Adi Sharabani
Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)
OWASP
adish
http://www.owasp.org
Agenda
Background
Man in the Middle:
Network level: heavily researched
Web application level: sporadic research
Outline
Passive MitM attacks
Active MitM attacks
Penetrating an internal network
Remediation
Internet
Non-sensitive sites: boring
Sensitive sites: interesting
Web Based Man In the Middle Attack, 2009 IBM Corporation
Reality
Same origin policy
Executing an attack:
JavaScript + browser implementation bug
JavaScript + execution on a specific domain (can be done through XSS)
Diagram: a script running in the context of My Weather Channel cannot reach My Bank Site; other servers are not affected.
Stealing Cookies*
Obvious result
Stealing cookies associated with any domain the attacker desires
Will also work for HTTP ONLY cookies (as opposed to XSS attacks)
Demo
Limitations
Will only work for non-SSL web sites
Attack flow:
1. Victim surfs to a boring site
2. Attacker injects an IFRAME directing to an interesting site
3. Automatic request is sent to the interesting server
4. Attacker forwards the automatic request to the interesting server
5. Attacker adds a malicious script to the response
6. Script executes with the interesting server's restrictions
Secure Connections
Login Mechanism
1. Victim browses to site http://www.webmail.site
2. Site returns a response with the login form ("Please Login")
3. Victim fills in the login details (Username: jsmith) and submits the form
4. Login request is sent through a secure channel
5. Login Successful
Pre-login action is sent in clear text
Attacker could alter the pre-login response to make the login request be sent unencrypted
Limitations
Will only work for pre-login pages that are not encrypted
Will not work seamlessly in IE
Attack flow:
1. Attacker redirects the victim to a request to the pre-login page
2. Attacker returns the original login form together with a malicious script
3. Script accesses the auto-completion information using the DOM
Demo
Past (interesting sites)
Present (boring sites)
Future (interesting sites)
Session Fixation
Attack flow:
1. Attacker redirects the victim to the site of interest
2. Attacker returns a page with a cookie generated by the server
3. Cookie is saved on the victim's computer
4. A while later, victim connects to the site (with the pre-provided cookie)
5. Server authenticates the attacker as the victim
Result
Attacker can set persistent cookies on the victim
Limitations
The vulnerability also lies within the server
Cache Poisoning
Attack flow:
1. Attacker redirects the victim to the site of interest
2. Attacker returns a malicious page with cache settings enabled
3. A while later, victim visits the site
Result
Attacker can poison any page she desires
Poisoned pages will be persistent
Limitations
Attacker can poison non-SSL resources only
Demo
Complex Hacking
Virtual Private Networks
Limitations
Such mixed content is not widely used
Attack flow:
Attacker alters the non-encrypted script
Result
Complex Hacking
Intranet Networks
Characteristics
Firewall protections are helpless
Affected servers will never know
The attack is persistent
Limitations
Requires the victim to access the router in the future
Need to guess the router's address (10.0.1.1)
Attack flow:
1. Using Active MitM techniques, attacker poisons the victim's cache related to his router's web access
2. Malicious script is executed when the victim tries to access the router
3. Script configures the router to tunnel future communication through the attacker (Proxy IP Address)
4. Script hides the configuration changes
Limitation
Need to guess router IP and credentials
Attack flow:
1. Using Active MitM techniques, attacker poisons a common router's address (i.e. 10.0.1.1)
2. Attacker also poisons common home pages
3. At a later time, victim opens the browser and the cached home page is loaded
4. Cached home page redirects the victim's browser to the router's web interface
5. Cached router's web interface is loaded and the malicious script changes the router's settings
6. Router is compromised by the malicious script
Remediation: Users
Do not use auto-completion
Clean Slate Policy
Trust level separation:
Two different browsers
Two different users
Two different OS / virtualization products
Tunnel communication through a secure proxy (might not be allowed in many hot-spots)
Web owners
Consider the risks of partial SSL sites
Do not consider a secure VPN connection an SSL replacement
Use random tokens for common scripts, while considering performance issues
Avoid referring to external scripts from internal sites
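An added example (not from the talk or from Watchfire) of the check a web owner can run against the points above: a small Python audit that parses a raw HTTP response and flags cookies without the Secure attribute (HttpOnly alone does not stop capture on the wire), storable responses served over plain HTTP (the precondition for persistent cache poisoning), and, for HTTPS responses, a missing Strict-Transport-Security header, which was standardised after this talk and stops a browser from following the downgraded pre-login redirect described earlier. Both responses are constructed samples.

```python
# Added example (not from the talk): audit a raw HTTP response for the
# conditions the deck's attacks rely on. Both responses are constructed.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; HttpOnly; Path=/\r\n"
    "Set-Cookie: prefs=dark; Secure; HttpOnly\r\n"
    "Cache-Control: public, max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n"
    "Cache-Control: no-store\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return [(name, value)] for the header block, names lower-cased."""
    head = raw.partition("\r\n\r\n")[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(raw, scheme):
    """List the MitM exposures of a response fetched over 'http' or 'https'."""
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            # HttpOnly blocks script access but not capture on the wire
            findings.append(f"cookie {name!r} lacks Secure")
    storable = not any("no-store" in c.lower() for c in values("cache-control"))
    if scheme == "http" and storable:
        # a response the attacker replaces can stay in the browser cache
        findings.append("cacheable over plain HTTP")
    if scheme == "https" and not values("strict-transport-security"):
        # without HSTS a downgraded pre-login redirect is still followed
        findings.append("no Strict-Transport-Security")
    return findings
```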
Industry
Build an integrity mechanism for HTTP
Secure WiFi networks
Summary
Active MitM attacks broaden the scope of the passive attacks
Design issues
Dimension of time:
Past (steal cookies, auto-completion information, cache)
Future (set up cookies, poison cache, poison form filler)
Penetrating internal networks
Persistent
Bypass any current protection mechanisms
More information:
Paper and presentation will be uploaded to our blog: http://blog.watchfire.com
References
Additional information at the Watchfire Blog:
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Side Jacking:
http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
More on SideJacking:
http://erratasec.blogspot.com/2008/01/more-sidejacking.html
Surf Jacking:
http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Thank you!