In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.
Web Application Social Engineering Vulnerabilities
1. Web Application Social Engineering Vulnerabilities
Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services
2. Agenda
1 Overview
2 Homograph Attacks
3 Web Application Vulnerabilities
4 Demonstration
Web Application Social Engineering Vulnerabilities 2
3. Presentation Overview
• This presentation will demonstrate some attacks that can be used to target users and administrators of web applications.
• You will learn techniques attackers use to steal money and sensitive data while going undetected.
4. Domain Spoofing
Homograph Attacks
5. Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our attacks more convincing
6. Internationalized Domain Names (IDN)
http://例子.测试
http://παράδειγμα.δοκιμή
http://пример.испытание
7. The problem is, this is also an Internationalized Domain Name:
miсrоsоft.com
This is not:
microsoft.com
9. Homograph Attacks – A Brief History
2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.
microsoft.com (authentic)
miсrоsоft.com (Russian letters ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
10. Web Browsers Were Fixed.. Kinda
2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera
www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)
www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)
http://www.shmoo.com/idn/homograph.txt
11. Still not fixed
2009 – Chris Weber discloses IDN spoofing issue with Safari
https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733
12. Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox, Internet Explorer
http://www.idnnews.com/?p=8760
13. These are all the same domain
Chrome 14.0 Windows
Firefox 7.0 Windows
Internet Explorer 9.0 Windows
Android 2.2
Safari 5.1 Windows
Safari 5.0.2 iPhone
Opera Mini 6.0 iPhone
14. Safari’s IDN Handling Policy
• There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt
http://support.apple.com/kb/TA22996
15. Safari’s White List
# Default Web Kit International Domain Name Script White List.
Common
Inherited
Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi
16. Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari
17. My first attempt
• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”
18. Somewhat Convincing Spoof in both Punycode and Native Character Formats
• xn--microsoft-msft.com (Punycode)
• micro̦so̤ft.com
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see this:
• Otherwise, they will see this:
19. Hmm.. This is interesting
• sy̲mantec.com
• xn--symantec-rcf.com (Punycode)
• Unicode 0x0332 “COMBINING LOW LINE”
• Safari in Windows 7 - Underline doesn’t display:
Achievement unlocked!
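Every spoof on slides 7 through 19 uses one of two tricks: letters from another script that draw like Latin ones, or combining marks that disappear at address-bar sizes. The block below is an added example for this page, not code from the talk. It computes the Punycode form a browser falls back to, reduces a name to the ASCII "skeleton" a user perceives so it can be matched against protected brand names, and applies the single-script display policy described on slide 12 label by label. The confusables table is a small constructed subset of the Unicode data; the domain names are the ones from the slides.

```python
# Homograph checks for host names, added as an example for this deck
# (not code from the talk). Standard library only.
import unicodedata

# Constructed subset of Cyrillic and Greek letters that render like Latin
# ones; the real confusables data (Unicode TR39) is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u03b1": "a", "\u03bf": "o",
}


def to_ascii(domain):
    """Punycode (IDNA) form of a domain, label by label: what the address
    bar shows when a browser refuses to display the Unicode form."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """The ASCII string a user perceives: combining marks (dots and lines
    below letters) are dropped after NFD decomposition and lookalike letters
    are folded to the Latin letter they imitate."""
    out = []
    for ch in unicodedata.normalize("NFD", domain):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def label_scripts(label):
    """Scripts used by one label (first word of each character's Unicode
    name: LATIN, CYRILLIC, CJK, ...) and the number of combining marks."""
    scripts, marks = set(), 0
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue                     # digits and hyphens fit any script
        if unicodedata.combining(ch):
            marks += 1
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts, marks


def is_suspicious_label(label):
    """Mixed scripts or combining marks in one label: the tricks behind
    miсrоsоft.com, sỵmantec.com, sy̲mantec.com and apple夆.com. A label made
    only of Han characters (夆) passes, which is why a script white list by
    itself does not stop the iOS non-displayable-glyph spoof."""
    scripts, marks = label_scripts(label)
    return len(scripts) > 1 or marks > 0


def display_form(domain):
    """Browser-style display policy: Unicode only when every label is
    single-script with no combining marks, otherwise Punycode."""
    if any(is_suspicious_label(label) for label in domain.split(".")):
        return to_ascii(domain)
    return domain


def impersonates(domain, protected):
    """Return the protected name that `domain` visually imitates, or None.
    A domain whose skeleton equals itself is not a lookalike of anything."""
    s = skeleton(domain)
    if s == domain:
        return None
    for name in protected:
        if s == name or s.endswith("." + name):
            return name
    return None


if __name__ == "__main__":
    brands = ["microsoft.com", "symantec.com", "paypal.com"]
    for d in ["mi\u0441r\u043es\u043eft.com", "s\u1ef5mantec.com",
              "sy\u0332mantec.com", "www.p\u0430ypal.com",
              "www.apple\u5906.com", "\u5906.com"]:
        print(d, "->", to_ascii(d), "| shown as:", display_form(d),
              "| imitates:", impersonates(d, brands))
```

The skeleton catches the Cyrillic and combining-mark spoofs but not apple夆.com, whose extra character is simply invisible on the affected devices; that one is caught only by the mixed-script rule, and a label consisting solely of 夆 passes both checks, which is the point of slides 21 and 22.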
20. A fix?
Removing “Latin” from the Safari IDN white list causes this:
To become this:
21. IDN Spoofing on iOS Devices
The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:
夆 U+5906
悞 U+609E
暵 U+66B5
煒 U+7152
譿 U+8B7F
驊 U+9A4A
Bonus: They are allowed by Safari’s default white list (Han)
22. iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)
Mobile Safari:
Opera Mini:
23. Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.
24. We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
25. iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait
26. QR Codes
Let me show you my QR codes
28. Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)
31. Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad
https://www.owasp.org/index.php/Open_redirect
32. URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
33. URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)
34. URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
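Slides 31 through 34 smuggle the redirect_to parameter past a reader with a percent-encoded parameter name, a confusable host, and the trusted brand placed in a subdomain of an attacker-controlled name. As an added example for this page (not code from the talk, and not WordPress's own handling), the block below shows how an ordinary query parser still recovers the parameter, how a server-side validator that resolves the target against its own origin and compares hosts in Punycode form rejects all of these variants, and a log check for the needless percent-encoding that gives the obfuscation away. ourcompany.com is the site from the slides; the access-log lines and client addresses are constructed.

```python
# Validating the redirect_to parameter from the slides, added as an example
# for this deck (not code from the talk). ourcompany.com is the site we
# defend, as on the slides; log lines and client addresses are constructed.
import re
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_HOST = "ourcompany.com"

# Request URLs from the slides, each joined onto one line.
PLAIN = "http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com"
ENCODED = ("http://ourcompany.com/wordpress/wp-login.php?"
           "%72%65%64%69%72%65%63%74%5F%74%6F="
           "%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D"
           "#501_Table_Integrity_Error_in_SQL_Notify_Administrator")
IDN = ("http://ourcompany.com/wordpress/wp-login.php?"
       "redirect_to=http://ourcompan\u1ef5.com/wordpress/main")
SUBDOMAIN = ("http://ourcompany.com/wordpress/wp-login.php?"
             "redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main")
LEGIT = "http://ourcompany.com/wordpress/wp-login.php?redirect_to=/wordpress/main"


def redirect_target(request_url):
    """Recover redirect_to the way ordinary query parsers do: names and
    values are both percent-decoded, so %72%65...%6F= is the same parameter
    as redirect_to=. The #fragment never reaches the server; it exists only
    to look like an error reference to the person reading the link."""
    params = parse_qs(urlsplit(request_url).query)
    values = params.get("redirect_to")
    return values[0] if values else None


def safe_redirect(request_url, default="/"):
    """Follow redirect_to only when it resolves to our own host."""
    target = redirect_target(request_url)
    if not target:
        return default
    # Resolving against our origin keeps "/wordpress/main" working and turns
    # "//evilhost.com/x" into an absolute URL with a foreign host.
    resolved = urlsplit(urljoin("https://%s/" % SITE_HOST, target))
    if resolved.scheme not in ("http", "https"):
        return default
    try:
        # Compare hosts in Punycode so ourcompanỵ.com can never equal
        # ourcompany.com; ourcompany.com.xn--...com fails because the whole
        # host, not a prefix of it, must match.
        host = (resolved.hostname or "").encode("idna").decode("ascii")
    except UnicodeError:
        return default
    if host != SITE_HOST:
        return default
    return resolved.geturl()


UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")


def needlessly_encoded(raw_query):
    """True when some %XX in the raw query stands for an unreserved character.
    Browsers never need to encode those, so it marks deliberate obfuscation;
    encoding ':' and '/' inside a value (%3A%2F%2F) is normal and ignored."""
    return any(chr(int(hexpair, 16)) in UNRESERVED
               for hexpair in re.findall(r"%([0-9A-Fa-f]{2})", raw_query))


# Constructed access-log lines in Apache common log format.
LOG = [
    '203.0.113.7 - - [17/Oct/2011:10:01:02 -0400] "GET /wordpress/wp-login.php'
    '?redirect_to=%2Fwordpress%2Fmain HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Oct/2011:10:03:44 -0400] "GET /wordpress/wp-login.php'
    '?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C'
    '%68%6F%73%74%2E%63%6F%6D HTTP/1.1" 302 0',
]


def suspicious_requests(log_lines):
    """Log lines whose request query uses needless percent-encoding."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and needlessly_encoded(urlsplit(m.group(1)).query):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for url in (PLAIN, ENCODED, IDN, SUBDOMAIN, LEGIT):
        print(redirect_target(url), "->", safe_redirect(url))
    print("flagged:", len(suspicious_requests(LOG)))
```

The validator deliberately compares the whole resolved host rather than checking that it starts with or contains ourcompany.com; the slide 33 and 34 hosts all contain the genuine name and would pass a substring test.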
37. Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive information
Cool School:
• Compromise a fully patched and secured host
38. BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone
39. BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof of concept tool
41. Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector will get through just about anything
• Set up a SET listener on external host
• Send victim a URL redirect / put link on Twitter or Facebook
• Use with XSS
42. Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects user to WordPress login – steals credentials with keystroke logger
• WordPress site then redirects to SET Java applet page
• SET host has an IDN hostname
• Windows 7 host is compromised