Endpoint
7/20/2009
03:53 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Two Newly Disclosed Hacks Prey On Browser, Web Security

New cross-site request forgery (CSRF) proof-of-concept and Firefox 3.5 hacking tool released

Browser security is still a work in progress, and a pair of new attacks is putting more pressure on already-strained defenses: one hacks protections against cross-site request forgery (CSRF), and another pokes holes in a new browser feature in order to break into intranets.

Researchers Inferno and RSnake separately released their work -- Inferno, a proof-of-concept for finding CSRF defense "tokens" by launching a silent brute-force attack on a client's browser, and RSnake (a.k.a. Robert Hansen), CEO of SecTheory, a new tool that goes after Firefox 3.5's new feature for mashups within Web applications.

Inferno posted a proof-of-concept over the weekend that demonstrates how to grab a CSRF token -- basically a security feature assigned to a user that protects against CSRF attacks -- from a user to wage a CSRF attack. His method goes after the client, based on the so-called XSS History Hack that researcher and WhiteHat Security CTO Jeremiah Grossman revealed three years ago.

"Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server," Inferno blogged, mainly because such an attack would be noisy and therefore easily detectable by an intrusion-detection system (IDS) or Web application firewall (WAF). "Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values."

Inferno's client-side attack generates very little traffic, however, so it goes unnoticed by the IDS and WAF, he says. It brute-force hacks sets of URLs in the browser's history to find the user's CSRF token. Once the attacker has the token, he can bypass CSRF protections.

But "unless I, as an attacker, have your session ID [cookie], I can't figure out what your token is," WhiteHat's Grossman says. "And if I do get your session ID...then, well, you've got bigger problems."

CSRF attacks have been relatively rare, mainly because XSS bugs are so prevalent in Web applications and XSS bugs can be used to get past CSRF defenses, anyway, Grossman says. "So when XSS goes away, these [CSRF] attacks will become more common," he says. "If you can't find an XSS [flaw] on the target Website, this technique is something to put in the toolbox."

But Michael Sutton, vice president of security research at Zscaler, notes this new CSRF hack has its limitations -- namely the number of characters in the token. "While the technique has some value for an attacker, it would have limited application given the restriction that the token be no more than five characters and be included in the URI [uniform resource identifier]," he says. "It is common for such tokens to have a greater length and be passed in cookies or hidden form fields."

RSnake, meanwhile, has built a tool that pokes a hole in Firefox 3.5's cross-origin resource sharing (CORS) feature, which lets your server call other servers for mashing up content, for instance. Mozilla has built defenses into CORS to prevent abuse, such as an opt-in measure, but RSnake says he found a way to work around those defenses. "The server that is going to have information pulled from it has some information that tells the browser it's OK to pull this information and return it to the browser's [domain]," he says.

The XMLHttpRequest ping-sweeping tool can basically point the user's browser back at his or her internal network. The attacker can tell if an intranet site is behind the browser given the time it takes the site to respond, or not. "If I can tell the difference between the time that a page can be contacted and the time a browser times out because the connection can't be reached, it turns into an internal 'ping,'" RSnake says. "And it lets the browser see what machines are live and not live.

"By getting them to visit a page that's under my control -- via XSS or otherwise -- I can get the user to perform this pseudo ping-sweep. That would enable me to see the layout of the inside of someone's home or office network if they were running Firefox 3.5 or higher with JavaScript enabled globally."

But this is only a first step in an intranet attack, RSnake says. "All I can see is a server sitting there " I can't see the pages," he says. "But I now know which servers are there and can do a targeted attack on those IP addresses using the cross-domain address."

"CORS could make JavaScript intranet hacking -- an issue that is still unaddressed by browser vendors -- more stealthy," WhiteHat's Grossman adds.

Zscaler's Sutton, meanwhile, says this is yet another port-scanning method for an attacker. "There are other hacks which can permit intranet port scanning, such as those using XSS," Zscaler's Sutton says. "This is yet another port-scanning technique for an attacker to add to their toolkit -- although it is fairly limited in scope at this point being restricted to Firefox 3.5."

RSnake says he didn't test the attack on Internet Explorer 8.0's similar feature, XDomainRequest. Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.