web application social engineering vulnerabilities
DESCRIPTION
In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.
TRANSCRIPT
Page 1
Web Application Social Engineering Vulnerabilities
Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services
Page 2
Agenda
1. Overview
2. Homograph Attacks
3. Web Application Vulnerabilities
4. Demonstration
Page 3
Presentation Overview
• This presentation will demonstrate some attacks that can be used to target users and administrators of web applications.
• You will learn techniques attackers use to steal money and sensitive data while going undetected.
Page 4
Domain Spoofing
Homograph Attacks
Page 5
Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our attacks more convincing
Page 6
Internationalized Domain Names (IDN)
http://مثال.إختبار
http://例子.测试
http://παράδειγμα.δοκιμή
http://пример.испытание
http://בײַשפּיל.טעסט
Page 7
The problem is, this is also an Internationalized Domain Name:
miсrоsоft.com
This is not:
microsoft.com
Page 8
When Homographs Attack
Page 9
Homograph Attacks – A Brief History
2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.
microsoft.com (authentic)
miсrоsоft.com (Russian letters ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
Page 10
Web Browsers Were Fixed.. Kinda
2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera
www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)
www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)
http://www.shmoo.com/idn/homograph.txt
Page 11
Still not fixed
2009 – Chris Weber discloses IDN spoofing issue with Safari
https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733
Page 12
Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – which should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox, Internet Explorer
http://www.idnnews.com/?p=8760
Page 13
Chrome 14.0 Windows
Firefox 7.0 Windows
Internet Explorer 9.0 Windows
Safari 5.1 Windows
Safari 5.0.2 iPhone
Android 2.2
Opera Mini 6.0 iPhone
These are all the same domain
Page 14
Safari’s IDN Handling Policy
• There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt
http://support.apple.com/kb/TA22996
Page 15
Safari’s White List
# Default Web Kit International Domain Name Script White List.
Common
Inherited
Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi
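As an added example (not code from the presentation), the Python below approximates the two defensive checks that slides 12 through 15 motivate: a Safari-style script allow-list that decides whether a domain is shown natively or as Punycode, optionally tightened to refuse labels that mix two scripts, and a confusable "skeleton" check that strips combining marks and maps Cyrillic look-alikes back to Latin so the result can be compared with a protected brand name. Function names, the brand list and the confusable table are assumptions made for this example; the Unicode character name is used as a stand-in for the Script property, which the standard library does not expose, so script detection is an approximation covering the scripts this deck talks about.

```python
"""Homograph / IDN inspection helpers (added example, not from the deck)."""
import unicodedata

# Scripts listed in the default WebKit white list shown on the slide.
SAFARI_DEFAULT_WHITELIST = frozenset({
    "Common", "Inherited", "Arabic", "Armenian", "Bopomofo",
    "Canadian_Aboriginal", "Devanagari", "Deseret", "Gujarati", "Gurmukhi",
    "Hangul", "Han", "Hebrew", "Hiragana", "Katakana_Or_Hiragana",
    "Katakana", "Latin", "Tamil", "Thai", "Yi",
})

# Leading word of a Unicode character name -> script label (approximation).
_NAME_TO_SCRIPT = {
    "LATIN": "Latin", "CYRILLIC": "Cyrillic", "GREEK": "Greek",
    "ARABIC": "Arabic", "HEBREW": "Hebrew", "ARMENIAN": "Armenian",
    "DEVANAGARI": "Devanagari", "THAI": "Thai", "TAMIL": "Tamil",
    "HANGUL": "Hangul", "HIRAGANA": "Hiragana", "KATAKANA": "Katakana",
}

# Constructed, deliberately small table of Cyrillic letters that render like
# Latin ones; a real deployment would load Unicode's confusables.txt instead.
_CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its name."""
    if unicodedata.category(ch).startswith("M"):
        return "Inherited"          # combining marks inherit the base's script
    name = unicodedata.name(ch, "")
    if name.startswith("CJK UNIFIED IDEOGRAPH"):
        return "Han"
    return _NAME_TO_SCRIPT.get(name.split(" ")[0], "Common")


def to_ace(domain: str) -> str:
    """Punycode (ACE) form of a domain, label by label, via the stdlib codec."""
    return domain.encode("idna").decode("ascii")


def display_form(domain: str, allowed: frozenset, reject_mixed: bool = False) -> str:
    """Decide, like a browser address bar, whether to show Unicode or Punycode.

    Native display requires every label's scripts to be in `allowed`; with
    reject_mixed=True a label mixing two real scripts (Common and Inherited
    ignored) is shown as Punycode as well.
    """
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label}
        if not scripts <= allowed:
            return to_ace(domain)
        if reject_mixed and len(scripts - {"Common", "Inherited"}) > 1:
            return to_ace(domain)
    return domain


def skeleton(label: str) -> str:
    """Strip combining marks and map confusable letters to Latin."""
    decomposed = unicodedata.normalize("NFD", label)
    base = "".join(ch for ch in decomposed
                   if not unicodedata.category(ch).startswith("M"))
    return "".join(_CONFUSABLES.get(ch, ch) for ch in base)


def assess(domain: str, protected=("microsoft.com", "symantec.com",
                                   "paypal.com", "apple.com")) -> dict:
    """Report the facts a defender wants about a candidate IDN."""
    labels = domain.split(".")
    findings = []
    for label in labels:
        scripts = {script_of(ch) for ch in label} - {"Common", "Inherited"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        if any(unicodedata.category(ch).startswith("M") for ch in label):
            findings.append(f"combining marks in '{label}'")
    skel = ".".join(skeleton(label) for label in labels)
    if skel != domain:
        for brand in protected:
            if skel == brand or skel.endswith("." + brand):
                findings.append(f"skeleton matches protected brand '{brand}'")
    return {"ace": to_ace(domain), "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs built from the slides: Cyrillic es/o, y with dot
    # below, combining low line, and the iOS-undisplayable U+5906.
    for d in ("mi\u0441r\u043es\u043eft.com", "s\u1ef5mantec.com",
              "sy\u0332mantec.com", "www.apple\u5906.com"):
        print(d, assess(d), display_form(d, SAFARI_DEFAULT_WHITELIST))
```

With the default white list, sỵmantec.com and sy̲mantec.com are shown natively (Latin and Inherited are both allowed), and removing "Latin" flips them to Punycode, which is the effect slide 20 shows; www.apple夆.com passes the list too and is only caught by the mixed-script rule or by the skeleton comparison, which is why a per-label mixed-script policy and a brand skeleton check are worth more than a bare script list.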
Page 16
Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari
Page 17
My first attempt
• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”
Page 18
Somewhat Convincing Spoof in both Punycode and Native Character Formats
• xn--microsoft-msft.com (Punycode)
• micro̦so̤ft.com
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see this:
• Otherwise, they will see this:
Page 19
Hmm.. This is interesting
• sy̲mantec.com
• xn--symantec-rcf.com (Punycode)
• Unicode 0x0332 “COMBINING LOW LINE”
• Safari in Windows 7 - Underline doesn’t display:
Achievement unlocked!
Page 20
A fix?
Removing “Latin” from the Safari IDN white list causes this:
To become this:
Page 21
IDN Spoofing on iOS Devices
The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:
夆 U+5906
悞 U+609E
暵 U+66B5
煒 U+7152
譿 U+8B7F
驊 U+9A4A
Bonus: They are allowed by Safari’s default white list (Han)
Page 22
iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)
Opera Mini:
Mobile Safari:
Page 23
Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.
Page 24
We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
Page 25
iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait
Page 26
QR Codes
Let me show you my QR codes
Page 27
Page 28
Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)
Page 29
american.xn--redcross-vr0o.com
american.redcross夆.com
Page 30
Web Application Vulnerabilities
Arbitrary URL Redirection
Page 31
Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad
https://www.owasp.org/index.php/Open_redirect
Page 32
URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
Page 33
URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)
Page 34
URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
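The defender-side counterpart to slides 31 through 34, as an added example rather than anything from the deck: `is_safe_redirect` is the check a login handler should run before issuing the redirect, and `audit_login_url` is what an analyst runs on a suspicious link to see where it actually points. The validator accepts only same-site relative paths or absolute URLs whose whole host, converted to lower-case Punycode, is on an allow-list, so the "ourcompany.com.xn--…" suffix trick, the ỵ look-alike and the percent-encoded parameter name all fail. The function names, the allow-list and the sample links are assumptions built from the URLs on the slides.

```python
"""Open-redirect hardening and link auditing (added example, not from the deck)."""
from urllib.parse import urlsplit, parse_qs

# Hosts the application is willing to redirect to, in lower-case ACE form
# (assumed allow-list for this example).
ALLOWED_REDIRECT_HOSTS = frozenset({"ourcompany.com", "www.ourcompany.com"})


def host_to_ace(host: str) -> str:
    """Normalise a host to lower-case Punycode so we compare what DNS will see."""
    return host.encode("idna").decode("ascii").lower()


def extract_redirect_target(login_url: str, param: str = "redirect_to"):
    """Return the redirect target carried in `param`, or None.

    parse_qs percent-decodes both names and values, so a parameter name
    written as %72%65%64... still resolves to redirect_to. The fragment is
    split off first; it never reaches the server anyway.
    """
    query = urlsplit(login_url).query
    values = parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Allow same-site relative paths, or absolute URLs whose whole host is allowed."""
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                          # javascript:, data:, vbscript: ...
    if not parts.netloc:
        # Relative target: exactly one leading slash. urlsplit already treats
        # "//evil.example/x" as a netloc, so it never reaches this branch.
        return target.startswith("/") and not target.startswith("//")
    host = parts.hostname                     # strips userinfo and port, lower-cases
    if not host:
        return False
    try:
        ace = host_to_ace(host)
    except UnicodeError:
        return False                          # undecodable IDN label: refuse
    # Exact match only: "ourcompany.com.xn--ourcompany-wr7r.com" is not ourcompany.com.
    return ace in allowed_hosts


def audit_login_url(login_url: str) -> dict:
    """Decode an obfuscated link the way an analyst would before clicking it."""
    target = extract_redirect_target(login_url)
    if target is None:
        return {"target": None, "ace_host": None, "safe": True}
    host = urlsplit(target).hostname
    try:
        ace_host = host_to_ace(host) if host else None
    except UnicodeError:
        ace_host = "<undecodable>"
    return {"target": target, "ace_host": ace_host, "safe": is_safe_redirect(target)}


if __name__ == "__main__":
    # The three obfuscated links from the slides, as constructed input.
    samples = [
        "http://ourcompany.com/wordpress/wp-login.php?"
        "%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C"
        "%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator",
        "http://ourcompany.com/wordpress/wp-login.php?"
        "redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main",
        "http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com"
        "\u3033error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72"
        "%2E%63%6F%6D#501_SQL_Encoding_Error",
    ]
    for url in samples:
        print(audit_login_url(url))
```

Running the audit on the slide 34 link decodes the percent-encoded tail and converts the host to ACE, which yields the `ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com` target the slide names; the same ACE conversion is what lets the validator reject it with a plain set lookup instead of pattern matching on the Unicode form.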
Page 35
Web Application Vulnerabilities
Cross-Site Scripting
Page 36
Cross-Site Scripting (XSS)
Page 37
Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive information
Cool School:
• Compromise a fully patched and secured host
Page 38
BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone
Page 39
BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof of concept tool
Page 40
Social Engineering Toolkit
Page 41
Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector will get through just about anything
• Set up a SET listener on an external host
• Send victim a URL redirect / put link on Twitter or Facebook
• Use with XSS
Page 42
Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects user to WordPress login – steals credentials with keystroke logger
• WordPress site then redirects to SET Java applet page
• SET host has an IDN hostname
• Windows 7 host is compromised
Page 43
Tools Used
Page 44
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
http://www.symantec.com/connect/symantec-blogs/the-security-advisor