IBM Rational Application Security Group (aka Watchfire)
Active Man in the Middle Attacks
Adi Sharabani
Web Based Man In the Middle Attack © 2009 IBM Corporation
The OWASP Foundation
OWASP
http://www.owasp.org
Adi Sharabani
Security Research Group Manager
IBM Rational Application Security (a.k.a. Watchfire)
adish
Agenda
• Background
– Man in the Middle
– Network level: heavily researched
– Web application level: sporadic research
• Outline
– Passive MitM attacks
– Active MitM attacks
– Penetrating an internal network
– Remediation
Man in the Middle Scenario
• All laptop users connect to a public network
• A wireless connection can easily be compromised or impersonated
• Wired connections might also be compromised
(Figure: laptop users reaching the Internet through a public network)
Rules of Thumb – Don'ts …
• Someone might be listening to the requests
– Don't browse sensitive sites
– Don't supply sensitive information
• Someone might be altering the responses
– Don't trust any information given on web sites
– Don't execute downloaded code
Rules of Thumb – What Can You Do?
• This leaves us with:
– Browse your favorite news site
– Browse your favorite weather site
(Figure: the Internet split into non-sensitive, "boring" sites and sensitive, "interesting" sites)
You are still vulnerable
Mitigating a Fallacy
• Fallacy
– Executing JavaScript on the victim == executing an attack
• Reality
– The same origin policy confines a script to the domain it was loaded from
– Executing an attack requires JavaScript plus either a browser implementation bug, or execution in the context of the specific target domain
– Execution on a specific domain can be achieved through XSS
Passive Man in the Middle Attacks
– Victim browses to a website
– Attacker views the request, manipulates it and forwards it to the server
– Server returns a response
– Attacker views the response, manipulates it and forwards it to the victim
– Other servers are not affected
Active Man in the Middle Attack
• The attacker actively directs the victim to an "interesting" site
• The IFRAME could be invisible
– Victim browses to a "boring" site (My Weather Channel)
– Attacker transfers the request to the server
– Server returns a response
– Attacker adds an IFRAME referencing an "interesting" site (My Bank Site)
– Automatic request sent to the interesting server
– Other servers are not affected
Stealing Cookies*
• Obvious result: stealing the cookies associated with any domain the attacker desires
– The automatic request contains the victim's cookies for that domain
• Will also work for HttpOnly cookies (as opposed to XSS attacks): HttpOnly only keeps a cookie away from script, while here the cookie is read from the Cookie header as it crosses the wire in plain HTTP
* A similar attack was presented by Sandro Gauci – Surf Jacking
Demo
Overcoming Same Origin Policy
– Victim surfs to a "boring" site
– Attacker injects an IFRAME directing to an "interesting" site
– Automatic request sent to the interesting server
– Attacker forwards the automatic request to the "interesting" server
– "Interesting" server returns a response
– Attacker adds a malicious script to the response
– Script executes with the "interesting" server's restrictions, i.e. in that server's origin
• Result
– Attacker can execute scripts on any domain she desires
– Scripts can fully interact with any "interesting" website
• Limitations
– Will only work for non-SSL web sites
Secure Connections – Login Mechanism
Secure Connections – Login Mechanism
(Figure: "Please Login" form with Username jsmith, Password ********, SUBMIT; then a "Login Successful – Hello John Smith" page)
– Victim browses to site http://www.webmail.site
– Site returns a response with the login form
– Victim fills in login details and submits the form
– Login request is sent through a secure channel
• The pre-login page is sent in clear text
• Attacker could alter the pre-login response (e.g. the form's action) to make the login request go out unencrypted
Stealing Auto-Completion Information
– Attacker redirects the victim to a request for a pre-login page
– Attacker returns the original login form together with a malicious script
– Script accesses the auto-completion information using the DOM
• Result
– Attacker can steal any auto-completion information she desires
• Limitations
– Will only work for pre-login pages that are not encrypted
– Will not work seamlessly in IE
* A passive version of this attack was described by RSnake in his blog
Demo
Broadening the Attack (Time Dimension)
(Figure: timeline of what each attack class reaches)
– Present, "boring" sites: passive MitM attacks
– Past, "interesting" sites: active MitM attacks
– Future, "interesting" sites: active MitM attacks
Session Fixation
– Attacker redirects the victim to the site of interest
– Attacker returns a page with a cookie generated by the server
– Cookie is saved on the victim's computer
– A while later, the victim connects to the site (with the pre-provided cookie) and logs in
– Attacker uses the same cookie to connect to the server
– Server authenticates the attacker as the victim
• Result
– Attacker can set persistent cookies on the victim
• Limitations
– The vulnerability also lies within the server: it must keep using the pre-authentication session identifier after login (a server that issues a fresh identifier on login is not affected)
Cache Poisoning
– Attacker redirects the victim to the site of interest
– Attacker returns a malicious page with caching enabled (far-future expiry)
– Page is cached on the victim's computer
– A while later, the victim visits the site and the browser serves the poisoned page from its cache
• Result
– Attacker can poison any page she desires
– Poisoned pages will be persistent
• Limitations
– Attacker can only poison non-SSL resources
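The forged responses behind the Session Fixation and Cache Poisoning slides above, as an added example that is not code from the talk or from Watchfire. It builds the two responses an on-path attacker would return for the site of interest and adds a simplified freshness calculation that shows why the planted objects outlive the hot-spot session. The site, the session identifier, the script and the timestamps are made up; the freshness rules follow RFC 7234 precedence but ignore heuristic freshness.

```javascript
// Added example, not from the talk: the forged responses behind the two
// "future" attacks (session fixation and cache poisoning), plus a simplified
// freshness calculation showing why the planted objects outlive the hot-spot
// session. Pure functions over constructed messages; the site, session
// identifier and script are made up.

const SITE = 'http://bank.example';   // assumed site of interest, plain HTTP
const ONE_YEAR = 365 * 24 * 3600;     // seconds

// Session fixation. `sessionId` is a value the attacker obtained earlier
// from the real server by visiting it herself. Expires and Max-Age make the
// cookie persistent; Path=/ makes the browser send it on every later
// request to the site, including the one that carries the victim's login.
function forgeFixationResponse(sessionId, now) {
  const expires = new Date(now.getTime() + ONE_YEAR * 1000).toUTCString();
  return {
    status: 200,
    headers: {
      'content-type': 'text/html',
      'set-cookie': `SESSIONID=${sessionId}; Path=/; Expires=${expires}; Max-Age=${ONE_YEAR}`,
    },
    body: '<html><body></body></html>',
  };
}

// True when a Set-Cookie value survives the browser session.
function isPersistentCookie(setCookie) {
  return /;\s*(expires|max-age)\s*=/i.test(setCookie);
}

// Cache poisoning. Cache-Control and Expires make the browser keep the
// response for a year. Last-Modified lets a later If-Modified-Since
// revalidation get 304 from the real server whenever its copy is older
// than that date, so the poisoned copy survives revalidation too.
function forgePoisonedResponse(path, script, now) {
  return {
    url: SITE + path,
    status: 200,
    headers: {
      'content-type': 'text/html',
      'cache-control': `public, max-age=${ONE_YEAR}`,
      'expires': new Date(now.getTime() + ONE_YEAR * 1000).toUTCString(),
      'last-modified': now.toUTCString(),
      'date': now.toUTCString(),
    },
    body: `<html><body><script>${script}</script></body></html>`,
  };
}

// Seconds a cache may serve the response without contacting the origin,
// following RFC 7234 precedence: no-store or no-cache -> 0, else max-age,
// else Expires minus Date, else 0 (heuristic freshness ignored).
function freshnessLifetime(headers, now) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  if (/\bno-(store|cache)\b/.test(cc)) return 0;
  const m = /\bmax-age=(\d+)/.exec(cc);
  if (m) return parseInt(m[1], 10);
  if (headers['expires']) {
    const exp = Date.parse(headers['expires']);
    const date = headers['date'] ? Date.parse(headers['date']) : now.getTime();
    if (!isNaN(exp) && !isNaN(date)) return Math.max(0, Math.floor((exp - date) / 1000));
  }
  return 0;
}
```

Both forgeries work because the attacker, not the site, chooses the headers of the response the victim's browser stores; a site cannot defend against them with its own caching or cookie policy, only by not being reachable over plain HTTP (the Limitations bullet) or, for fixation, by issuing a fresh session identifier at login.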
Demo
Complex Hacking – Virtual Private Networks
Virtual Private Networks (VPN)
• VPN client initialization
– Create a secure network interface
– Set the user's routing table
• VPN client finalization (upon exit or when the connection is lost)
– Revert the routing table
• Do not confuse VPN and HTTPS architectures!
VPN Mixed Content
(Figure: a page on an internal web site whose source contains)
<html>
<script src=http://external/sc.js>
...
– Victim surfs to a page in the VPN network
– The page pulls a script from a host outside the VPN over plain HTTP
– Attacker alters the non-encrypted script
– Malicious script executes within the secure environment
• Result
– VPN web sites are compromised
– User is not alerted to the security risk, as opposed to SSL mixed content issues
• Limitations
– Such mixed content is not widely used
Hacking Non-Available Sites
• Result
– Attacker can view and change any HTTP cache object, even for sites the attacker cannot reach: the browser caches by URL, so the attacker only needs to answer the victim's request for that URL while on the path
VPN Cache Injection
– Attacker disconnects the victim's connection to the VPN server
– After the routing table is reverted, the attacker poisons the cache of an internal site
– Attacker restores the connection
– Attacker redirects the victim to the cached resource
– Cached resource loads and the malicious cached script executes
• Result
– VPN is great for the network level
– VPN is not enough for the application level
– This attack could be applied to other application protocols!
Complex Hacking – Intranet Networks
Penetrating Internal Network – Simple Cache Poison
• Result
– Attack will be launched every time the victim accesses the resource
– The attack executes within the local intranet
• Characteristics
– Firewall protections are helpless
– Affected servers will never know
– The attack is persistent
Setting Up a Future MitM Scenario
– Using active MitM techniques, the attacker poisons the victim's cache related to his router's web access
– Victim's router-related cache is poisoned with a malicious script
– Malicious script executes when the victim tries to access the router
– Script configures the router to tunnel future communication through the attacker
– Script hides the configuration changes
(Figure: router settings page showing Outbound Proxy IP Address 216.187.118.221 and Primary DNS Server Address 216.187.118.221)
• Result
– Facilitates future MitM scenarios
– Does not require the router's credentials
– Fake settings could be displayed to the user
• Limitations
– Requires the victim to access the router in the future
– Need to guess the router's address (10.0.1.1)
Increasing the Exposure
• Poison common home pages
– Script will execute every time the victim opens his browser
• Poison common scripts
– Script will execute on every page using the common script
– Example: http://www.google-analytics.com/ga.js
• The "double active" attack
– Common poisoned page redirects to another poisoned resource
The Double Active Cache Poisoning Attack
– Using active MitM techniques, the attacker poisons a common router's address (i.e. 10.0.1.1)
– Attacker also poisons common home pages
– At a later time, the victim opens the browser
– Cached home page is loaded and redirects the victim's browser to the router's web interface
– Cached router's web interface is loaded and the malicious script changes the router's settings
– Router is compromised by the malicious script
• Result
– Internal network has been compromised
• Limitation
– Need to guess router IP and credentials
Active Attack Characteristics
– Not noticeable in the user's experience
– Not noticeable by any of the web sites
– IPS/IDS will not block it
– Can be persistent
– Can be used to hack into the local organization
– Bypasses any firewall or VPN
– Can be used to access non-HTTP servers
– Can be used with DNS pinning techniques
– A problem with the current design
– Requires only one plain HTTP request to be transmitted
Remediation
• Users
– Do not use auto-completion
– "Clean slate policy"
– Trust level separation: two different browsers, two different users, two different OS, virtualization products
– Tunnel communication through a secure proxy (might not be allowed in many hot-spots)
• Web owners
– Consider the risks of partial SSL sites
– Do not consider a secure VPN connection an SSL replacement
– Use random tokens for common scripts (while considering performance issues)
– Avoid referring to external scripts from internal sites
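A static check for the web-owner points above and for the VPN mixed-content case, as an added example that is not code from the talk or from Watchfire. Given a page URL and its HTML it flags a password form delivered over plain HTTP (even when the form posts to https), a plain-HTTP script pulled into an https page or into an internal (VPN-only) page, and a plain-HTTP common script at a fixed, guessable URL. It is regex based and heuristic; the internal-domain suffixes, the sample page and every hostname in it are made up.

```javascript
// Added example, not from the talk: a static audit of an HTML page for the
// web-owner remediation points and the VPN mixed-content case. Regex based
// and heuristic; the internal-domain suffixes, sample page and URLs are
// constructed for the example.

const INTERNAL_SUFFIXES = ['.corp.example', '.intranet.example']; // assumed

function isInternalHost(hostname) {
  return INTERNAL_SUFFIXES.some(s => hostname.endsWith(s));
}

// Attribute name/value pairs of one tag; values may be double-, single- or
// un-quoted (the slide's example is unquoted: src=http://external/sc.js).
function attrs(tag) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    out[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return out;
}

// Returns a list of { kind, detail } findings for the page at pageUrl.
function auditPage(pageUrl, html) {
  const findings = [];
  const page = new URL(pageUrl);
  const internal = isInternalHost(page.hostname);

  // 1. Partial SSL: a password form on a page fetched over http. Posting to
  //    https does not help, since the attacker rewrites the form on its way in.
  for (const form of html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || []) {
    if (!/<input\b[^>]*type\s*=\s*["']?password/i.test(form)) continue;
    if (page.protocol !== 'http:') continue;
    const action = attrs(form.match(/<form\b[^>]*>/i)[0]).action || page.href;
    findings.push({ kind: 'login-form-over-http', detail: action });
  }

  // 2. Script sources fetched over plain HTTP.
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attrs(tag).src;
    if (!src) continue;
    const u = new URL(src, page.href);
    if (u.protocol !== 'http:') continue;        // https scripts are out of reach
    if (page.protocol === 'https:') {
      findings.push({ kind: 'mixed-content-script', detail: u.href });
    }
    // VPN case: an internal page pulling a script from a host outside the VPN.
    if (internal && !isInternalHost(u.hostname)) {
      findings.push({ kind: 'external-script-on-internal-page', detail: u.href });
    }
    // 3. A common script at a fixed URL is poisoned once and then runs on every
    //    page that includes it; a random per-deployment token in the URL makes
    //    the cache key unguessable (the slide's "random tokens" suggestion).
    if (!u.search) {
      findings.push({ kind: 'fixed-url-script', detail: u.href });
    }
  }
  return findings;
}

// Constructed sample: the deck's webmail case, pre-login page over http,
// form posting to https, one common script over http.
const SAMPLE_URL = 'http://webmail.example/';
const SAMPLE_HTML = `<html><body>
<form action="https://webmail.example/login" method="post">
<input name="user"><input type="password" name="pass"><input type="submit" value="SUBMIT">
</form>
<script src="http://cdn.example/common.js"></script>
</body></html>`;
```

Run it over a crawl of the site and treat every finding as a page the attacks in this talk can start from. Two mechanisms that did not exist in 2009 now cover part of the Industry ask that follows: HTTP Strict Transport Security (RFC 6797) lets a site refuse the plain-HTTP pre-login hop entirely, and Subresource Integrity gives browsers an integrity check for scripts; neither helps a site that still serves any page over plain HTTP.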
• Industry
– Build an integrity mechanism for HTTP
– Secure WiFi networks
Summary
• Active MitM attacks broaden the scope of the passive attacks
– Design issues
– Dimension of time
– Past (steal cookies, auto-completion information, cache)
– Future (set up cookies, poison cache, poison form filler)
– Penetrating internal networks
– Persistent
– Bypass any current protection mechanism
• More information:
– Paper and presentation will be uploaded to our blog: http://blog.watchfire.com
References
• Additional information at Watchfire's blog:
– http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
• Wireless Man in the Middle Attacks:
– http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
• Side Jacking:
– http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
• More on SideJacking:
– http://erratasec.blogspot.com/2008/01/more-sidejacking.html
• Surf Jacking:
– http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
• Stealing User Information:
– http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
Thank you!