Web Client Side Security: Non-Javascript Leakage
Tal Be’ery, Verint
2013

SOP Threat Model
[Diagram: OWASP-style illustration of the victim application (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, all behind custom code) with the following steps]
1. Attacker sets the trap on some website on the internet
2. While logged into the vulnerable site, the victim views the attacker's site, which causes some interaction with the victim site
3. The vulnerable site sees a legitimate-looking request from the victim, performs the action requested, and sends a response

Working Around SOP
• SOP usually allows the request to be sent and the response to be received; it only blocks Javascript access to the response data
• CSRF
• Eavesdropping
• Side channels
  • User
    • UI Redressing (“Clickjacking”)
    • Interactive attacks
  • Timing
    • Pixel perfect
    • TIME

The Confused Deputy Problem
• A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority
• In the web case the browser is the deputy, and the authority it misuses is the user's ambient credentials

Cross Site Request Forgery (CSRF)
• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application
• The vulnerability exists because browsers automatically attach the user's authentication data (session ID, IP address, Windows domain credentials, …) to every request, regardless of which page triggered it
Imagine…
• What if an attacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?
Typical Impact
• Initiate transactions (transfer funds, log the user out, close the account)
• Access sensitive data (indirectly, e.g. by changing the account's e-mail address first; the response itself stays unreadable across origins)
• Change account details

CSRF: The Problem
• Web browsers automatically include most credentials with each request
• Requests can be triggered by malicious sites from the victim’s browser without the user's consent
Automatically Provided Credentials
• Session cookie
• Basic authentication header
• IP address (where it is used for access control, e.g. intranet hosts)
• Client-side SSL certificates
• Windows domain authentication (NTLM/Kerberos)

CSRF Illustrated
[Diagram: the same OWASP illustration, now for an application with a CSRF vulnerability]
1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site; the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested

Mitigations
• Add a secret token, one the browser does not submit automatically, to ALL state-changing requests
  • The attacker's page cannot read the token (SOP), so it cannot forge a valid request
  • Tokens must be unpredictable: generated from a cryptographically strong random source and bound to the user's session
• Block on the victim server side, based on origin-related headers
  • Origin
  • Referer
  • Caveat: some clients and proxies strip Referer, and Origin is not sent on every request type, so decide explicitly what happens when both are absent

CSRF in the News
• Google fixes flaw in Gmail password reset process: http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process/article/322343/

Login CSRF
• The attacker mounts a CSRF attack against the login form, logging the victim into the attacker’s account
• From then on, the attacker can observe the victim’s actions in the attacker-controlled account
• E.g. log the victim into an attacker-controlled Google account to collect the victim's search history
• Mitigation is the same: the login request needs a CSRF token too, bound to an anonymous pre-login session

JSON Hijacking
• JavaScript Object Notation (JSON)
  • Data-interchange format
  • Like XML, but lightweight
  • But also valid Javascript: a JSON array is a valid JavaScript program
• The attacker can include the authenticated JSON endpoint as a script source (<script src=...>): the victim's browser fetches it with the victim's cookies and evaluates it, and in older engines the attacker's page can observe the values as the response is evaluated, stealing the response data

JSON Hijacking Demo
• http://haacked.com/archive/2009/06/25/json-hijacking.aspx

JSON Hijacking Mitigations
• Same as CSRF: require a per-session token or a custom request header, neither of which a script include can supply
• Put an endless loop (for(;;); or while(1);) at the beginning of every JSON response; the same-origin client strips it before parsing, a cross-site script include never gets past it
• Return a top-level object rather than a bare array: an object literal at statement position is a syntax error, an array literal is not
• Newer browser versions are said not to be vulnerable (array and object literals no longer call an overridable Array constructor or trigger prototype setters)
• http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf
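The two slides above explained, as an added example that is not part of the original deck: a check of whether a response body compiles as a script (without running it), the `for(;;);` prefix the mitigation slide describes, the syntax-breaking `)]}'` prefix used by some Google services, and the same-origin client code that strips the prefix. The endpoint path and the sample data are assumptions.

```javascript
// Added example (not from the slides): why a JSON response can be pulled in as a
// script, and what the "endless loop" prefix does about it.  Names are assumptions.

// Does a response body compile as a JavaScript program?  new Function() only parses
// the text; the resulting function is never called, so nothing in the body executes.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// --- server side --------------------------------------------------------------------
// The attacker's page does <script src="https://victim.example/api/contacts"></script>.
// The victim's browser fetches it with the victim's cookies and evaluates the body.
// A bare array is a valid program, and old engines let the attacker observe the
// values as the literal was built (redefined Array constructor, __defineSetter__).
function plainJson(value) { return JSON.stringify(value); }

// Mitigation: start the body with an infinite loop.  Loaded as a script it spins
// forever before the data expression is reached (the tab hangs, nothing leaks);
// the site's own XMLHttpRequest code strips the prefix and parses the remainder.
const LOOP_PREFIX = 'for(;;);';
function protectedJson(value) { return LOOP_PREFIX + JSON.stringify(value); }

// Alternative framing used by some Google services: a prefix that is a syntax
// error as a script, so the attacker's include fails at parse time instead.
const BREAK_PREFIX = ")]}'\n";
function brokenJson(value) { return BREAK_PREFIX + JSON.stringify(value); }

// --- same-origin client ---------------------------------------------------------------
function parseProtected(body, prefix = LOOP_PREFIX) {
  if (!body.startsWith(prefix)) throw new Error('unexpected response framing');
  return JSON.parse(body.slice(prefix.length));
}

// --- constructed responses ----------------------------------------------------------
const contacts = [{ name: 'Alice', email: 'alice@example.com' }];   // constructed data

console.log('bare array parses as script      :', parsesAsScript(plainJson(contacts)));       // true
console.log('top-level object parses as script:', parsesAsScript(plainJson({ contacts })));   // false
console.log('loop-prefixed parses as script   :', parsesAsScript(protectedJson(contacts)));   // true, but loops
console.log(')]}\'-prefixed parses as script   :', parsesAsScript(brokenJson(contacts)));      // false
console.log('client still gets the data       :', parseProtected(protectedJson(contacts))[0].email);
```

The object-wrapping result is why "never return a bare array" is cheap extra defence, but it protects nothing that is evaluated by other means (JSONP callbacks, eval on the client), so the prefix or the CSRF-style token remains the primary control.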

Eavesdropping (MITM)

Requests
• SOP does not address MITM
• Requests and responses are allowed to flow
• Javascript on the attacker's page does not have access to the response
• But an eavesdropper on the network does!

NSA did it!
• http://cdn.arstechnica.net/wp-content/uploads/2013/10/quantum-cookie-640x275.jpg

MITM Solution: SSL
• HTTP over SSL/TLS = HTTPS
• Default port is 443
• Server is authenticated: stops masquerading attacks
• Traffic is encrypted: stops eavesdropping attacks
• Traffic is integrity-protected with a MAC (not signed): stops traffic injection and tampering attacks

HTTPS in High Level
• http://www.powersolution.com/wp-content/uploads/2013/04/SSL-flowchart.png

Public Key Encryption
• http://www.infosec.gov.hk/english/itpro/images/encryption_decryption.gif

Public Key Signature
• http://www.infosec.gov.hk/english/itpro/images/encryption_decryption.gif

HTTPS in More Detail

PKI Chain of Trust
• Public Key Infrastructure (PKI): the server's certificate is signed by an intermediate CA, whose certificate is signed by a root CA the browser already trusts

Chain of Trust Demo

Attacks on SSL
• Attacks on the encryption
• Attacks on the user
  • Self-signed certificates
  • SSLStrip
• Attacks on the PKI
  • Stealing certificates
  • Lawful interception: rogue certificates issued to governments

SSL Encryption Attacked
• Old ciphers aside, not very useful in practice..
• Lucky 13 (2013): a timing side channel in the CBC padding check that needs millions of packets per recovered byte

Attacking the User
• Self-signed certificate
• SSL error messages are notorious for their poor usability
• “The user’s going to pick dancing pigs over security every time” (Bruce Schneier): http://izquotes.com/quotes-pictures/quote-the-user-s-going-to-pick-dancing-pigs-over-security-every-time-bruce-schneier-164697.jpg

Users Ignore SSL Errors
• “Crying Wolf: An Empirical Study of SSL Warning Effectiveness”, Sunshine et al., Carnegie Mellon University, USENIX Security 2009

SSL Strip
• Pen-testing tool, presented @ BlackHat DC 2009
• Developed by Moxie Marlinspike

SSL Strip Explained
• End users never type “https://”
• Users either
  • follow a link that is https, or
  • get redirected with a 3XX HTTP redirect
• The attacker's proxy
  • rewrites https links to http
  • rewrites https redirections to http
• The proxy talks HTTP to the victim and HTTPS to the server, so the server still sees a TLS session while the victim never does
• https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

Yahoo! Before SSL Strip

Yahoo! After SSL Strip

Mitigation with HSTS
• HTTP Strict Transport Security (HSTS), RFC 6797
• A response header (Strict-Transport-Security: max-age=...) that tells the browser to use only SSL/TLS for this host for the given time
• The browser rewrites http:// URLs for the host to https:// before sending them, and if the secure connection fails (e.g. a bad certificate) it blocks the user instead of offering a click-through warning
• Caveat: the header is only honoured when received over HTTPS and only protects visits after the first one, which is what the browsers' preload lists address
• http://c22blog.files.wordpress.com/2010/08/screen-shot-2010-08-27-at-11-34-46-pm.png
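The "SSL Strip Explained" and HSTS slides together, as an added example that is neither the deck's code nor the sslstrip tool: the link and redirect rewriting a stripping proxy performs, beside a minimal browser-side HSTS cache that upgrades those stripped URLs before any plaintext request is sent. Host names and the header values are assumptions.

```javascript
// Added example (not from the slides, and not sslstrip's own code): the rewriting a
// stripping proxy performs on plaintext traffic, and the browser-side HSTS cache that
// makes the rewriting pointless for hosts the browser has already seen over HTTPS.

// ---- what the attacker's proxy does -------------------------------------------------
// The victim only ever sees http://; the proxy keeps an HTTPS session to the real server.
function stripLinks(html) {
  return html.replace(/https:\/\//gi, 'http://');
}
function stripRedirect(headers) {
  const out = { ...headers };
  if (out.location && /^https:/i.test(out.location)) {
    out.location = out.location.replace(/^https:/i, 'http:');
  }
  return out;
}

// ---- what the browser does with Strict-Transport-Security ---------------------------
class HstsCache {
  constructor(now = () => Date.now()) {
    this.hosts = new Map();   // hostname -> { expires, includeSubDomains }
    this.now = now;
  }

  // Called for every response.  RFC 6797 section 8.1: the header is only honoured when
  // the response itself arrived over HTTPS, otherwise the man in the middle could poison
  // (or, with max-age=0, clear) the cache from the plaintext side.
  observe(url, headers) {
    const u = new URL(url);
    const header = headers['strict-transport-security'];
    if (u.protocol !== 'https:' || !header) return;
    const directives = {};
    for (const part of header.split(';')) {
      const [name, value] = part.trim().split('=');
      if (name) directives[name.toLowerCase()] = value;
    }
    const maxAge = parseInt(directives['max-age'], 10);
    if (Number.isNaN(maxAge)) return;              // malformed: ignore
    if (maxAge === 0) { this.hosts.delete(u.hostname); return; }
    this.hosts.set(u.hostname, {
      expires: this.now() + maxAge * 1000,
      includeSubDomains: 'includesubdomains' in directives,
    });
  }

  isKnown(hostname) {
    for (const [host, entry] of this.hosts) {
      if (entry.expires <= this.now()) continue;
      if (hostname === host) return true;
      if (entry.includeSubDomains && hostname.endsWith('.' + host)) return true;
    }
    return false;
  }

  // Applied before any request leaves the browser: http:// becomes https:// for known
  // hosts, so a stripped link or redirect never produces a plaintext request.  (A
  // certificate error on that connection is then fatal, not a click-through warning.)
  rewrite(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// ---- constructed walk-through --------------------------------------------------------
const browser = new HstsCache();
const loginPage = '<a href="https://login.example.com/">Sign in</a>';

// First visit, attacker in the middle: links and redirects arrive stripped ...
console.log(stripLinks(loginPage));                                   // http://login.example.com/
console.log(stripRedirect({ location: 'https://login.example.com/' }).location);
// ... and an HSTS header injected over plaintext does nothing, good or bad.
browser.observe('http://example.com/', { 'strict-transport-security': 'max-age=31536000' });
console.log(browser.rewrite('http://login.example.com/'));           // still http://

// After one clean HTTPS visit to example.com the browser remembers the policy ...
browser.observe('https://example.com/', {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
});
// ... and the stripped link is upgraded before the proxy ever sees a request.
console.log(browser.rewrite(stripLinks(loginPage).match(/href="([^"]+)"/)[1]));  // https://login.example.com/
```

The first plaintext visit is exactly the window sslstrip needs, which is why a site that relies on HSTS should also get itself onto the browsers' preload lists.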

Attacking PKI: Certificate Theft
• Any CA can sign a certificate for any site
• A site cannot state which CA is its CA (certificate pinning and CAA DNS records later addressed this)
• PKI is as strong as the weakest CA!
• Operation Black Tulip: in 2011 an attacker, allegedly from Iran, compromised the DigiNotar CA, gained access to its signing keys, and issued rogue certificates for many sites

Black Tulip Victim Users
• http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

Black Tulip Victim Sites
• http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

Attacking PKI: Rogue Certs Issued to Governments

PKI Alternatives
• Many suggestions
• Nothing seems like a winner
• See “A Qualitative Comparison of SSL Validation Alternatives” (Perl, Brenner, Smith), AppSec.EU 2013
• https://www.owasp.org/images/d/d4/A_Qualitative_Comparison_of_SSL_Validation_Alternatives_-_Henning_Perl%2BMichael_Brenner%2BMathew_Smith.pdf

Mixed Content

Mixed Content
• An HTTPS page that loads sub-resources (scripts, images, frames) over plain HTTP
• An attacker on the network can abuse mixed content
  • to inject scripts into the non-secure resources (a script injected into an http:// script runs with the HTTPS page's origin)
  • to eavesdrop on the cookies sent with the non-secure requests
• For a cookie to be sent only over HTTPS, the “Secure” attribute must be set on it; without it the browser attaches the cookie to the plaintext sub-resource request as well
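The cookie half of the mixed-content slide, as an added example that is not part of the original deck: a toy cookie jar that applies the host, path and Secure rules when deciding which cookies accompany a request, showing the session cookie that leaks on a plaintext `<img>` load and the one that does not. `bank.example` and the cookie names are assumptions.

```javascript
// Added example (not from the slides): a toy cookie jar that shows which cookies the
// browser attaches to a plaintext sub-resource request embedded in an HTTPS page.
// Host names and cookie names are assumptions.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attributes] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false, path: '/' };
  for (const attr of attributes) {
    const [name, value] = attr.split('=');
    switch (name.toLowerCase()) {
      case 'secure':   cookie.secure = true; break;     // send over https: only
      case 'httponly': cookie.httpOnly = true; break;   // hide from document.cook
      case 'path':     cookie.path = value || '/'; break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by a response from `responseUrl`.  Per RFC 6265 the cookie is
  // keyed by host only: neither the scheme nor the port is part of its identity.
  store(responseUrl, setCookieHeader) {
    const cookie = parseSetCookie(setCookieHeader);
    cookie.host = new URL(responseUrl).hostname;
    this.cookies = this.cookies.filter((c) => !(c.host === cookie.host && c.name === cookie.name));
    this.cookies.push(cookie);
  }

  // The Cookie header the browser would send with a request to `requestUrl`.
  cookieHeaderFor(requestUrl) {
    const u = new URL(requestUrl);
    return this.cookies
      .filter((c) => c.host === u.hostname && u.pathname.startsWith(c.path))
      .filter((c) => !c.secure || u.protocol === 'https:')   // the Secure attribute is the only gate
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// --- constructed scenario --------------------------------------------------------------
// The HTTPS page https://bank.example/ sets two session cookies, one without and one
// with Secure, and then includes <img src="http://bank.example/logo.png"> (mixed content).
const jar = new CookieJar();
jar.store('https://bank.example/', 'session=abc123; HttpOnly');
jar.store('https://bank.example/', 'session_s=def456; Secure; HttpOnly');

console.log('https request:', jar.cookieHeaderFor('https://bank.example/account'));
// -> both cookies
console.log('http  request:', jar.cookieHeaderFor('http://bank.example/logo.png'));
// -> session=abc123 only: it travels in clear and anyone on the path can read it,
//    while session_s stays home because of the Secure attribute.
```

Note what Secure does not do: HttpOnly is irrelevant to the network leak, and Secure prevents disclosure but not injection, since a plaintext response from the same host can still set a cookie that the HTTPS site will read. Removing the mixed content is the real fix; Secure limits the damage.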

Human Side Channels

Phishing
• Visually similar pages

PhishTank.com

Frames
• Include content from another URL: <iframe src="URL">
• Frames adhere to the SOP: frames from different origins cannot access each other's data (DOM, cookies, storage)

UI Redressing
• AKA “ClickJacking”
• A malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on (Wikipedia)
• Another “confused deputy”: the user, who is fooled into exercising their own authority on the hidden page
• Usually achieved with iframe manipulation: the target site is framed, made transparent (CSS opacity), and positioned under a decoy

Opacity Demo
• Cute penguins?
• Yad2?

Like Jacking Demo
• http://coding.pressbin.com/files/86-clickjacking_demo.html

Interactive Attacks
• Javascript from one frame is not allowed to access another frame’s data on the same page
• But the page can ask the user to do it, e.g. by luring them into dragging content out of the framed page into an attacker-controlled field

Mitigations
• Frame busting code
  • if (top != self) { top.location.replace(self.location.href); }
  • Caveat: easily bypassed, e.g. by framing the page with the HTML5 sandbox attribute (which blocks top-level navigation while leaving scripts enabled) or by trapping the navigation with an onbeforeunload handler, so do not rely on it alone
• X-Frame-Options header
  • Lets the site control the framing of its resources: DENY, SAMEORIGIN, or ALLOW-FROM origin (ALLOW-FROM is not supported by all browsers)
  • The Content-Security-Policy frame-ancestors directive is the standardised successor
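The X-Frame-Options half of the mitigation slide, as an added example that is not part of the original deck: the decision a browser makes when a document carrying the header is about to be rendered inside a frame, written as a pure function so the DENY, SAMEORIGIN, ALLOW-FROM, missing and mistyped cases can be checked offline. The origins are assumptions.

```javascript
// Added example (not from the slides): the decision a browser makes when a document
// carrying X-Frame-Options is about to be rendered inside a frame.  Origins are assumptions.

// ancestorOrigins lists the origins of the framing documents, innermost parent first,
// top-level document last.  An empty list means the document is not framed at all.
function frameAllowed(headerValue, documentOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;
  if (!headerValue) return true;                 // no header: anyone may frame the page

  const value = headerValue.trim();
  const upper = value.toUpperCase();

  if (upper === 'DENY') return false;

  if (upper === 'SAMEORIGIN') {
    // RFC 7034 only compares the top-level origin.  That leaves a hole: a same-origin
    // top page that frames attacker.example, which in turn frames the protected page.
    // Modern browsers close it by requiring every ancestor to match, as done here.
    return ancestorOrigins.every((o) => o === documentOrigin);
  }

  const allowFrom = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (allowFrom) {
    // Only Firefox and Internet Explorer implemented ALLOW-FROM; Chrome and Safari
    // treat the whole header as invalid and ignore it (so framing is allowed there).
    // CSP's frame-ancestors directive, which takes a list of origins, replaced it.
    let allowed;
    try { allowed = new URL(allowFrom[1]).origin; } catch (e) { return false; }
    return ancestorOrigins[ancestorOrigins.length - 1] === allowed;
  }

  // Unrecognised directive: browsers log a console error and ignore the header, i.e.
  // they allow framing.  A typo in the header therefore fails open.
  return true;
}

// --- constructed cases -------------------------------------------------------------------
const site = 'https://bank.example';
const evil = 'https://attacker.example';
console.log(frameAllowed('DENY', site, [evil]));                               // false
console.log(frameAllowed('SAMEORIGIN', site, [site]));                         // true
console.log(frameAllowed('SAMEORIGIN', site, [evil, site]));                   // false: evil in the middle
console.log(frameAllowed('SAMEORIGN', site, [evil]));                          // true: typo fails open
console.log(frameAllowed('ALLOW-FROM https://partner.example', site, [evil])); // false
console.log(frameAllowed(undefined, site, [evil]));                            // true
```

The fail-open cases (missing header, mistyped directive, ALLOW-FROM on a browser that does not know it) are the ones worth a check in deployment: fetch the page and confirm the header value is exactly DENY or SAMEORIGIN.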

CSS History Bug
• Visited links look different (a:visited styling)
• Javascript can query an element's computed style with getComputedStyle()
• Malicious Javascript can insert links to guessed URLs and query their style to retrieve the user's browsing history!
• Solution: getComputedStyle() lies about visited links (it reports the unvisited style), and :visited may only change colours

Interactive Attacks Demo

Technical Side Channels

Side Channels
• Javascript cannot directly read data from another domain
• But it does get some side-channel data about cross-origin resources:
  • How long a resource took to load (with event handlers: onload, onreadystatechange)
  • Whether the resource loaded successfully (onload vs. onerror)
  • The dimensions of the resource (e.g. an image's naturalWidth and naturalHeight)
• Side channels may leak data!

Login Status
• Try to load an image that sits behind authentication
• Loading fails if the user is not authenticated (typically the server redirects to a login page, which does not decode as an image)
• Javascript detects the failure with the onerror handler, and success with onload

Login Status Demo
• http://www.tomanthony.co.uk/tools/detect-social-network-logins/
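The login-status oracle from the slides above, as an added example that is not part of the original deck (nor the linked demo): an offline simulation of the three parties, the victim site serving an image only to authenticated users, the browser firing onload or onerror, and the attacker's page reading nothing but which event fired. The site, its paths and the cookie values are constructed; SameSite cookies, which postdate the 2013 deck, are included as the fix that closes the channel.

```javascript
// Added example (not from the slides): the login-status oracle as an offline
// simulation.  The site, paths and cookie values are constructed; SameSite cookies
// (2016+) are included as the modern fix.

// ---- the victim site --------------------------------------------------------------
const site = {
  route(path, req) {
    if (path === '/avatar.png') {
      if (req.cookies.session === 'valid') {
        return { status: 200, headers: { 'content-type': 'image/png' }, body: '<png bytes>' };
      }
      return { status: 302, headers: { location: '/login' } };   // common: bounce to login
    }
    if (path === '/login') {
      return { status: 200, headers: { 'content-type': 'text/html' }, body: '<html>login form</html>' };
    }
    return { status: 404, headers: {}, body: '' };
  },
};

// ---- the browser --------------------------------------------------------------------
// jar: [{ name, value, sameSite }].  crossSite is true when the page embedding the
// image lives on another site (the attacker's).  Cookies marked SameSite=Lax or Strict
// are withheld on cross-site sub-resource loads; legacy cookies go everywhere.
function cookiesFor(jar, crossSite) {
  const out = {};
  for (const c of jar) {
    const restricted = c.sameSite && c.sameSite.toLowerCase() !== 'none';
    if (!(crossSite && restricted)) out[c.name] = c.value;
  }
  return out;
}

// <img src=...>: follow redirects, then fire onload if the final response is an image
// and onerror otherwise.  The attacker's page sees only which event fired.
function loadImage(path, jar, crossSite) {
  const cookies = cookiesFor(jar, crossSite);
  let res = site.route(path, { cookies });
  for (let hops = 0; res.status === 302 && hops < 5; hops++) {
    res = site.route(res.headers.location, { cookies });
  }
  const isImage = res.status === 200 && /^image\//.test(res.headers['content-type'] || '');
  return isImage ? 'onload' : 'onerror';
}

// ---- the attacker's page --------------------------------------------------------------
// In a real page: var img = new Image(); img.onload = in; img.onerror = out; img.src = url;
function victimIsLoggedIn(jar) {
  return loadImage('/avatar.png', jar, true) === 'onload';
}

// ---- constructed jars --------------------------------------------------------------------
const legacyLoggedIn  = [{ name: 'session', value: 'valid' }];
const legacyLoggedOut = [];
const laxLoggedIn     = [{ name: 'session', value: 'valid', sameSite: 'Lax' }];

console.log('legacy cookie, logged in :', victimIsLoggedIn(legacyLoggedIn));    // true
console.log('legacy cookie, logged out:', victimIsLoggedIn(legacyLoggedOut));   // false
console.log('SameSite=Lax, logged in  :', victimIsLoggedIn(laxLoggedIn));       // false: oracle closed
console.log('same-site page, Lax      :', loadImage('/avatar.png', laxLoggedIn, false)); // onload
```

Timing gives the same bit even when both outcomes end in onerror (a redirect plus an HTML page takes longer than a direct image), and per-user images add the dimensions channel from the previous slide; withholding the cookie on cross-site loads removes all of them at once.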

Pixel Perfect Attack (1)
• “Pixel Perfect Timing Attacks with HTML5” (Paul Stone), presented @ BlackHat USA 2013
• CSS history bug again!
• Add a performance-hogging effect (e.g. an expensive SVG filter) to visited links
• Redrawing visited links then takes measurably longer
• In Javascript, insert a guessed link and measure the redraw time (requestAnimationFrame)

Pixel Perfect Attack (2)
• Guess a pixel in a cross-origin iframe:
  • Apply a grayscale filter
  • Enlarge the iframe contents with CSS transforms so that the filter operates on a single pixel
  • Apply a filter whose rendering time differs for black and white input
  • Measure the time to determine whether the pixel is black or white
  • Repeat until all pixels are discovered, reading the framed page's text pixel by pixel

Pixel Perfect Attack (3)

TIME Attack
• “A Perfect CRIME? Only TIME Will Tell” (Tal Be’ery, Amichai Shulman), presented @ BlackHat Europe 2013
• Compression + timing side channels: the compressed size of a response depends on how much of an attacker-chosen input matches a secret in the same response, and the size can be measured cross-origin from timing, since one extra TCP segment costs an extra round trip