Endpoint
7/20/2009
03:53 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Two Newly Disclosed Hacks Prey On Browser, Web Security

New cross-site request forgery (CSRF) proof-of-concept and Firefox 3.5 hacking tool released

Browser security is still a work in progress, and a pair of new attacks is putting more pressure on already-strained defenses: one hacks protections against cross-site request forgery (CSRF), and another pokes holes in a new browser feature in order to break into intranets.

Researchers Inferno and RSnake separately released their work -- Inferno, a proof-of-concept for finding CSRF defense "tokens" by launching a silent brute-force attack on a client's browser, and RSnake (a.k.a. Robert Hansen), CEO of SecTheory, a new tool that goes after Firefox 3.5's new feature for mashups within Web applications.

Inferno posted a proof-of-concept over the weekend that demonstrates how to grab a CSRF token -- basically a security feature assigned to a user that protects against CSRF attacks -- from a user to wage a CSRF attack. His method goes after the client, based on the so-called XSS History Hack that researcher and WhiteHat Security CTO Jeremiah Grossman revealed three years ago.

"Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server," Inferno blogged, mainly because such an attack would be noisy and therefore easily detectable by an intrusion-detection system (IDS) or Web application firewall (WAF). "Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values."

Inferno's client-side attack generates very little traffic, however, so it goes unnoticed by the IDS and WAF, he says. It brute-force hacks sets of URLs in the browser's history to find the user's CSRF token. Once the attacker has the token, he can bypass CSRF protections.

But "unless I, as an attacker, have your session ID [cookie], I can't figure out what your token is," WhiteHat's Grossman says. "And if I do get your session ID...then, well, you've got bigger problems."

CSRF attacks have been relatively rare, mainly because XSS bugs are so prevalent in Web applications and XSS bugs can be used to get past CSRF defenses, anyway, Grossman says. "So when XSS goes away, these [CSRF] attacks will become more common," he says. "If you can't find an XSS [flaw] on the target Website, this technique is something to put in the toolbox."

But Michael Sutton, vice president of security research at Zscaler, notes this new CSRF hack has its limitations -- namely the number of characters in the token. "While the technique has some value for an attacker, it would have limited application given the restriction that the token be no more than five characters and be included in the URI [uniform resource identifier]," he says. "It is common for such tokens to have a greater length and be passed in cookies or hidden form fields."

RSnake, meanwhile, has built a tool that pokes a hole in Firefox 3.5's cross-origin resource sharing (CORS) feature, which lets your server call other servers for mashing up content, for instance. Mozilla has built defenses into CORS to prevent abuse, such as an opt-in measure, but RSnake says he found a way to work around those defenses. "The server that is going to have information pulled from it has some information that tells the browser it's OK to pull this information and return it to the browser's [domain]," he says.

The XMLHttpRequest ping-sweeping tool can basically point the user's browser back at his or her internal network. The attacker can tell if an intranet site is behind the browser given the time it takes the site to respond, or not. "If I can tell the difference between the time that a page can be contacted and the time a browser times out because the connection can't be reached, it turns into an internal 'ping,'" RSnake says. "And it lets the browser see what machines are live and not live.

"By getting them to visit a page that's under my control -- via XSS or otherwise -- I can get the user to perform this pseudo ping-sweep. That would enable me to see the layout of the inside of someone's home or office network if they were running Firefox 3.5 or higher with JavaScript enabled globally."

But this is only a first step in an intranet attack, RSnake says. "All I can see is a server sitting there " I can't see the pages," he says. "But I now know which servers are there and can do a targeted attack on those IP addresses using the cross-domain address."

"CORS could make JavaScript intranet hacking -- an issue that is still unaddressed by browser vendors -- more stealthy," WhiteHat's Grossman adds.

Zscaler's Sutton, meanwhile, says this is yet another port-scanning method for an attacker. "There are other hacks which can permit intranet port scanning, such as those using XSS," Zscaler's Sutton says. "This is yet another port-scanning technique for an attacker to add to their toolkit -- although it is fairly limited in scope at this point being restricted to Firefox 3.5."

RSnake says he didn't test the attack on Internet Explorer 8.0's similar feature, XDomainRequest. Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.