Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cookiejacking Rosario Valotta. Rosario Valotta Cookiejacking Agenda Me, myself and I The IE security zones IE 0-day Overview on UI redressing attacks.

Published byRaymond Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "Cookiejacking Rosario Valotta. Rosario Valotta Cookiejacking Agenda Me, myself and I The IE security zones IE 0-day Overview on UI redressing attacks."— Presentation transcript:

1 Cookiejacking Rosario Valotta

2 Rosario Valotta Cookiejacking Agenda Me, myself and I The IE security zones IE 0-day Overview on UI redressing attacks Solving the jigsaw The big picture Demo

3 Rosario Valotta Cookiejacking Me, myself and I Day time: IT professional, mobile TLC company, Rome, Italy Night time: web security fan since 2007, released a bunch of advisories and PoCs: Nduja Connection: first ever cross domain XSS worm Critical Path Memova : 40 Millions users worldwide affected WMP: information gathering and intranet scanning OWA: CSRF Blog: http://sites.google.com/site/tentacoloviola/

4 Rosario Valotta Cookiejacking Overview on IE security zones In IE, a web site is assigned to a security zone Sites in the same security zone behave the same way according to security privileges 5 default zones: Local Machine Zone Local Intranet Zone Trusted Sites Zone Internet Zone Restrited Sites Zone Security profiles: A collection of security privileges that can be granted to each given zone Predefined: High, Medium, Medium-Low, Low Customized Privileges: ActiveX & plugins Downloads User authentication Scripting Cross zone interaction Decreasing security privileges Hidden by default

5 Rosario Valotta Cookiejacking Cross Zone Interaction By rule of thumb a web content belonging to a less privileged zone cannot access content belonging to more privileged zone So it should be impossible for a web content to access local machine files. It should be. Access denied

6 Rosario Valotta Cookiejacking Do not open that folder…aka IE 0-day What? Cookies folder of the user currently logged All kind of cookies: HTTP Only Secure (HTTPS) cookie Any website Where? Works on IE 6,7, 8 (also protected mode) Tested on XP SP3, Vista, 7

7 Rosario Valotta Cookiejacking Of coordinated discosure and other oddities… January 28th Disclosed to MSRC IE 9 beta still vulnerable March 14°: f irst official release of IE9 IE9 not vulnerable Two weeks ago New attack vector found, works also on IE9

8 Rosario Valotta Cookiejacking Find a way to access cookies Load arbitrary cookies into an iframe Guess victim’s username Guess victim’s OS document.getElementById(‘myId’).contentWindow. document.innerHTML Access denied file:///C:/Documents and Settings/user/Cookies/user@site.txt Where do we go from here? The path of the cookie folder depends on the username currently logged on Same Origin Policy will block any programmatic access to a local iframe content from web domains Different OSs store cookies in different paths: Windows XP  C:/Documents and Settings/user/Cookies/ Vista and 7  C:/Users/user/AppData/Roaming/ Microsoft/Windows/Cookies/Low/

9 Rosario Valotta Cookiejacking Clickjacking aka UI Redressing attack Introduced by Jeremiah Grossman and Robert Hansen in 2008 It’s all about: Iframes overlapping CSS opacity opacity=0; z-index=1 opacity=100; z-index=0 The basic approach: Iframe properly positioned Iframe made invisible User clicks “hijacked” User interaction is needed, SOP is not triggered Advanced scenario: content extraction (Paul Stone, 2010) z-axis Social engineer a victim Select content from a legitimate 3rd party page Drag&drop content in an attacker controlled element Steal sensitive HTML contents Links and Images are converted in URLs event.dataTransfer.getData(“Text”)

10 Rosario Valotta Cookiejacking A B Advanced Clickjacking: content extraction Third party iframe is positioned on the start point of the selection  A The victim starts to select content (e.g. text or html) Third party iframe is positioned on the end point of the selection  B The victim stops selecting Third party iframe is positioned somewhere between A and B The victim drags the selected content into an attacker controlled iframe The technique is made up of 6 steps:

11 Rosario Valotta Cookiejacking Insights Iframe loads cookie text file (0-day) Ball image overlapped on the iframe Content extraction technique Attacks mash-up: how the SOP was won Find a way to access cookies Load arbitrary cookies into an iframe Opacity=0 Z-index=1 Opacity=100 Z-index=0

12 Rosario Valotta Cookiejacking Missing pieces Find a way to access cookies Load arbitrary cookies into an iframe Guess victim’s username Guess victim’s OS file:///C:/Documents and Settings/user/Cookies/user@site.txt The path of the cookie folder depends on the username currently logged on Different OSs store cookies in different paths: Windows XP  C:/Documents and Settings/user/Cookies/ Vista and 7  C:/Users/user/AppData/Roaming/ Microsoft/Windows/Cookies/Low/ Optimize content extraction Drag & drop API doesn’t work well across browsers Two different dragging actions required in order to: select content drag&drop it out of the iframe

13 Rosario Valotta Cookiejacking Drag & drop Drag & drop APIs Acknowledged as one of the innovations introduced in HTML5 Not formally part of latest HTML5 draft Based on Microsoft’s original implementation available on IE 5 Not fully supported on IE 6,7,8 Custom implementation on http://www.useragentman.comhttp://www.useragentman.com Works well on all IE versions Custom effects: drag feedback image, cursor shape change, etc

14 Rosario Valotta Cookiejacking Advanced content extraction Two nested iframes defined in the attacker page Iframes sizes properly defined in order to ensure that scrolling is needed for the cookie (B content) to completely come into view E.g. A.height=100; B.height=500 The sequence: User moves the mouse over the B iframe When user clicks down the mouse button the “onfocus” event is triggered The scrollspeed property of the iframe A is set to 100 With the mouse button down and the iframe B scrolling into iframe A, the final effect is that the user is selecting text as long as the mouse button is clicked If the scrollspeed is big enough, a single click time is enough to select the whole cookie content First drag action (content selection) collapsed in a click goes here. You must set the iframe height to ensure that scrolling is needed to completey select the content A Cookie content B onfocus=“scrollspeed=100”

15 Rosario Valotta Cookiejacking Missing pieces Find a way to access cookies Load arbitrary cookies into an iframe Guess victim’s username Guess victim’s OS file:///C:/Documents and Settings/user/Cookies/user@site.txt The path of the cookie folder depends on the username currently logged on Different OSs store cookies in different paths: Windows XP  C:/Documents and Settings/user/Cookies/ Vista and 7  C:/Users/user/AppData/Roaming/ Microsoft/Windows/Cookies/Low/ Optimize content extraction

16 Rosario Valotta Cookiejacking I know your (user)name Exploit a “feature” of IE (already discussed by Jorge Medina in 2010) IE supports access to file system objects on SMB shares Uses UNC (Universal Naming Convention) paths to reference them Can be used without restrictions inside web pages in the Internet zone or above Anonymous access is tried first Anonymous access is denied NTLM Challenge/Response Negotiation Windows Username, Windows Computer Name, Windows Domain Capture.pl

17 Rosario Valotta Cookiejacking Missing pieces Find a way to access cookies Load arbitrary cookies into an iframe Guess victim’s username Guess victim’s OS Different OSs store cookies in different paths: Windows XP  C:/Documents and Settings/user/Cookies/ Vista and 7  C:/Users/user/AppData/Roaming/ Microsoft/Windows/Cookies/Low/ Optimize content extraction

18 Rosario Valotta Cookiejacking Little dirty secrets The OS version can be retrieved through a little JS: XP = navigator.userAgent.indexOf("Windows NT 5.1"); Vista= navigator.userAgent.indexOf("Windows NT 6.0"); Win7= navigator.userAgent.indexOf("Windows NT 6.1"); Is the cookie valid? True if the victim is logged on a given website Guess if a victim is logged using a “probing” approach (Jeremiah Grossman, 2006) Dynamic attack setup Probing for user authentication Only define iframes to load valid cookies (1 iframe loads 1 cookie)

19 Rosario Valotta Cookiejacking Ready to pown… Find a way to access cookies Load arbitrary cookies into an iframe Guess victim’s username Guess victim’s OS Optimize content extraction

20 Rosario Valotta Cookiejacking The big picture A page containing is served Victim’s browser requests img and send Windows username Victim is cookiejacked and sends his cookies Index.html Capture.pl User.txt Redir.pl Onerror event the browser is redirected to a perl script dragPoc.html #username The script read the username sniffed and redirects the browser to the PoC page with the hash value set to username Collect.php

21 Rosario Valotta Cookiejacking The perfect PoC - appealing “content” + - willingly “interact” with her

22 Rosario Valotta Cookiejacking Conclusions Cookiejacking: a new kind of UI redressing attack, exploiting a 0-day vulnerability in all versions of IE, all version of Windows boxes Allows an attacker to steal session cookies, no XSS needed Web site independent: it ’ s a browser flaw Current countermeasures against Clickjacking don ’ t work with Cookiejacking Think about using Flash … It ’ s supposed to last for a long time: there is a huge installation base all over the world

23 Rosario Valotta Cookiejacking Thank you.

Download ppt "Cookiejacking Rosario Valotta. Rosario Valotta Cookiejacking Agenda Me, myself and I The IE security zones IE 0-day Overview on UI redressing attacks."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Security researcher finds 'cookiejacking' risk in IE 報告者:劉旭哲.

Security researcher finds 'cookiejacking' risk in IE 報告者:劉旭哲.
Passwords suck Nico Smit November 2014. “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.

Passwords suck Nico Smit November “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd

Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Similar presentations

Ads by Google