In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.
Web Application Social Engineering Vulnerabilities
Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services
Agenda
1. Overview
2. Homograph Attacks
3. Web Application Vulnerabilities
4. Demonstration
Presentation Overview
• This presentation will demonstrate some attacks that can be used to target users and administrators of web applications.
• You will learn techniques attackers use to steal money and sensitive data while going undetected.
Domain Spoofing
Homograph Attacks
Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our attacks more convincing
Internationalized Domain Names (IDN)
http://إختبار.مثال
http://例子.测试
http://παράδειγμα.δοκιμή
http://пример.испытание
http://בײַשפּיל.טעסט
The problem is, this is also an Internationalized Domain Name:
miсrоsоft.com
This is not:
microsoft.com
When Homographs Attack
Homograph Attacks – A Brief History
2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.
microsoft.com (authentic)
miсrоsоft.com (Russian letters ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
Web Browsers Were Fixed.. Kinda
2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera
www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)
www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)
http://www.shmoo.com/idn/homograph.txt
Still not fixed
2009 – Chris Weber discloses IDN spoofing issue with Safari
https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733
Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox, Internet Explorer
http://www.idnnews.com/?p=8760
Chrome 14.0 Windows
Firefox 7.0 Windows
Internet Explorer 9.0 Windows
Safari 5.1 Windows
Safari 5.0.2 iPhone
Android 2.2
Opera Mini 6.0 iPhone
These are all the same domain
Safari’s IDN Handling Policy
• There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt
http://support.apple.com/kb/TA22996
Safari’s White List
# Default Web Kit International Domain Name Script White List.
Common
Inherited
Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi
Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari
My first attempt
• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”
Somewhat Convincing Spoof in both Punycode and Native Character Formats
• xn--microsoft-msft.com (Punycode)
• micro̦so̦ft.com (native characters)
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see this:
• Otherwise, they will see this:
Hmm.. This is interesting
• sy̲mantec.com
• xn--symantec-rcf.com (Punycode)
• Unicode 0x0332 “COMBINING LOW LINE”
• Safari in Windows 7 - Underline doesn’t display:
Achievement unlocked!
A fix?
Removing “Latin” from the Safari IDN white list causes this:
To become this:
IDN Spoofing on iOS Devices
The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:
夆 U+5906
悞 U+609E
暵 U+66B5
煒 U+7152
譿 U+8B7F
驊 U+9A4A
Bonus: They are allowed by Safari’s default white list (Han)
iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)
Opera Mini:
Mobile Safari:
Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.
We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait
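A detection-side check for the hostnames in this section, added here as an example and not part of the presentation: it computes the Punycode form with Python's standard idna codec and flags the three patterns the slides rely on (mixed Cyrillic/Latin scripts, combining marks such as U+0332, and non-ASCII Latin lookalikes such as ỵ). The sample hostnames are constructed to mirror the slides.

```python
import unicodedata


def script_of(ch):
    """Crude script label taken from the Unicode name (LATIN, CYRILLIC, CJK, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_label(label):
    """Signals a defender can compute for one DNS label before a user sees it."""
    try:
        punycode = label.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # IDNA refuses the label (prohibited or unassigned code point)
    scripts = sorted({script_of(c) for c in label if c.isalpha()})
    marks = ["U+%04X" % ord(c) for c in label if unicodedata.category(c).startswith("M")]
    signals = {
        "label": label,
        "punycode": punycode,
        "is_idn": punycode is not None and punycode.startswith("xn--"),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,             # mi[с]r[о]s[о]ft: CYRILLIC + LATIN
        "combining_marks": marks,                     # sy̲mantec: U+0332 COMBINING LOW LINE
        "latin_lookalike": scripts == ["LATIN"] and not label.isascii(),  # sỵmantec
    }
    signals["suspicious"] = bool(signals["mixed_script"] or marks or signals["latin_lookalike"])
    return signals


def analyze_hostname(host):
    """Per-label analysis plus an overall verdict for a whole hostname."""
    labels = [analyze_label(part) for part in host.lower().rstrip(".").split(".")]
    return {
        "host": host,
        "punycode": ".".join(item["punycode"] or "?" for item in labels),
        "labels": labels,
        "suspicious": any(item["suspicious"] for item in labels),
    }


if __name__ == "__main__":
    # Constructed samples mirroring the slides: Cyrillic es/o, y with dot below,
    # combining low line, and the Han ideograph U+5906 that iOS could not render.
    for h in ["microsoft.com", "mi\u0441r\u043es\u043eft.com", "s\u1ef5mantec.com",
              "sy\u0332mantec.com", "www.apple\u5906.com", "\u5906.\u5906.com"]:
        r = analyze_hostname(h)
        print("%-24s %-32s suspicious=%s" % (h, r["punycode"], r["suspicious"]))
```

A label written entirely in one non-Latin script, such as 夆.夆.com, passes these heuristics; catching that case needs a confusables table (UTS #39) or knowledge of what the client can actually render.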
QR Codes
Let me show you my QR codes
Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)
american.xn--redcross-vr0o.com
american.redcross夆.com
Web Application Vulnerabilities
Arbitrary URL Redirection
Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad
https://www.owasp.org/index.php/Open_redirect
URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)
URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
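A server-side allow-list check for the redirect_to parameter, added here as an example (not code from the slides or from WordPress). It assumes the application only ever redirects to ourcompany.com or one of its subdomains, and it compares hostnames in Punycode form so the percent-encoded, IDN-spoofed and suffix-appended variants shown above are all rejected.

```python
from urllib.parse import urlparse, parse_qs

# Assumption (not from the slides): the login page only redirects back to its own
# host or a subdomain of it.
ALLOWED_HOST = "ourcompany.com"


def host_is_allowed(host, allowed=ALLOWED_HOST):
    """Compare the Punycode (A-label) form of host against the allow-listed domain.

    Comparing A-labels means ourcompanỵ.com is compared as its xn-- form, so a
    confusable hostname can never match. The suffix test keeps blog.ourcompany.com
    but rejects ourcompany.com.xn--ourcompany-wr7r.com, whose registrable domain
    is the attacker's.
    """
    try:
        ascii_host = host.encode("idna").decode("ascii").lower().rstrip(".")
    except UnicodeError:
        return False  # IDNA refuses the label: treat as hostile
    return ascii_host == allowed or ascii_host.endswith("." + allowed)


def check_redirect(request_url, param="redirect_to"):
    """Return (allowed, reason) for the redirect parameter of a login request URL."""
    try:
        # parse_qs percent-decodes parameter *names* as well as values, so the
        # %72%65%64... obfuscation from the slides still resolves to redirect_to.
        targets = parse_qs(urlparse(request_url).query).get(param)
        if not targets:
            return True, "no redirect parameter"
        raw = targets[0].strip()
        target = urlparse(raw)
    except ValueError:
        return False, "unparseable redirect target"
    if target.scheme not in ("", "http", "https"):
        return False, "scheme %r not permitted" % target.scheme
    if not target.scheme and not target.netloc:
        # Relative target. Browsers read //host and /\host as an authority, so only
        # a single leading slash counts as a same-site path.
        if raw.startswith("/") and raw[1:2] not in ("/", "\\"):
            return True, "same-site path"
        return False, "relative target must be a single-slash path"
    if host_is_allowed(target.hostname or ""):
        return True, "host %r is on the allow list" % target.hostname
    return False, "host %r is not %s or a subdomain of it" % (target.hostname, ALLOWED_HOST)
```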
Web Application Vulnerabilities
Cross-Site Scripting
Cross-Site Scripting (XSS)
Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive information
Cool School:
• Compromise a fully patched and secured host
BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone
BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof of concept tool
Social Engineering Toolkit
Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector will get through just about anything
• Set up a SET listener on external host
• Send victim a URL redirect / put link on twitter or Facebook
• Use with XSS
Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects user to Wordpress login – steals credentials with keystroke logger
• Wordpress site then redirects to SET Java applet page
• SET host has an IDN hostname
• Windows 7 host is compromised
Tools Used
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
http://www.symantec.com/connect/symantec-blogs/the-security-advisor