Endpoint

7/20/2009
03:53 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Two Newly Disclosed Hacks Prey On Browser, Web Security

New cross-site request forgery (CSRF) proof-of-concept and Firefox 3.5 hacking tool released

Browser security is still a work in progress, and a pair of new attacks is putting more pressure on already-strained defenses: one hacks protections against cross-site request forgery (CSRF), and another pokes holes in a new browser feature in order to break into intranets.

Researchers Inferno and RSnake separately released their work -- Inferno, a proof-of-concept for finding CSRF defense "tokens" by launching a silent brute-force attack on a client's browser, and RSnake (a.k.a. Robert Hansen), CEO of SecTheory, a new tool that goes after Firefox 3.5's new feature for mashups within Web applications.

Inferno posted a proof-of-concept over the weekend that demonstrates how to grab a CSRF token -- basically a security feature assigned to a user that protects against CSRF attacks -- from a user to wage a CSRF attack. His method goes after the client, based on the so-called XSS History Hack that researcher and WhiteHat Security CTO Jeremiah Grossman revealed three years ago.

"Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server," Inferno blogged, mainly because such an attack would be noisy and therefore easily detectable by an intrusion-detection system (IDS) or Web application firewall (WAF). "Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values."

Inferno's client-side attack generates very little traffic, however, so it goes unnoticed by the IDS and WAF, he says. It brute-force hacks sets of URLs in the browser's history to find the user's CSRF token. Once the attacker has the token, he can bypass CSRF protections.

But "unless I, as an attacker, have your session ID [cookie], I can't figure out what your token is," WhiteHat's Grossman says. "And if I do get your session ID...then, well, you've got bigger problems."

CSRF attacks have been relatively rare, mainly because XSS bugs are so prevalent in Web applications and XSS bugs can be used to get past CSRF defenses, anyway, Grossman says. "So when XSS goes away, these [CSRF] attacks will become more common," he says. "If you can't find an XSS [flaw] on the target Website, this technique is something to put in the toolbox."

But Michael Sutton, vice president of security research at Zscaler, notes this new CSRF hack has its limitations -- namely the number of characters in the token. "While the technique has some value for an attacker, it would have limited application given the restriction that the token be no more than five characters and be included in the URI [uniform resource identifier]," he says. "It is common for such tokens to have a greater length and be passed in cookies or hidden form fields."

RSnake, meanwhile, has built a tool that pokes a hole in Firefox 3.5's cross-origin resource sharing (CORS) feature, which lets your server call other servers for mashing up content, for instance. Mozilla has built defenses into CORS to prevent abuse, such as an opt-in measure, but RSnake says he found a way to work around those defenses. "The server that is going to have information pulled from it has some information that tells the browser it's OK to pull this information and return it to the browser's [domain]," he says.

The XMLHttpRequest ping-sweeping tool can basically point the user's browser back at his or her internal network. The attacker can tell if an intranet site is behind the browser given the time it takes the site to respond, or not. "If I can tell the difference between the time that a page can be contacted and the time a browser times out because the connection can't be reached, it turns into an internal 'ping,'" RSnake says. "And it lets the browser see what machines are live and not live.

"By getting them to visit a page that's under my control -- via XSS or otherwise -- I can get the user to perform this pseudo ping-sweep. That would enable me to see the layout of the inside of someone's home or office network if they were running Firefox 3.5 or higher with JavaScript enabled globally."

But this is only a first step in an intranet attack, RSnake says. "All I can see is a server sitting there " I can't see the pages," he says. "But I now know which servers are there and can do a targeted attack on those IP addresses using the cross-domain address."

"CORS could make JavaScript intranet hacking -- an issue that is still unaddressed by browser vendors -- more stealthy," WhiteHat's Grossman adds.

Zscaler's Sutton, meanwhile, says this is yet another port-scanning method for an attacker. "There are other hacks which can permit intranet port scanning, such as those using XSS," Zscaler's Sutton says. "This is yet another port-scanning technique for an attacker to add to their toolkit -- although it is fairly limited in scope at this point being restricted to Firefox 3.5."

RSnake says he didn't test the attack on Internet Explorer 8.0's similar feature, XDomainRequest. Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1944
PUBLISHED: 2019-02-21
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-For...
CVE-2018-1945
PUBLISHED: 2019-02-21
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click act...
CVE-2018-1946
PUBLISHED: 2019-02-21
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the stronges...
CVE-2018-1947
PUBLISHED: 2019-02-21
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure withi...
CVE-2018-1948
PUBLISHED: 2019-02-21
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to...