Web Application Social Engineering Vulnerabilities

In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.

Transcript

  • 1. Web Application Social Engineering Vulnerabilities
    Matt Cooley, Lead Security Advisory Analyst, Symantec Security Strategy & Advisory Services
  • 2. Agenda
    1 Overview
    2 Homograph Attacks
    3 Web Application Vulnerabilities
    4 Demonstration
  • 3. Presentation Overview
    • This presentation will demonstrate some attacks that can be used to target users and administrators of web applications.
    • You will learn techniques attackers use to steal money and sensitive data while going undetected.
  • 4. Domain Spoofing: Homograph Attacks
  • 5. Domain Name Spoofing
    • Wait, that’s not a web application vulnerability
    • No, but it’s a tool in our toolbox which we will use to make our attacks more convincing
  • 6. Internationalized Domain Names (IDN)
    • http://例子.测试
    • http://παράδειγμα.δοκιμή
    • http://пример.испытание
  • 7. The problem is, this is also an Internationalized Domain Name: miсrоsоft.com
    This is not: microsoft.com
  • 8. When Homographs Attack
  • 9. Homograph Attacks – A Brief History
    2002 – Paper by Gabrilovich and Gontmakher
    • Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.
    • microsoft.com (authentic)
    • miсrоsоft.com (Russian letters ‘c’ and ‘o’)
    • с = Unicode Character CYRILLIC SMALL LETTER ES (U+0441)
    • о = Unicode Character CYRILLIC SMALL LETTER O (U+043E)
    http://www.cs.technion.ac.il/~gabr/papers/homograph.html
  • 10. Web Browsers Were Fixed.. Kinda
    2005 – Shmoo Group revisits homograph attacks
    • Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera
    • www.paypal.com (the real site): a = Unicode Character LATIN SMALL LETTER A (U+0061)
    • www.pаypal.com (Shmoo’s site): а = Unicode Character CYRILLIC SMALL LETTER A (U+0430)
    http://www.shmoo.com/idn/homograph.txt
  • 11. Still not fixed
    2009 – Chris Weber discloses IDN spoofing issue with Safari
    https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
    http://support.apple.com/kb/ht3733
  • 12. Today
    • All popular browsers implement their own policies for how IDNs should be displayed in the address bar
    • If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – this should raise suspicion
    • Safari and mobile Safari have more permissive rules than Chrome, Firefox, and Internet Explorer
    http://www.idnnews.com/?p=8760
  • 13. These are all the same domain [screenshots]
    • Chrome 14.0, Windows
    • Firefox 7.0, Windows
    • Internet Explorer 9.0, Windows
    • Android 2.2
    • Safari 5.1, Windows
    • Safari 5.0.2, iPhone
    • Opera Mini 6.0, iPhone
  • 14. Safari’s IDN Handling Policy
    • There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
    • /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
    • C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt
    http://support.apple.com/kb/TA22996
  • 15. Safari’s White List
    # Default Web Kit International Domain Name Script White List.
    Common, Inherited, Arabic, Armenian, Bopomofo, Canadian_Aboriginal, Devanagari, Deseret, Gujarati, Gurmukhi, Hangul, Han, Hebrew, Hiragana, Katakana_Or_Hiragana, Katakana, Latin, Tamil, Thai, Yi
  • 16. Safari has the Weakest IDN Spoofing Protection Policy
    • So let’s attack Safari
  • 17. My first attempt
    • sỵmantec.com
    • xn--smantec-h64c.com (Punycode)
    • ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”
  • 18. Somewhat Convincing Spoof in both Punycode and Native Character Formats
    • xn--microsoft-msft.com (Punycode)
    • micro̦so̤ft.com
    • Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
    • If the victim opens the URL in a browser that shows Punycode, they will see this: [screenshot]
    • Otherwise, they will see this: [screenshot]
  • 19. Hmm.. This is interesting
    • sy̲mantec.com
    • xn--symantec-rcf.com (Punycode)
    • Unicode 0x0332 “COMBINING LOW LINE”
    • Safari in Windows 7 – Underline doesn’t display: Achievement unlocked!
  • 20. A fix?
    Removing “Latin” from the Safari IDN white list causes this: [screenshot]
    To become this: [screenshot]
  • 21. IDN Spoofing on iOS Devices
    The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:
    • 夆 U+5906
    • 悞 U+609E
    • 暵 U+66B5
    • 煒 U+7152
    • 譿 U+8B7F
    • 驊 U+9A4A
    Bonus: They are allowed by Safari’s default white list (Han)
  • 22. iOS IDN Spoofing Proof of Concept
    • www.apple夆.com
    • www.xn--apple-c94i.com (Punycode)
    Mobile Safari: [screenshot]
    Opera Mini: [screenshot]
  • 23. Another Neat Trick.. Dot.. Dot.. Dot..
    • So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.
  • 24. We can register one domain and spoof everything!
    • 夆.夆.夆.夆.夆夆.com
    • xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
    • www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
  • 25. iOS Fix?
    • Apple provides a mechanism for preventing native IDN display with undesirable character sets
    • So let’s just remove “Han” from the white list file… oh wait
  • 26. QR Codes
    Let me show you my QR codes
  • 27. [image-only slide]
  • 28. Combining Homograph Attack with QR Codes
    • Replace legit QR code with malicious QR code
    • Victim scans malicious QR code and browser is redirected to attacker’s URL
    • Attacker’s server examines user agent header
    • If it is not a vulnerable device, forward them to a legitimate site
    • Otherwise, spoof the domain and capture info (PROFIT!!!)
  • 29. american.xn--redcross-vr0o.com
    american.redcross夆.com
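Slides 7 through 29 all rest on the same three tricks: a Latin-looking label that mixes in another script (Cyrillic es/o, Han 夆), a decorated Latin letter (ỵ), or a combining mark (U+0332) that some browsers fail to draw. As an added example (not part of the presentation), the following Python check, which a defender could run over hostnames seen in proxy logs or inbound mail, flags each of those patterns per DNS label and shows the Punycode form the user would have seen in a browser with a strict IDN policy. Function names and report format are my own; only the standard library is used.

```python
import unicodedata

def script_of(ch):
    """Coarse script name derived from the Unicode character name."""
    if ch.isascii():
        return "Latin"
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith("CJK"):
        return "Han"
    return name.split()[0].title()       # "CYRILLIC SMALL LETTER ES" -> "Cyrillic"

def analyze_label(label):
    """Return human-readable findings for one DNS label (empty list = clean)."""
    findings, scripts = [], set()
    for ch in label:
        if unicodedata.category(ch) == "Mn":          # combining marks, e.g. U+0332
            findings.append(f"combining mark U+{ord(ch):04X} {unicodedata.name(ch, '')}")
            continue
        if ch in "-0123456789":                      # neutral characters carry no script
            continue
        scripts.add(script_of(ch))
        if not ch.isascii():
            # A non-ASCII letter whose canonical decomposition starts with an
            # ASCII letter is a "decorated" lookalike (ỵ -> y + dot below).
            base = unicodedata.normalize("NFD", ch)[0]
            if base.isascii() and base.isalpha():
                findings.append(f"U+{ord(ch):04X} {unicodedata.name(ch, '')} looks like '{base}'")
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return findings

def analyze_hostname(host):
    """Return (ascii_form_or_None, {label: findings}) for a full hostname."""
    report = {}
    for label in host.lower().split("."):
        findings = analyze_label(label)
        if findings:
            report[label] = findings
    try:
        # The IDNA (Punycode) form is what a browser with a strict display
        # policy shows in the address bar; ASCII-only names pass through unchanged.
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        ascii_form, report["*"] = None, [f"rejected by IDNA: {exc}"]
    return ascii_form, report

if __name__ == "__main__":
    # Constructed inputs taken from the slides; escapes avoid invisible lookalikes in source.
    for host in ["microsoft.com", "mi\u0441r\u043es\u043eft.com", "s\u1ef5mantec.com",
                 "sy\u0332mantec.com", "www.apple\u5906.com"]:
        print(host, "->", analyze_hostname(host))
```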
  • 30. Web Application Vulnerabilities: Arbitrary URL Redirection
  • 31. Arbitrary URL Redirection
    • A common web application vulnerability which can be used to coerce victims into clicking a malicious link
    • http://<target site>/redirect?url=http://<attacker’s site>
    • Because the host name in the URI is legitimate, it should pass the trust test
    • OWASP refers to this vulnerability as “Open redirect”
    • The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad
    https://www.owasp.org/index.php/Open_redirect
  • 32. URL Redirection with Percent Encoding Obfuscation
    Before:
    • http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
    After:
    • http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
  • 33. URL Redirection with IDN Spoofing
    • http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
    Or if targeting iPhone readers:
    • http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
    (xn--ourcompany-wr7r.com = ourcompany夆.com)
  • 34. URL Redirection Triple Threat
    • http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
    • This is the redirection target:
    • http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
    • Use TinyURL to wrap it all up into a nice gift
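Slides 31 through 34 show why checking the `redirect_to` value by eye, or with a substring match on "ourcompany.com", fails: the parameter name and value may be percent-encoded, the host may be an IDN lookalike, or the real domain may appear as a subdomain of an attacker-controlled name. As an added example (not part of the presentation and not WordPress code), this Python validator handles the `redirect_to` parameter the way a login handler should: it lets the query parser decode the obfuscation, then allows only a local path or an http(s) URL whose host, compared in IDNA form, exactly matches an allowlist. `ALLOWED_HOSTS` and the function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example; a real deployment loads it from configuration.
ALLOWED_HOSTS = {"ourcompany.com"}

def redirect_target_from_query(query):
    """Pull redirect_to out of a raw query string.

    parse_qs percent-decodes parameter names as well as values, so the
    obfuscated %72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70... form is
    seen as redirect_to=http..., exactly as the application sees it.
    (The #fragment appended on the slide never reaches the server.)
    """
    values = parse_qs(query).get("redirect_to")
    return values[0] if values else None

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a local path or an http(s) URL whose host is allowlisted."""
    if not target:
        return False
    target = target.replace("\\", "/")       # browsers treat a backslash like a slash
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:         # absolute or scheme-relative (//host) URL
        if parts.scheme not in ("http", "https"):
            return False                     # rejects javascript:, data:, //host, etc.
        host = parts.hostname or ""
        try:
            # Compare in IDNA (Punycode) form so ourcompanỵ.com cannot match
            # ourcompany.com; exact match also rejects the subdomain trick
            # ourcompany.com.xn--ourcompany-wr7r.com.
            host = host.encode("idna").decode("ascii")
        except UnicodeError:
            return False
        return host in allowed_hosts
    # Relative target: require exactly one leading slash.
    return target.startswith("/") and not target.startswith("//")

def resolve_redirect(query, default="/"):
    """Location the login handler should actually send the browser to."""
    target = redirect_target_from_query(query)
    return target if is_safe_redirect(target) else default
```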
  • 35. Web Application Vulnerabilities: Cross-Site Scripting
  • 36. Cross-Site Scripting (XSS) [image-only slide]
  • 37. Cross-Site Scripting Attack Vectors
    Old School:
    • Capture session identifiers to hijack session
    Middle School:
    • Capture keystrokes to steal valid credentials and sensitive information
    Cool School:
    • Compromise a fully patched and secured host
  • 38. BeEF Demonstration
    • Leverage cross-site scripting to log keystrokes on an iPhone
  • 39. BeEF Details
    • Included in BackTrack
    • Works best when used with a persistent cross-site scripting vulnerability
    • BeEF is a good resource to demonstrate bad things you can do with JavaScript
    • Useful as a proof of concept tool
  • 40. Social Engineering Toolkit
  • 41. Social Engineering Toolkit (SET)
    • One of the best ways to remotely compromise a fully patched, fully protected host
    • The Java Applet web attack vector will get through just about anything
    • Set up a SET listener on an external host
    • Send the victim a URL redirect / put the link on Twitter or Facebook
    • Use with XSS
  • 42. Mega Demo
    • Leveraging everything we’ve learned
    • Persistent XSS redirects the user to the WordPress login – steals credentials with a keystroke logger
    • The WordPress site then redirects to the SET Java applet page
    • The SET host has an IDN hostname
    • A Windows 7 host is compromised
  • 43. Tools Used [image-only slide]
  • 44. Thank you!
    matt_cooley@symantec.com
    http://www.symantec.com/connect/symantec-blogs/the-security-advisor
    Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.