Password managers, such as the Okta Browser Plugin, can defend against phishing attacks. However, to prevent the compromise of passwords, password managers must themselves be hardened against attacks that confuse them into misidentifying websites. To help achieve this, the Okta Research and Exploitation team (REX) has created a tool, hack_url_re, that automatically detects certain vulnerabilities in the pattern-matching code, “regular expressions” in particular, that password managers commonly use to identify websites. It reduces the chance of a subtle mistake slipping past human eyes and making its way into production.
The tool applies sophisticated automated reasoning using Microsoft's Z3 theorem prover. When it reports an issue, hack_url_re outputs a justification for its result that is easy to validate, either automatically or manually. The tool introduces various techniques to achieve a good balance of efficiency, simplicity, and thoroughness, with options for choosing the level of analysis. The Okta REX team hopes this tool assists you in finding possible vulnerabilities and in developing new tools for your own automated hacking.
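To make concrete what “confusing a regular expression into misidentifying a website” looks like, here is an added example that is not part of the original post and not hack_url_re's own code. It is a small differential checker: a weak URL-matching regex and a hardened one are each compared against a proper URL parser on a constructed set of URLs, and every disagreement is reported as a misidentification. The site name `login.example`, the placeholder `attacker.example`, the two regexes and the URL list are all constructed for illustration. Where hack_url_re reasons symbolically with Z3 over all possible inputs, this script only enumerates a handful of known confusion patterns, which is exactly the gap an automated prover closes.

```python
"""Differential check of a site-identifying regex against a reference URL parser.

Added illustration, not hack_url_re. All hostnames and URLs below are constructed.
"""
import re
from urllib.parse import urlsplit

# Hypothetical site the password manager is supposed to recognise.
SITE_HOST = "login.example"


def reference_is_site(url: str, site_host: str = SITE_HOST) -> bool:
    """Ground truth: parse the URL, require https, and require the hostname to be
    the site host itself or a subdomain of it. Everything else is not the site."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    host = parts.hostname.lower()
    return host == site_host or host.endswith("." + site_host)


def regex_is_site(pattern: "re.Pattern[str]", url: str) -> bool:
    """What a regex-based matcher would decide for the same URL."""
    return pattern.search(url) is not None


# Constructed corpus covering common ways a host-matching regex gets confused.
CONSTRUCTED_URLS = [
    "https://login.example/app",                          # the real site
    "https://sso.login.example/",                         # legitimate subdomain
    "http://login.example/app",                           # wrong scheme
    "https://loginXexample/",                             # unescaped '.' matches any char
    "https://login.example.attacker.example/",            # site name as a subdomain of another host
    "https://attacker.example/login.example",             # site name in the path
    "https://attacker.example/?r=https://login.example",  # site name in the query string
    "https://login.example@attacker.example/",            # site name in the userinfo part
]


def find_misidentifications(pattern: "re.Pattern[str]") -> list:
    """Return the constructed URLs on which the regex disagrees with the parser."""
    return [u for u in CONSTRUCTED_URLS
            if regex_is_site(pattern, u) != reference_is_site(u)]


# Weak pattern: optional 's', unanchored, unescaped '.', and '.*' lets the site
# name appear anywhere in the URL rather than in the host position.
WEAK = re.compile(r"https?://.*login.example")

# Hardened pattern: anchored at the start, https only, optional subdomain labels,
# escaped dots, optional port, and the host must end at '/' or end of string.
HARDENED = re.compile(r"^https://([a-z0-9-]+\.)*login\.example(:\d+)?(/|$)",
                      re.IGNORECASE)


if __name__ == "__main__":
    for name, pat in (("weak", WEAK), ("hardened", HARDENED)):
        bad = find_misidentifications(pat)
        print(f"{name}: {len(bad)} misidentification(s)")
        for u in bad:
            print("   ", u)
```

Running it reports six misidentifications for the weak pattern and none for the hardened one on this corpus. The reference parser is the oracle: a regex is only as trustworthy as its agreement with a correct decomposition of the URL into scheme, userinfo, host, port, path and query, and the constructed cases show each of those components being abused in turn. An enumeration like this can only catch the confusions its author thought of; a prover-based tool asks the opposite question, whether any string exists that the regex accepts and the parser rejects.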
For the full technical breakdown of hack_url_re, check out my post, “Using hack_url_re to Auto Detect Website Spoofing Vulnerabilities,” on our Security blog.