Protecting users against XSS-based
password manager abuse
AsiaCCS 2014, Kyoto
Ben Stock, Martin Johns
Agenda
●  Basics on Password Managers
●  Intention & Implementation
●  Automating attacks on Password Managers
●  Analysis...
Password managers and attacks against them
Password managers
●  In a perfect world... one password per site
●  hard task to remember multiple complex passwords
●  So...
Password manager security issues
●  Password manager detects form
●  looks up stored credentials
●  inserts them into form...
Automating attacks
●  Consider XSS attacker (similarly for network attacker)
●  capable of injecting HTML markup (and Java...
Ninja exploitation
7
h.p://ki.enpics.org	
  
Password	
  
Manager	
  
A.acker	
  
Code	
  
Factors for a successful attack
●  URL matching
●  is XSS on any document on the domain sufficent?
●  Form matching
●  can...
Analysis of browsers and applications
What we learned thus far...
●  Automated attacks are dependent on
●  password manager implementations
●  Web application i...
Highlights of built-in password managers*
11
●  URL matching
●  only IE stores the URL, Maxthon does not even store protoc...
Analysis of password fields on the Web
●  Crawl of Alexa Top 4000
●  natural languages matching to detect login forms
●  w...
Summarizing our findings
●  Password managers are quite relaxed in matching criteria
●  XSS on same-domain is sufficient f...
Building a secure password manager
Mismatch in notion/implementations
●  Password Managers should aid in authentication
●  Authentication: "Credentials are s...
Our proposed solution
16
Password
Username
Pwd	
  
Mgr	
   Password
Nonce
Username Username
Pwd	
  
Mgr	
   Password
Usern...
Constraints for this approach
●  Potential pitfalls
●  Attacker changes a form's target
●  posting data to his own server ...
PoC Implementation
Our ExtensionPassword Manager
host=http://localhost, user=user1, pwd=secret
host=http://localhost, user...
PoC Implementation
POST /login.php
Data: user=user1&pwd=nonce
POST /login.php
Data: user=user1&pwd=secret
Our Extension
PO...
Functional evaluation
●  325 domains used JavaScript to access password fields
●  229 domains only check that field is not...
Summary and Conclusion
Summary & Conclusion
●  Most current implementations of password managers
allow for automatic stealing of passwords
●  Cau...
Thank you for your attention!
Special thanks to my student workers Eric Schmall and Armin Stock
●  @kcotsneb
●  http://kit...
Upcoming SlideShare
Loading in...5
×

Protecting Users Against XSS-based Password Manager Abuse

292

Published on

My talk on XSS attacks on password managers as well as a countermeasure as presented at AsiaCCS 2014 in Kyoto

Published in: Engineering, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
292
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Protecting Users Against XSS-based Password Manager Abuse

  1. 1. Protecting users against XSS-based password manager abuse AsiaCCS 2014, Kyoto Ben Stock, Martin Johns
  2. 2. Agenda ●  Basics on Password Managers ●  Intention & Implementation ●  Automating attacks on Password Managers ●  Analysis of browsers and applications ●  Analysis of built-in password managers ●  Study of password fields on the Web ●  Our proposal to a more secure password manager ●  Summary & Conclusion 2
  3. 3. Password managers and attacks against them
  4. 4. Password managers ●  In a perfect world... one password per site ●  hard task to remember multiple complex passwords ●  Solution: password managers ●  take burden to remember these passwords off the user ●  Implementation in two locations 1.  submitting a form è ask user to save password 2.  loading a form è fill in user and password 4 host=http://localhost, user=user1, pwd=secret 1 2
  5. 5. Password manager security issues ●  Password manager detects form ●  looks up stored credentials ●  inserts them into form (and thus the DOM) ●  DOM is accessible by JavaScript ●  both benign code and XSS payloads ●  Attacker code may access field data (in clear text) 5
  6. 6. Automating attacks ●  Consider XSS attacker (similarly for network attacker) ●  capable of injecting HTML markup (and JavaScript code) 1.  inject form with user/password fields 2.  wait for the Password Manager to fill out form 3.  retrieve credentials and send them to the attacker 6 Password   Manager   A.acker   Code  
  7. 7. Ninja exploitation 7 h.p://ki.enpics.org   Password   Manager   A.acker   Code  
  8. 8. Factors for a successful attack ●  URL matching ●  is XSS on any document on the domain sufficent? ●  Form matching ●  can we use a minimal form to easily automate attacks? ●  Autofilling in frames ●  can we exploit multiple domains the same time? ●  User interaction ●  can we fully automate the attack? ●  Autocomplete attribute ●  can a Web site opt out of password storage? 8
  9. 9. Analysis of browsers and applications
  10. 10. What we learned thus far... ●  Automated attacks are dependent on ●  password manager implementations ●  Web application implementation ●  autocomplete=off! ●  (delivery  over  HTTPS)   ●  Two analyses to conduct ●  Password manager implementations ●  Chrome, Firefox, IE, Safari, Opera and Maxthon ●  Analysis of password fields on the Web ●  Secure delivery, autocomplete, ... 10
  11. 11. Highlights of built-in password managers* 11 ●  URL matching ●  only IE stores the URL, Maxthon does not even store protocol or port ●  Form matching ●  no browser stored structure/target URL ●  Autofilling in frames ●  only IE refuses to insert credentials into frames ●  User interaction ●  only IE requires user interaction ●  Autocomplete attribute ●  Chrome, Opera and Maxthon do not adhere to autocomplete *refer to the paper for the complete analysis
  12. 12. Analysis of password fields on the Web ●  Crawl of Alexa Top 4000 ●  natural languages matching to detect login forms ●  wrapping getter for password fields to detect access 12 Characteris*c   #  Sites   %  rel.   %  abs.   Password  field   2,143   100%   53,6%   Form  on  HTTPS  page   821   38,3%   20,5%   AcMon  on  HTTPS  page   1,197   55,9%   29,9%   Autocomplete  off   293   13,6%   7,3%   JavaScript  access   325   15,1%   8,1%  
  13. 13. Summarizing our findings ●  Password managers are quite relaxed in matching criteria ●  XSS on same-domain is sufficient for all but IE ●  Chrome, Opera and Maxthon don't adhere to autocomplete ●  Password fields are meant to work with managers ●  only 13,6% opt-out with autocomplete=off! èPassword managers need to be protected against XSS attackers 13
  14. 14. Building a secure password manager
  15. 15. Mismatch in notion/implementations ●  Password Managers should aid in authentication ●  Authentication: "Credentials are sent to the server" ●  Implementation: "Credentials are inserted into forms and then sent to the server" ●  We propose to align implementation with notion 15
  16. 16. Our proposed solution 16 Password Username Pwd   Mgr   Password Nonce Username Username Pwd   Mgr   Password Username Nonce Username Pwd   Mgr  
  17. 17. Constraints for this approach ●  Potential pitfalls ●  Attacker changes a form's target ●  posting data to his own server / a page that reflects the content ●  Attacker changes method to GET ●  .. and subsequently reads the URL to which a frame was redirected ●  Proposed constraints ●  strict checking of form target URL ●  exchanging nonce only in POST parameters 17
  18. 18. PoC Implementation Our ExtensionPassword Manager host=http://localhost, user=user1, pwd=secret host=http://localhost, user=user1, pwd=nonce 1 2 3 18
  19. 19. PoC Implementation POST /login.php Data: user=user1&pwd=nonce POST /login.php Data: user=user1&pwd=secret Our Extension POST /search.php Data: user=user1&query=nonce POST /search.php Data: user=user1&query=nonce 19
  20. 20. Functional evaluation ●  325 domains used JavaScript to access password fields ●  229 domains only check that field is not empty ●  96 domains send password via XHR ●  23 domains hash password before sending it out ●  1 domain applies base64 encoding ●  6 domains send password in GET parameters ●  30/2143 domains have issues with our solution ●  98,6% of all domains we analyzed work just fine ●  storing passwords in XHRs is not currently supported by browsers 20
  21. 21. Summary and Conclusion
  22. 22. Summary & Conclusion ●  Most current implementations of password managers allow for automatic stealing of passwords ●  Cause: passwords are inserted into forms ●  not into outgoing request ●  We propose alignment of notion and implementation ●  PoC implemented as a Firefox extension ●  working with 98,6% of domains we analyzed 22
  23. 23. Thank you for your attention! Special thanks to my student workers Eric Schmall and Armin Stock ●  @kcotsneb ●  http://kittenpics.org ●  ben.stock@fau.de
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×