Hta t07-did-you-read-the-news-http-request-hijacking

625 views

Published on

Hta t07-did-you-read-the-news-http-request-hijacking

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
625
On SlideShare
0
From Embeds
0
Number of Embeds
94
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Hta t07-did-you-read-the-news-http-request-hijacking

  1. 1. DID YOU READ THE NEWS? HTTP REQUEST HIJACKING Yair Amit (@yairam) CTO & co-founder, Skycure Adi Sharabani (@adish) CEO & co-founder, Skycure Session ID: HTA-­‐T07   Session Classification: © 2013 Skycure
  2. 2. About the Presenters ▶  Yair Amit ▶  Adi Sharabani ▶  CTO & co-founder of Skycure ▶  Web, network and mobile researcher ▶  Inventor of 15+ patents ▶  Former manager of the Application Security & Research group at IBM #RSAC ▶  CEO & co-founder of Skycure ▶  Watchfire's research group [Acquired by IBM] ▶  Lead the security of IBM software ▶  Teacher at Ohel Shem high-school #Skycure
  3. 3. Agenda ▶  Background ▶  The Skycure Journal ▶  HTTP Request Hijacking ▶  Demonstration ▶  Impact ▶  Extensions to the attack ▶  Malicious Profiles ▶  Captive Networks ▶  Remediation #RSAC #Skycure
  4. 4. Want to participate? ▶  Ever wanted to be an editor of a newspaper? ▶  Tweet with #skycure during this presentation #RSAC #Skycure
  5. 5. Man in the Middle Challenges Temporal   Cache  Poisoning   Persistent   Sta>c   JavaScript   Dynamic   HTTP   SSLStrip   HTTPS   Specific   User  Ac>on   Ac>ve  Man  in  the  Middle   No  Ac>on   Required   Browsers   #RSAC #Skycure
  6. 6. Man in the Middle Challenges Hybrid  Mobile  Apps   Impact  increases:   Control  is  not  just  over  the   browser,  but  could  “hop”   to  na>ve  capabili>es   Na>ve  Mobile  Apps?   Hybrid  apps  rely  on  a   “browser”  technology   Can  a  dynamic  aSack   happen  here?   Browsers   #RSAC #Skycure
  7. 7. HTTP REQUEST HIJACKING “We accept the reality of the world with which we are presented, it's as simple as that.” - Christof, The Truman show #RSAC
  8. 8. Native Mobile Apps Request  for  content,  command     &  control,  configura>on,  etc.   Response  with  the  data   #RSAC #Skycure
  9. 9. The Skycure Journal ▶  While very basic, The Skycure Journal operates in a similar way to most major news apps: ▶  Load A JSON formatted feed ▶  Parse it ▶  Display to the reader… Code available at: hSps://github.com/skycure/Skycure_news   #RSAC #Skycure
  10. 10. Into the Code / Objective-C - (void)fetchArticles   {   NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! [request setValue:@"application/json” ! forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     #RSAC #Skycure
  11. 11. HTTP Request Hijacking Let’s look at the actual network traffic... #RSAC #Skycure
  12. 12. HTTP Request Hijacking -  (void)fetchArticles   {   NSURL *serverUrl = ! @"http://journal.skycure.com"   [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! HTTP  Request   [request setValue:@"application/json” ! Hijacking   forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     NSURL *serverUrl =! [NSURL URLWithString:@"http://attacker.site/skycureJournal"];   @"http://attacker.site/skycureJournal"   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   #RSAC #Skycure
  13. 13. HTTP Request Hijacking Question: How is that done? Answer: Very simple! #RSAC #Skycure
  14. 14. RFC of 301 Moved Permanently “10.3.2 301 Moved Permanently The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.” Source:  RFC  2616  Fielding,  et  al #RSAC #Skycure
  15. 15. 301 Moved Permanently ▶  “If you need to change the URL of a page as it is shown in search engine results, we recommend that you use a server-side 301 redirect.” (Google help page) ▶  Usage examples: ▶  Moving to a new domain ▶  Merging two websites ▶  Useful for the web, bad for mobile apps #RSAC #Skycure
  16. 16. HRH – Attack Flow A  while  later,   vic>m  opens  the  app   Vic8m  opens  the  app  in  an   untrusted  environment   App  logic  has   changed!   ASacker  returns  a  301   direc>ve  specifying  a   permanent  change  in  URI   App  con>nues  to  connect  to   the  malicious  server!   Malicious  server  can   return  actual  results   from  the  target  server   Vic>m  interacts  with  the   malicious  server   #RSAC #Skycure
  17. 17. HTTP Request Hijacking ▶  Requests can be hijacked! ▶  Seamlessly ▶  Permanently ▶  App logic practically changes ▶  Hidden ▶  Hard to remove #RSAC #Skycure
  18. 18. HRH - Demo This is where you get to dictate the news… #RSAC #Skycure
  19. 19. Impact - Example #RSAC #Skycure
  20. 20. Challenges [1-2] ▶  Some limitations: ▶  Attack is only effective on HTTP ▶  Attacker has to be nearby the victim Answer: Malicious profiles! #RSAC #Skycure
  21. 21. Malicious Profiles ▶  Configuration profiles are a great mechanism to configure iOS devices ▶  However… they might be used for bad deeds: ▶  Tunnel all traffic through remote servers ▶  Install a root certificate ▶  Recently uncovered by Skycure #RSAC #Skycure
  22. 22. Malicious Profiles Demo #RSAC #Skycure
  23. 23. HRH + Malicious profiles ▶  Impact ▶  HRH Extended to HTTPS ▶  HRH can be carried from a different continent #RSAC #Skycure
  24. 24. Challenge [3] ▶  Challenge: ▶  Victim has to open the vulnerable app in the malicious network Answer: Captive! #RSAC #Skycure
  25. 25. Captive to the Rescue ▶  Captive to the rescue: ▶  Victim auto-connects to a network ▶ Pineapple, WifiGate, etc. ▶  Attacker remotely opens an arbitrary application ▶  Vulnerable app gets infected Demo #RSAC #Skycure
  26. 26. Putting it All Together ▶  Generalizing the attack: ▶  Automate an attack on a huge amount of people ▶  Plant malicious code today, perform the attack tomorrow #RSAC #Skycure
  27. 27. HRH-Persister – A Testing Tool ▶  Step 1 (Infect): ▶  Set up a proxy ▶  Open Tested app ▶  Return 301 for every GET request with an identification ▶ Identification could be a domain, sub-domain, path, etc. ▶  For the second “redirected” request, return the original response ▶  Step 2 (detect): ▶  Close the Tested app ▶  Open it again ▶  Look for requests with the identification value #RSAC #Skycure
  28. 28. Vulnerable Apps ▶  We tested a bunch of high profile apps ▶  Almost half of them were susceptible to HRH ▶  Responsible disclosure challenge: we cannot identify and contact all affected vendors #RSAC #Skycure
  29. 29. Developers - Best Practice ▶  Communicate via HTTPS instead of HTTP: ▶  Highly recommended ▶  Effective mitigation, not a fix #RSAC #Skycure
  30. 30. Developers - Best Practice ▶  Caching helps with performance ▶  However, it could lead to security threats ▶  Refrain from using caching in critical logic of the application when not needed* NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl! cachePolicy:NSURLRequestReloadIgnoringLocalAndRemoteCacheData! timeoutInterval:60.0];   #RSAC #Skycure
  31. 31. Developers – Remediation ▶  Change your cache policies to prevent 301 caching ▶  Impact ▶  Practically, remove support for 301 handling in mobile applications ▶  In most cases this is a acceptable ▶  We are talking about apps. If the developer wants to move to a new a page moves permanently, the developer can always update the app itself. #RSAC #Skycure
  32. 32. Developers – Remediation (cont.) @interface HRHResistantURLCache : NSURLCache   @end   @implementation HRHResistantURLCache!  ! - (void) storeCachedResponse:(NSCachedURLResponse *)cachedResponse! forRequest:(NSURLRequest *)request! {! NSInteger statusCode = ! [(NSHTTPURLResponse *)cachedResponse.response statusCode];! ! if (301 == statusCode)! {! return;! }! [super storeCachedResponse:cachedResponse forRequest:request];! }! @end ! #RSAC #Skycure
  33. 33. Developers – Remediation (cont.) ▶  Set the new cache policy to be used by the app ▶  Making sure you place the initialization code before any request in your code. HRHResistantURLCache *myCache = [[HRHResistantURLCache alloc]   initWithMemoryCapacity:512000   diskCapacity:10000000   diskPath:@"MyCache.db"];     [NSURLCache setSharedURLCache:myCache];! Source:  hSp://www.skycure.com/blog/hSp-­‐request-­‐hijacking/   #RSAC #Skycure
  34. 34. End Users ▶  Let us know if you think you have been under attack ▶  Remove and reinstall app to ensure removal of the attack ▶  Always be sure to update your apps ▶  Especially in the near future ▶  Auto-update in iOS 7 #RSAC #Skycure
  35. 35. Organizations/CISOs/IT ▶  Implement a mobile security tool that provides both visibility and protection for mobile related threats #RSAC #Skycure
  36. 36. Future work ▶  Research: ▶  308, 302 + Cache-Control ▶  Other operating systems ▶  RFC: ▶  Create a mobile application specific RFC #RSAC #Skycure
  37. 37. Summary Temporal   Cache  Poisoning   Persistent   Sta>c   HRH   Dynamic   HTTP   Malicious  Profiles   HTTPS   Specific   User  Ac>on   Cap>ve   No  Specific   Ac>on  Required   Na>ve  Apps   #RSAC #Skycure
  38. 38. Summary ▶  Tip of the iceberg ▶  App-level security ▶  Check out our blog for more information: ▶  http://www.skycure.com/blog/http-request-hijacking/ #RSAC #Skycure
  39. 39. Thank  you!   Yair Amit, Adi Sharabani Skycure twitter: YairAmit, AdiSharabani {yair,adi}@skycure.com http://www.skycure.com #RSAC

×