Presentation is loading. Please wait.

Presentation is loading. Please wait.

Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University.

Published byJonah Davidson Modified over 9 years ago

Similar presentations

Presentation on theme: "Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University."— Presentation transcript:

1 Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University

2 2.2.2 3.3.3 1.1.1 4.4.4 5.5.5 6.6.6 Oscar: the Off-Path Attacker Bob, I love you! Alice Bob, I leave you! Alice

3 Why Off-Path Attacks? Why not MitM (Eavesdropper)?  Harder: physical access or control router Can Oscar spoof IP packets?  Often not: most ISPs ingress-filter  But enough ISPs don’t (18%-22%) What of challenge-response Defense?  Correct use of challenge-response suffices  But: Often, challenge-response used incorrectly Since used for other purposes, e.g., in TCP for SEQ/ACK  This work: Off-Path TCP Injection Allows XSS, phishing and more…

4 Related Work Predictable ISNs: Morris85, Mitnick95, Zalewski01,05  Address-based client authentication vulnerable [Bellovin89] `PoC’ for Windows clients: klm07  We improve (FW, efficiency), extend to exploit QianMao12, QMXie12: (limited) malware  QM12: Also assumes seq#-checking-fw  Does not work for Windows clients

5 Attack Scenario and Goal 1. Alice surfs to Oscar’s site 2. Alice’s browser runs Oscar’s script (puppet) 3. Puppet sends HTTP requests to Bob 4. Oscar injects response into the connection between Alice and Bob (est. by the puppet) Internet 1. Surf to Oscar.com 2. Send page with script 3. Script opens (hidden) frame of Bob.com 4. Inject (e.g., script) as content from Bob

6 Attack Goal and Scenario Alice’s browser assigns Oscar’s spoofed response with context of `Bob’  Can contain script: cross site scripting (XSS)  Request objects: cross site request forgery (CSRF)  Spoof a web-page, response may be cached

7 What Do We Need? Grocery List Task #1: identify the `victim-connection’ between Alice and Bob  Spoofed data needs to correspond with a real connection Task #2: learn sequence numbers  TCP discards packets with invalid seq # Task #3: exploit  Send (spoofed) data in correct HTTP context  Browser assigns data the credentials of server (Bob)

8 Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):  XSS  CSRF  Phishing Conclusions

9 Identify Victim-Connection A TCP connection has four Identifiers:  Puppet opens connection to Bob (server)  ServerIP:port selected by puppet (attacker)  Client IP: known from client connection to Oscar Client port: sequentially assigned… [Windows] Not sequential? See [GH PETS’12]

10 Learning client port: non-seq’, w FW

11 Finding Server Sequence Number TCP sequence numbers are 32-bits  that’s too long to guess Need to learn the sequence #. How?  Use TCP responses to probe packets Empty-ACK packets provide useful response:  If seq# out of WIN: send ACK to re-sync  If seq# is in WIN: no response to avoid `ACK storm’

12 Finding Server Sequence Number How to detect if response is sent?  Use IP-ID side channel IP-ID: 16 bit identifier in IP header  Used to correctly reconstruct packet from fragments  In Windows: implemented as a global-counter  One connection (to Oscar) leaks info about another! Old trick: NMAP’s idle-scan, Bellovin machine-count,…

13 Finding Server Sequence Number 1. Puppet opens connection to server 2. Oscar sends query-probe-query: 1. Query: unordered 1-byte packets  ACK (ipid) 2. Probe (srcIP = server): empty-ACK with seq# = i∙w w is estimate of WIN size Found  binary search finds exact seq#

14 Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):  XSS  CSRF  Phishing Conclusions

15 Finding Client Sequence Number Already know server seq# (and IPs, ports)  This should have been enough to inject (according to TCP spec) But Windows implementations (as of XP SP2) also validate the ack number of packets The valid ack# is the client’s seq#

16 Finding Client Sequence Number To find client seq#: send pkt w/ data  With server’s IP:port, correct seq#  TCP’s handling depends on ack# For Windows clients:  Silently discards pkt with `old` ack number  Otherwise: send ACK Leaks: ack#>UNA Binary search… UnAcked Next Process Windows: silently discard RFC: Process (often, ack) Discard and send duplicate Ack

17 TCP Injection: Challenges Firewall passing: Ok Lost probes: double-check `no-ack` events Lost query/answer: detect via TCP’s Acks Irrelevant packet sent (IP-ID incremented): repeat `suspect tests’ Not too many extra checks (or failures)… Results…

18 Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):  XSS  CSRF  Phishing Conclusions

19 Exploiting Injections: XSS, CSRF Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com  Typical XSS: exploit bug in site or browser  Off-path-injected XSS: no need for vulnerable site/browser! Script can post fake HTTP requests (CSRF)

20 Exploiting Injections: XSS, CSRF Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com  Typical XSS: exploit bug in site or browser  Off-path-injected XSS: no need for vulnerable site/browser!

21 XSS Exploit: Results Top 1024 sites, 10Mb win clients, 1Mb Oscar Average 32 pkts/s `noise` Immune sites: mostly SSL or non-persistent

22 Exploiting Injections: XSS, CSRF Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com  Circumvents the Same Origin Policy (SOP)  Known XSS: exploit bug in site or browser  Off-path-injected XSS: no need in bug!  Can post fake requests – like CSRF  Circumvents: SOP, origin header, CSP, referrer… Steps:  Est. connection from puppet, find port, SEQ, ACK  Puppet: http://victim.com  Attacker: spoofs response (with MalScript)

23 Phishing by Injection Off-path XSS, CSRF may fail:  To collect user-entered data, e.g., passwords  Esp. if site uses SSL for passwords Alternative: phish / deface !  Change contents: steal PWDs, push malware… Cache spoofed page  at local browser or network proxy User receives the spoofed page when he/she expects real page

24 Phishing by Injection Off-path XSS, CSRF may fail:  To collect user-entered data, e.g., passwords  Esp. if site uses SSL for passwords Alternative: phish / deface !  Change contents: steal PWDs, push malware…

25 Conclusions TCP may not be secure against off-path attackers!  Use `real’ security: SSL/TLS, IPsec, etc Attacks may be improved, abused further…

26 Thank You! Special thank you to CPIIS for supporting my research Questions?

Download ppt "Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao

EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
3-1 Transport services and protocols r provide logical communication between app processes running on different hosts r transport protocols run in end.

3-1 Transport services and protocols r provide logical communication between app processes running on different hosts r transport protocols run in end.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.

Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.

CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.

Similar presentations

Ads by Google