client sidesec 2013 - non js
TRANSCRIPT
Web Client Side Security
Non Javascript Leakage
Tal Be’ery @ Verint
2013
SOP Threat Model
[Diagram: the victim application, built from custom code on top of business functions (Communication, Accounts, Finance, Administration, Transactions, Knowledge Mgmt, E-Commerce, Bus. Functions), and the attack flow]
1. Attacker sets the trap on some website on the internet
2. While logged into the vulnerable site, the victim views the attacker site (some interaction with the victim site)
3. Vulnerable site sees a legitimate request from the victim, performs the action requested and sends a response
Working Around SOP
• SOP usually allows the transaction, just blocks Javascript access to the response data
• CSRF
• Eavesdropping
• Side channels
  • User
    • UI Redressing (“Clickjacking”)
    • Interactive attacks
  • Timing
    • Pixel perfect
    • TIME
The Confused Deputy Problem
• A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority
Cross Site Request Forgery (CSRF)
• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application
• Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request
Cross Site Request Forgery: Imagine…
• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?
Cross Site Request Forgery: Typical Impact
• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details
CSRF: The Problem
• Web browsers automatically include most credentials with each request
• Requests can be invoked by malicious sites from the victim’s browser without user consent
• Automatically provided credentials:
  • Session cookie
  • Basic authentication header
  • IP address
  • Client side SSL certificates
  • Windows domain authentication
CSRF Illustrated
[Diagram: application with a CSRF vulnerability, built from custom code on top of business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions), and the attack flow]
1. Attacker sets the trap on some website on the internet (or simply via an e-mail); a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker site; the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site
3. Vulnerable site sees a legitimate request from the victim and performs the action requested
Mitigations
• Add a secret, not automatically submitted, token to ALL sensitive requests
  • Makes it impossible for the attacker to spoof the request
  • Tokens should be cryptographically strong or random
• Block on the victim server side, based on origin related headers
  • Origin
  • Referer
CSRF in the News
http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process/article/322343/
Login CSRF
• The attacker creates a CSRF attack to log the user in to the attacker’s account
• Later on, the attacker is able to track the victim’s actions in the attacker’s account
• E.g. log the victim in to an attacker-controlled Google account to collect search history
JSON Hijacking
• JavaScript Object Notation (JSON)
  • Data-interchange format
  • Like XML, but lightweight
  • But also valid Javascript!
• Attacker can import it as a script’s source and steal the response data
JSON Hijacking Demo
http://haacked.com/archive/2009/06/25/json-hijacking.aspx
JSON Hijacking Mitigations
• Same as CSRF
• Create an endless loop in the beginning of a JSON response
• New browser versions are said not to be vulnerable
http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf
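The “endless loop” mitigation in code, as an added example that is not part of the deck: the server prefixes every JSON body with `for(;;);`, and the site’s own same-origin client strips the prefix before parsing. A `<script src>` include of the response would loop forever on the prefix and never reach the data. The payload and function names are constructed for the illustration; the `isValidScript` helper only checks syntax and executes nothing.

```javascript
// Added example, not from the slide deck: the "endless loop" guard for JSON
// responses, with the matching client-side unwrap. The payload and the
// function names are constructed for this illustration.
const JSON_GUARD = 'for(;;);'; // a <script src=...> include hangs here and never reaches the data

// Server side: put the guard in front of the serialised payload and label the
// body as JSON so browsers do not sniff it as something else.
function guardedJsonResponse(payload) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON_GUARD + JSON.stringify(payload),
  };
}

// Client side (same-origin XMLHttpRequest, which can read the raw text): strip
// the guard, then parse. A missing guard means the text did not come from the
// guarded endpoint.
function parseGuardedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(JSON_GUARD)) {
    throw new Error('missing JSON guard prefix');
  }
  return JSON.parse(body.slice(JSON_GUARD.length));
}

// Why the array case mattered: a top-level JSON array is a syntactically valid
// script, whereas a top-level object with quoted keys is not (the braces parse
// as a block and the quoted key is a syntax error). Only the syntax is checked;
// nothing is executed.
function isValidScript(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Constructed sample: what an accounts endpoint might return.
function jsonDemo() {
  const resp = guardedJsonResponse([{ account: '123', balance: 42 }]);
  return {
    bodyStartsWithGuard: resp.body.startsWith(JSON_GUARD),
    parsedBalance: parseGuardedJson(resp.body)[0].balance,
    bareArrayIsScript: isValidScript('[{"account":"123"}]'),
    bareObjectIsScript: isValidScript('{"account":"123"}'),
  };
}

console.log(jsonDemo());
```

The guarded body is deliberately not valid JSON on its own, so any consumer that does not know the convention fails closed rather than silently getting the data; the “same as CSRF” bullet still applies, since a per-request token or origin check stops the cross-site request from being answered at all.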
Eavesdropping (MITM)
Requests
• SOP does not address MITM
• Requests and responses are allowed to flow
• Javascript does not have access to the response
• But an eavesdropper does!
NSA did it!
http://cdn.arstechnica.net/wp-content/uploads/2013/10/quantum-cookie-640x275.jpg
MITM Solution: SSL
• HTTP over SSL = HTTPS
• Default port is 443
• Server is authenticated: stops masquerading attacks
• Traffic is encrypted: stops eavesdropping attacks
• Traffic is signed: stops traffic injection attacks
HTTPS in High Level
http://www.powersolution.com/wp-content/uploads/2013/04/SSL-flowchart.png
Public Key Encryption
http://www.infosec.gov.hk/english/itpro/images/encryption_decryption.gif
Public Key Signature
http://www.infosec.gov.hk/english/itpro/images/encryption_decryption.gif
HTTPS in More Details
PKI Chain of Trust
• Public Key Infrastructure
Chain of Trust Demo
Attacks on SSL
• Attacks on encryption
• Attacks on the user
  • Self signed certificates
  • SSLStrip
• Attacks on the PKI
  • Stealing certificates
  • Lawful Interception: rogue certificates issued to the government
SSL Encryption Attacked
• Old ciphers aside, not very useful…
• Lucky 13 – millions of packets
Attacking the User
• Self signed certificate
• SSL error messages are notorious for their unusability
http://izquotes.com/quotes-pictures/quote-the-user-s-going-to-pick-dancing-pigs-over-security-every-time-bruce-schneier-164697.jpg
Users Ignore SSL Errors
• Crying Wolf: An Empirical Study of SSL Warning Effectiveness, Carnegie Mellon University, 2009
SSL Strip
• Pen-testing tool, presented @ BlackHat 2009
• Developed by Moxie Marlinspike
SSL Strip Explained
• The end users never type “https://”
• Users either
  • Follow a link that is https
  • Get redirected with a 3XX HTTP redirect
• Proxy
  • Rewrite links to be HTTP
  • Rewrite redirections to be HTTP
• Proxy talks HTTP to the victim, and HTTPS to the server
https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Yahoo! Before SSL Strip
Yahoo! After SSL Strip
Mitigation with HSTS
• HTTP Strict Transport Security (HSTS)
• Header that tells the browser to only use SSL for this site
• If the connection is not over SSL the browser blocks the user
http://c22blog.files.wordpress.com/2010/08/screen-shot-2010-08-27-at-11-34-46-pm.png
Attacking PKI: Certificate Stealing
• Any CA can sign any site
• A site cannot state which is its CA
• PKI is as strong as the weakest CA!
• Black Tulip Operation: Iran allegedly attacked the DigiNotar CA to gain access to the private key, and create certificates for many sites
Black Tulip Victim Users
http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html
Black Tulip Victim Sites
http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html
Attacking PKI: Rogue Certs Issued to Gov
PKI Alternatives
• Many suggestions
• Nothing seems like a winner
• See “Qualitative Comparison of SSL Validation Alternatives”, AppSec.Eu, 2013
• https://www.owasp.org/images/d/d4/A_Qualitative_Comparison_of_SSL_Validation_Alternatives_-_Henning_Perl%2BMichael_Brenner%2BMathew_Smith.pdf
Mixed Content
Mixed Content
• Attacker can abuse mixed content
  • To inject scripts in non secure resources
  • Eavesdrop on cookies for non secure resources
• In order for a cookie to be sent only over HTTPS, the “Secure” attribute should be applied
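The HSTS mitigation and the Secure cookie attribute from the two slides above, as one added example that is not part of the deck: a request handler that redirects plain HTTP to HTTPS and sets Strict-Transport-Security, a session cookie emitted with and without Secure, and a small model of the browser rule that keeps a Secure cookie off plaintext requests. Host names, the request shape ({ scheme, host, path }) and the cookie value are constructed; HttpOnly is included as a commonly used extra attribute that the slides do not mention.

```javascript
// Added example, not from the slide deck: enforcing HTTPS with a redirect and
// HSTS, and marking the session cookie Secure so it never crosses a plain HTTP
// connection (the mixed-content eavesdropping case). Host names, the request
// shape and the cookie value are constructed; HttpOnly is an extra attribute
// not mentioned on the slides.
const HSTS_MAX_AGE = 31536000; // one year, in seconds

// Value for the Strict-Transport-Security header.
function hstsHeaderValue(includeSubDomains = true) {
  return `max-age=${HSTS_MAX_AGE}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// Server-side handling: plain HTTP gets a permanent redirect to the HTTPS URL
// instead of content; HTTPS responses carry HSTS so that, after the first
// visit, the browser skips the plaintext hop that SSL Strip relies on.
function enforceHttps(req) {
  if (req.scheme !== 'https') {
    return { status: 301, headers: { Location: `https://${req.host}${req.path}` }, body: '' };
  }
  return { status: 200, headers: { 'Strict-Transport-Security': hstsHeaderValue() }, body: 'ok' };
}

// Weak setting beside the corrected one: the same session cookie without and with Secure.
function sessionCookieHeader(value, { secure = true, httpOnly = true } = {}) {
  let h = `session=${value}; Path=/`;
  if (secure) h += '; Secure';     // only sent over https://
  if (httpOnly) h += '; HttpOnly'; // not readable from script (not on the slides)
  return h;
}

// Model of the browser rule: a cookie marked Secure is attached only to https:// requests.
function cookieSentOn(scheme, setCookieHeader) {
  const secure = /;\s*Secure\b/i.test(setCookieHeader);
  return !(secure && scheme !== 'https');
}

// Constructed mixed-content scenario: an HTTPS page embeds http://bank.example/logo.png.
// Returns true if the session cookie would ride along on that plaintext image request.
function leaksOnMixedContent(setCookieHeader) {
  return cookieSentOn('http', setCookieHeader);
}

console.log({
  redirect: enforceHttps({ scheme: 'http', host: 'bank.example', path: '/login' }),
  hsts: enforceHttps({ scheme: 'https', host: 'bank.example', path: '/login' }).headers,
  weakCookieLeaks: leaksOnMixedContent(sessionCookieHeader('s3ss10n', { secure: false })),
  hardenedCookieLeaks: leaksOnMixedContent(sessionCookieHeader('s3ss10n')),
});
```

The redirect alone does not defeat SSL Strip (the proxy simply rewrites it); it is the HSTS header remembered from an earlier HTTPS visit that makes the browser refuse the plaintext connection, and the Secure attribute closes the remaining cookie leak through mixed content.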
Human Side Channels
Phishing
• Visually similar pages
PhishTank.com
Frames
• Include content from another URL
• <iframe src="URL">
• Frames adhere to SOP
  • Cannot access each other’s data if not from the same origin
UI Redressing
• AKA “ClickJacking”
• A malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on (Wikipedia)
• Another “confused deputy”
• Usually achieved with Iframe manipulation
Opacity Demo
• Cute penguins?
• Yad2?
Like Jacking Demo
http://coding.pressbin.com/files/86-clickjacking_demo.html
Interactive Attacks
• Javascript from one frame is not allowed to access another frame’s data on the same page
• But the frame can ask the user to do it!
Mitigations
• Frame busting code
  if (top != self) { top.location.replace(self.location.href); }
• X-Frame-Options header
  • Allows the site to control the framing of its resources
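The X-Frame-Options mitigation in code, as an added example that is not part of the deck: a helper that emits the header for a response, and a simplified model of the browser’s framing decision run over constructed origins (a bank page framed by itself and by a trap page, with no header, with SAMEORIGIN and with DENY). The model checks one framing level only, and function names and origins are illustrative.

```javascript
// Added example, not from the slide deck: emitting X-Frame-Options and a
// simplified model of the browser's framing decision, run over constructed
// origins. Function names and origins are illustrative.

// Header for a response that must not be framed by other sites.
function xFrameOptionsHeader(policy) {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('policy must be DENY or SAMEORIGIN');
  }
  return { 'X-Frame-Options': policy };
}

// May a document at `framerOrigin` embed a response from `pageOrigin` that
// carried `headerValue`? Simplified: a single framing level, and an
// unrecognised value is treated like a missing header, which is why the value
// must be spelled exactly.
function framingAllowed(headerValue, pageOrigin, framerOrigin) {
  if (!headerValue) return true; // no header: anyone may frame the page (the clickjacking case)
  const v = headerValue.trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  return true;
}

// Constructed scenarios: the bank page framed by its own site and by a trap page.
function framingDemo() {
  const bank = 'https://bank.example';
  const trap = 'https://attacker.example';
  const out = {};
  for (const [name, hdr] of [['none', undefined], ['sameorigin', 'SAMEORIGIN'], ['deny', 'DENY']]) {
    out[name] = { bySelf: framingAllowed(hdr, bank, bank), byTrap: framingAllowed(hdr, bank, trap) };
  }
  return out;
}

console.log(framingDemo());
```

The header is enforced by the browser before any script in the framed page runs, so it holds in cases where the frame-busting snippet above never gets to execute; SAMEORIGIN keeps the site’s own legitimate framing working while still refusing the trap page.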
CSS History Bug
• Visited links look different
• Javascript can query style with getComputedStyle()
• Malicious Javascript can guess links, and query style to retrieve history!
• Solution: getComputedStyle() lies about visited links
Interactive Attacks Demo
Technical Side Channels
Side Channels
• Javascript cannot directly access data from another domain
• But it has some side channel data:
  • How much time it took the resource to load (with event handlers – onload, onready)
  • Was the resource loaded successfully
  • The dimensions of the resource
• Side channels may leak data!
Login Status
• Try to load an image behind authentication
• Will fail if the user is not authenticated
• Will be detected by javascript with the onerror() handler
Login Status Demo
http://www.tomanthony.co.uk/tools/detect-social-network-logins/
Pixel Perfect Attack (1)
• “Pixel Perfect Timing Attacks with HTML5”
• Presented @ BlackHat 2013
• CSS history bug again!
• Add a performance hog effect to visited links
• Redrawing visited links takes time
• In javascript, guess a link and measure time
Pixel Perfect Attack (2)
• Guess a pixel in an Iframe:
  • Apply grayscale filter
  • Enlarge Iframe contents with CSS transforms so the filter works on a single pixel
  • Apply a certain filter that has different timing for black and white
  • Measure time to determine if it’s black or white
  • Repeat until all pixels are discovered
Pixel Perfect Attack (3)
TIME Attack
• Presented @ BlackHat 2013
• Compression + Timing side channels