it without escaping

XSS in view
• Consequences:
  • ability to persist in the background
  • access to the chrome.* API (limited by permissions)
DEMO - Slick RSS: feed finder
<link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss">

Vulnerabilities in NPAPI
• Content from the page ends up in the view
• The view passes it to the NPAPI plugin
• The vulnerability in the plugin is triggered
[Diagram: the extension architecture diagram shown earlier, with an NPAPI box added]

Vulnerabilities in NPAPI
• Example: cr-gpg 0.7.8
string cmd = "c:\\windows\\system32\\cmd.exe /c ";
cmd.append(gpgFileLocation);
cmd.append("-e --armor");
cmd.append(" --trust-model=always");
// each recipient is appended to the cmd.exe command line as-is
for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
    cmd.append(" -r");
    cmd.append(peopleToSendTo.at(i));
}
[Diagram: the extension architecture diagram shown earlier, with added boxes NPAPI, cmd.exe and gpg.exe]

Simpler?

• alert(1) - and then what?
• An automation tool is needed
• Like BeEF, but for exploiting Chrome extensions
http://www.flickr.com/photos/josephwuorigami/3165180003/

Exploitation
• Monitoring tabs
• Executing JS on every tab
• Extracting HTML
• Reading/writing cookies
• Manipulating history
• Proxy settings

Starting the server
$ php -v
PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
$ php server.php 2>command.log
XSS ChEF server
by Krzysztof Kotowicz - kkotowicz at gmail dot com

Usage: php server.php [port=8080] [host=127.0.0.1]
Communication is logged to stderr, use php server.php [port] 2>log.txt
2012-07-22 12:40:06 [info] Server created
2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1...

Hook code

Console

Session selection

Payloads

Screenshots

Questions?
• https://github.com/koto/xsschef
• @kkotowicz