IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation

Slide 1: Active Man in the Middle Attacks
The OWASP Foundation, OWASP, http://www.owasp.org
27/02/2009
Adi Sharabani, Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)
adish
Slide 2: Agenda
Background
  – Man in the Middle
  – Network level: heavily researched
  – Web application level: sporadic research
Outline
  – Passive MitM attacks
  – Active MitM attacks
  – Penetrating an internal network
  – Remediation
Slide 3: Man in the Middle Scenario
All laptop users connect to a public network
Wireless connections can easily be compromised or impersonated
Wired connections might also be compromised
[Diagram: laptops connecting to the Internet through a public network]
Slide 4: Rules of Thumb – Don'ts
Someone might be listening to the requests
  – Don't browse sensitive sites
  – Don't supply sensitive information
Someone might be altering the responses
  – Don't trust any information given on web sites
  – Don't execute downloaded code
Slide 5: Rules of Thumb – What Can You Do?
This leaves us with:
  – Browse your favorite news site
  – Browse your favorite weather site
[Diagram: non-sensitive ("boring") sites versus sensitive ("interesting") sites on the Internet]
Slide 6: You are still vulnerable
Slide 7: Mitigating a Fallacy
Fallacy
  – Executing JavaScript on the victim == executing an attack
Reality
  – Same origin policy
  – Executing an attack requires either:
    – JavaScript + a browser implementation bug, or
    – JavaScript + execution on a specific domain
  – Can be done through XSS
Slide 8: Passive Man in the Middle Attacks
Victim browses to a website
Attacker views the request, manipulates it and forwards it to the server
Server returns a response
Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected
Slide 9: Active Man in the Middle Attack
The attacker actively directs the victim to an "interesting" site:
Victim browses to a "boring" site (My Weather Channel)
Attacker transfers the request to the server
Server returns a response
Attacker adds an IFRAME referencing an "interesting" site (My Bank Site); the IFrame could be invisible
Automatic request sent to the interesting server
Other servers are not affected
Slide 11: Stealing Cookies*
Automatic request contains the victim's cookies
Obvious result: stealing cookies associated with any domain the attacker desires
Will also work for HttpOnly cookies (as opposed to XSS attacks)
* A similar attack was presented by Mike Perry – SideJacking
Slide 12: Demo
Slide 13: Overcoming Same Origin Policy
Victim surfs to a "boring" site
Attacker injects an IFRAME directing to an "interesting" site
Automatic request sent to the interesting server
Attacker forwards the automatic request to the "interesting" server
"Interesting" server returns a response
Attacker adds a malicious script to the response
Script executes with the "interesting" server's restrictions
Result
  – Attacker can execute scripts on any domain she desires
  – Scripts can fully interact with any "interesting" website
Limitations
  – Will only work for non-SSL web sites
Slide 14: Secure Connections – Login Mechanism
Slide 15: Secure Connections
Victim browses to site http://www.webmail.site
Site returns a response with the login form (Please Login / Username / Password / SUBMIT)
Victim fills in the login details (jsmith / ********) and submits the form
Login request is sent through a secure channel
Login successful: "Hello John Smith"
Pre-login action is sent in clear text
Attacker could alter the pre-login response to make the login request be sent unencrypted
Slide 16: Stealing Auto Completion Information*
Attacker redirects the victim to a request for a pre-login page
Attacker returns the original login form together with a malicious script
Script accesses the auto-completion information using the DOM
* A passive version of this attack was described by RSnake in his blog
Result
  – Attacker can steal any auto-completion information she desires
Limitations
  – Will only work for pre-login pages that are not encrypted
  – Will not work seamlessly in IE
Slide 17: Demo
Slide 18: Broadening the Attack (Time Dimension)
Slide 19: Passive MitM Attacks vs. Active MitM Attacks
Both attack classes compared across three time frames:
  – Present ("boring" sites)
  – Past ("interesting" sites)
  – Future ("interesting" sites)
Slide 20: Session Fixation
Attacker redirects the victim to the site of interest
Attacker returns a page with a cookie generated by the server
Cookie is saved on the victim's computer
A while later, victim connects to the site (with the pre-provided cookie)
Attacker uses the same cookie to connect to the server
Server authenticates the attacker as the victim
Result
  – Attacker can set persistent cookies on the victim
Limitations
  – The vulnerability also lies within the server
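The server-side half of the "vulnerability also lies within the server" limitation, as an added example that is not code from the presentation: a session store that accepts and keeps any client-presented session id (the fixable case) beside one that only honours ids it issued and rotates the id at login, so a pre-provided cookie never turns into an authenticated session. Class and function names are hypothetical.

```python
"""Session fixation: a store that honours any client-supplied session id versus
one that only accepts ids it issued and rotates the id at login. Added
illustration, not the presentation's code; all names are hypothetical."""
import secrets

class FixableSessionStore:
    """Vulnerable: whatever id the client presents becomes (or stays) the session,
    so an id planted in the victim's cookie jar is valid after the victim logs in."""
    def __init__(self):
        self.sessions = {}  # session id -> username, None while anonymous

    def request(self, cookie_sid=None):
        if cookie_sid is None:  # only mints an id when none is presented
            cookie_sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(cookie_sid, None)  # unknown ids are accepted as-is
        return cookie_sid

    def login(self, cookie_sid, username):
        sid = self.request(cookie_sid)
        self.sessions[sid] = username  # the pre-login id keeps working
        return sid

    def whoami(self, cookie_sid):
        return self.sessions.get(cookie_sid)

class HardenedSessionStore(FixableSessionStore):
    """Hardened: ids are only ever minted server-side, a presented id that was
    never issued is replaced, and login retires the old id in favour of a fresh one."""
    def request(self, cookie_sid=None):
        if cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_urlsafe(32)  # unguessable, server-generated
        self.sessions[sid] = None
        return sid

    def login(self, cookie_sid, username):
        self.sessions.pop(cookie_sid, None)  # retire whatever id arrived with the login
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = username
        return new_sid  # the server sets this as the new cookie value

def fixation_succeeds(store):
    """Replay the slide: the attacker obtains a server-generated id, plants it on
    the victim, the victim later logs in carrying it, and the attacker then
    presents the same id. True if the attacker is now authenticated as the victim."""
    planted = store.request()             # attacker's own request yields a valid id
    store.login(planted, "victim")        # victim authenticates with the planted id
    return store.whoami(planted) == "victim"
```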
Slide 21: Cache Poisoning
Attacker redirects the victim to the site of interest
Attacker returns a malicious page with the cache setting enabled
Page is cached on the victim's computer
A while later, victim visits the site (and the poisoned page is served from the cache)
Result
  – Attacker can poison any page she desires
  – Poisoned pages will be persistent
Limitations
  – Attacker can only poison non-SSL resources
Slide 22: Complex Hacking – Intranet Networks
Slide 23: Penetrating Internal Network – Simple Cache Poison
Result
  – Attack will be launched every time the victim accesses the resource
  – The attack would execute within the local intranet
Characteristics
  – Firewall protections are helpless
  – Affected servers will never know
  – The attack is persistent
Slide 24: Setting Up a Future MitM Scenario
Using Active MitM techniques, attacker poisons the victim's cache related to his router's web access
Victim's router-related cache is poisoned with a malicious script
Malicious script is executed when the victim tries to access the router
Script configures the router to tunnel future communication through the attacker
Script hides the configuration changes
[Router configuration screen: Outbound Proxy IP Address and Primary DNS Server Address set to 216.187.118.221...]
Result
  – Facilitates future MitM scenarios
  – Does not require the router's credentials
  – Fake settings could be displayed to the user
Limitations
  – Requires the victim to access the router in the future
  – Need to guess the router's address (10.0.1.1)
Slide 25: Increasing the Exposure
Poison common home pages
  – Script will execute every time the victim opens his browser
Poison common scripts
  – Script will execute on every page using the common script
  – Example: http://www.google-analytics.com/ga.js
The "double active" attack
  – A common poisoned page redirects to another poisoned resource (.js)
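A check a site owner or auditor can run against the cache poisoning slide and the "poison common scripts" idea above, as an added example that is not the presentation's code: it computes the freshness lifetime a browser would grant a response (covering max-age, Expires and the Last-Modified heuristic, which goes beyond the single case on the slides) and flags plaintext resources whose rewritten copy would persist in the cache. Function names and the threshold are hypothetical; the sample response is constructed.

```python
"""Audit how long a browser may keep a plaintext (http://) response without
revalidating. Added illustration, not the presentation's code: the names are
hypothetical and the sample response is constructed."""
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

LONG_LIVED = 24 * 3600  # constructed threshold: a poisoned copy kept beyond one day

def parse_headers(raw):
    """Header block of a raw HTTP/1.x response -> dict with lowercase names."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def freshness_lifetime(headers):
    """Seconds a private cache may serve the response without revalidation, in
    RFC 7234 precedence: no-store/no-cache -> 0; max-age; Expires minus Date;
    else the usual heuristic of 10% of the Last-Modified age."""
    cc = {}
    for directive in headers.get("cache-control", "").split(","):
        key, _, val = directive.strip().lower().partition("=")
        cc[key] = val
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if cc.get("max-age", "").isdigit():
        return int(cc["max-age"])
    try:
        date = parsedate_to_datetime(headers["date"])
        if "expires" in headers:
            return max(0, int((parsedate_to_datetime(headers["expires"]) - date).total_seconds()))
        if "last-modified" in headers:
            return int((date - parsedate_to_datetime(headers["last-modified"])).total_seconds()) // 10
    except (KeyError, TypeError, ValueError):
        pass  # missing or malformed dates: treat as not freshly cacheable
    return 0

def poisoning_exposure(url, raw_response):
    """True when the resource is fetched over plain HTTP and a rewritten copy
    would sit in the victim's cache longer than LONG_LIVED seconds."""
    return (urlsplit(url).scheme == "http"
            and freshness_lifetime(parse_headers(raw_response)) > LONG_LIVED)

# Constructed sample: a week-long cacheable script at the common URL named on the slide
SAMPLE_URL = "http://www.google-analytics.com/ga.js"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Fri, 27 Feb 2009 10:00:00 GMT\r\n"
                   "Content-Type: text/javascript\r\nCache-Control: public, max-age=604800\r\n\r\n")
```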
Slide 26: The Double Active Cache Poisoning Attack
Using Active MitM techniques, attacker poisons the common router's address (i.e. 10.0.1.1)
Attacker also poisons common home pages
At a later time, victim opens the browser
Cached home page is loaded and redirects the victim's browser to the router's web interface
Cached router web interface is loaded and the malicious script changes the router's settings
Router is compromised by the malicious script
Result
  – Internal network has been compromised
Limitation
  – Need to guess router IP and credentials
Slide 27: Active Attack Characteristics
  – Not noticeable in the user's experience
  – Not noticeable by any of the web sites
  – IPS/IDS will not block it
  – Can be persistent
  – Can be used to hack into the local organization
  – Bypasses any firewall or VPN
  – Can be used with DNS Pinning techniques
  – A problem with the current design
  – Requires only one plain HTTP request to be transmitted
Slide 28: Remediation
Users
  – Do not use auto-completion
  – "Clean Slate Policy"
  – Trust level separation
    – Two different browsers
    – Two different users
    – Two different OS
    – Virtualization products
  – Tunnel communication through a secure proxy
    – Might not be allowed in many hot-spots
Slide 29: Remediation (continued)
Web owners
  – Consider the risks of partial SSL sites
  – Do not consider a secure VPN connection an SSL replacement
  – Use random tokens for common scripts
    – While considering performance issues
  – Avoid referring to external scripts from internal sites
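A check for the "partial SSL site" risk from the login-mechanism slides and this remediation list, as an added example that is not the presentation's code: it flags a pre-login page or form action travelling in the clear, scripts referenced from plaintext origins, and session cookies lacking the Secure attribute (HttpOnly, as the cookie slide notes, does not keep a cookie out of the automatic plain-HTTP request; Secure does). Function names are hypothetical and the sample page is constructed.

```python
"""Flag the 'partial SSL' weaknesses on one fetched login page: page or form
action in the clear, plaintext script origins, cookies without Secure.
Added illustration, not the presentation's code; names are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Collector(HTMLParser):
    """Collects form actions and script sources from the page markup."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

def partial_ssl_findings(page_url, html, set_cookie_headers=()):
    """Return a list of finding strings for one fetched login page."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("pre-login page served in the clear: its response can be rewritten")
    c = _Collector()
    c.feed(html)
    for action in c.form_actions:
        if urlsplit(urljoin(page_url, action)).scheme != "https":
            findings.append("form posts in the clear: " + action)
    for src in c.script_srcs:
        if urlsplit(urljoin(page_url, src)).scheme == "http":
            findings.append("script loaded in the clear: " + src)
    for sc in set_cookie_headers:
        name = sc.split(";")[0].split("=")[0].strip()
        attrs = [p.strip().lower() for p in sc.split(";")[1:]]
        if "secure" not in attrs:  # HttpOnly alone still travels with plain-HTTP requests
            findings.append("cookie sent with plain-HTTP requests (no Secure): " + name)
    return findings

# Constructed sample modelled on the slide's http://www.webmail.site login page
SAMPLE_URL = "http://www.webmail.site/login"
SAMPLE_HTML = ('<form action="https://www.webmail.site/auth" method="post">'
               '<input name="user"><input name="pass" type="password"></form>'
               '<script src="http://www.google-analytics.com/ga.js"></script>')
SAMPLE_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly"]
```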
Slide 30: Remediation (continued)
Industry
  – Build an integrity mechanism for HTTP
  – Secure WiFi networks
Slide 31: Summary
Active MitM attacks broaden the scope of the passive attacks
  – Design issues
  – Dimension of time
    – Past (steal cookies, auto-completion information, cache)
    – Future (set up cookies, poison cache, poison form filler)
  – Penetrating internal networks
  – Persistent
  – Bypass any current protection mechanisms
More information:
  – Paper and presentation will be uploaded to our blog: http://blog.watchfire.com
Slide 32: References
Watchfire's Blog: http://blog.watchfire.com
Wireless Man in the Middle Attacks: http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
SideJacking: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
More on SideJacking: http://erratasec.blogspot.com/2008/01/more-sidejacking.html
Active SideJacking: http://seclists.org/bugtraq/2007/Aug/0070.html
Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Stealing User Information: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
Slide 33: Thank you!