Web Application Social Engineering Vulnerabilities Matt Cooley Lead Security Advisory Analyst Symantec Security Strategy & Advisory Services


In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.


Page 1: Web Application Social Engineering Vulnerabilities

Web Application Social Engineering Vulnerabilities

Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services

Page 2: Web Application Social Engineering Vulnerabilities

Agenda

1. Overview
2. Homograph Attacks
3. Web Application Vulnerabilities
4. Demonstration

Page 3: Web Application Social Engineering Vulnerabilities

Presentation Overview
• This presentation will demonstrate some attacks that can be used to target users and administrators of web applications.
• You will learn techniques attackers use to steal money and sensitive data while going undetected.

Page 4: Web Application Social Engineering Vulnerabilities


Domain Spoofing

Homograph Attacks

Page 5: Web Application Social Engineering Vulnerabilities

Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our attacks more convincing

Page 6: Web Application Social Engineering Vulnerabilities

Internationalized Domain Names (IDN)

http://مثال.إختبار
http://例子.测试
http://παράδειγμα.δοκιμή
http://пример.испытание
http://בײַשפּיל.טעסט

Page 7: Web Application Social Engineering Vulnerabilities


The problem is, this is also an Internationalized Domain Name:

miсrоsоft.com

This is not:

microsoft.com

Page 8: Web Application Social Engineering Vulnerabilities


When Homographs Attack

Page 9: Web Application Social Engineering Vulnerabilities

Homograph Attacks – A Brief History

2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.

microsoft.com (authentic)
miсrоsоft.com (Russian letters ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)

http://www.cs.technion.ac.il/~gabr/papers/homograph.html

Page 10: Web Application Social Engineering Vulnerabilities

Web Browsers Were Fixed.. Kinda

2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera

www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)

www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)

http://www.shmoo.com/idn/homograph.txt

Page 11: Web Application Social Engineering Vulnerabilities

Still not fixed

2009 – Chris Weber discloses IDN spoofing issue with Safari

https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733

Page 12: Web Application Social Engineering Vulnerabilities

Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox, Internet Explorer

http://www.idnnews.com/?p=8760
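The display policy this slide describes (show a label natively only if it passes a script check, otherwise fall back to Punycode) is easy to reproduce. The Python below is an added example and is not part of the original deck; it converts the deck's own look-alike domains from this and later slides (the Cyrillic microsoft, sỵmantec.com, the combining-low-line symantec, apple夆.com, 夆夆.com) to their xn-- form with the standard library `punycode` codec and then applies a conservative display policy. That policy is an assumption modelled on the deck's later suggestion of dropping Latin from the white list, not any browser's actual rules; the function names `to_ascii`, `scripts_of` and `display_form` are also my own.

```python
import unicodedata

# Constructed look-alike domains, written with escapes so the spoofing characters are explicit.
CYRILLIC_MICROSOFT = "mi\u0441r\u043es\u043eft.com"   # Cyrillic es U+0441 and o U+043E (slide 9)
DOTTED_SYMANTEC = "s\u1ef5mantec.com"                 # y with dot below U+1EF5 (slide 17)
UNDERLINED_SYMANTEC = "sy\u0332mantec.com"            # y + COMBINING LOW LINE U+0332 (slide 19)
HAN_APPLE = "www.apple\u5906.com"                     # CJK ideograph U+5906 (slide 22)


def to_ascii(domain: str) -> str:
    """Return the IDNA ASCII form: every non-ASCII label becomes xn-- plus its Punycode.
    This is what a browser shows when it refuses to render a label natively."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Collect the scripts used in a label, taken from the first word of each character's
    Unicode name (LATIN, CYRILLIC, CJK, ...). Combining marks are reported as 'COMBINING'."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue                      # hyphen and digits belong to no script
        if unicodedata.combining(ch):
            scripts.add("COMBINING")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def display_form(domain: str) -> tuple:
    """Decide label by label whether the domain may be shown in native characters.
    Assumed policy (not a real browser's): a label is shown as Punycode if it mixes scripts,
    contains a combining mark, or is non-ASCII Latin; single-script non-Latin labels
    (the Han and Cyrillic cases) are shown natively. Returns (display_string, reasons)."""
    shown, reasons = [], []
    for label in domain.split("."):
        if label.isascii():
            shown.append(label.lower())
            continue
        scripts = scripts_of(label)
        reason = None
        if "COMBINING" in scripts:
            reason = "combining mark"
        elif len(scripts) > 1:
            reason = "mixed scripts " + "/".join(sorted(scripts))
        elif scripts == {"LATIN"}:
            reason = "non-ASCII Latin"
        if reason:
            reasons.append(f"{label}: {reason}")
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown), reasons


if __name__ == "__main__":
    for d in (CYRILLIC_MICROSOFT, DOTTED_SYMANTEC, UNDERLINED_SYMANTEC, HAN_APPLE, "\u5906\u5906.com"):
        text, why = display_form(d)
        print(f"{to_ascii(d):32} shown as {text!r}  {'; '.join(why)}")
```

Note that the single-script Han label passes this policy, exactly as it passes Safari's default white list on slide 21; the deck's iOS spoof relies on the character being allowed but not drawable, which no script check can catch.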

Page 13: Web Application Social Engineering Vulnerabilities


Chrome 14.0 Windows

Firefox 7.0 Windows

Internet Explorer 9.0 Windows

Safari 5.1 Windows

Safari 5.0.2 iPhone

Android 2.2

Opera Mini 6.0 iPhone

These are all the same domain

Page 14: Web Application Social Engineering Vulnerabilities

Safari’s IDN Handling Policy
• There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt

http://support.apple.com/kb/TA22996

Page 15: Web Application Social Engineering Vulnerabilities

Safari’s White List

# Default Web Kit International Domain Name Script White List.
Common
Inherited
Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi

Page 16: Web Application Social Engineering Vulnerabilities

Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari

Page 17: Web Application Social Engineering Vulnerabilities

My first attempt
• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”

Page 18: Web Application Social Engineering Vulnerabilities

Somewhat Convincing Spoof in both Punycode and Native Character Formats
• xn--microsoft-msft.com (Punycode)
• micro̦so̤ft.com
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see this:
• Otherwise, they will see this:

Page 19: Web Application Social Engineering Vulnerabilities

Hmm.. This is interesting
• sy̲mantec.com
• xn--symantec-rcf.com (Punycode)
• Unicode 0x0332 “COMBINING LOW LINE”
• Safari in Windows 7 - Underline doesn’t display:

Achievement unlocked!

Page 20: Web Application Social Engineering Vulnerabilities


A fix?

Removing “Latin” from the Safari IDN white list causes this:

To become this:

Page 21: Web Application Social Engineering Vulnerabilities


IDN Spoofing on iOS Devices

The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:

夆 U+5906

悞 U+609E

暵 U+66B5

煒 U+7152

譿 U+8B7F

驊 U+9A4A

Bonus: They are allowed by Safari’s default white list (Han)

Page 22: Web Application Social Engineering Vulnerabilities

iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)

Opera Mini:

Mobile Safari:

Page 23: Web Application Social Engineering Vulnerabilities

Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.

Page 24: Web Application Social Engineering Vulnerabilities

We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com

Page 25: Web Application Social Engineering Vulnerabilities

iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait

Page 26: Web Application Social Engineering Vulnerabilities


QR Codes

Let me show you my QR codes

Page 27: Web Application Social Engineering Vulnerabilities


Page 28: Web Application Social Engineering Vulnerabilities

Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)

Page 29: Web Application Social Engineering Vulnerabilities

american.xn--redcross-vr0o.com
american.redcross夆.com

Page 30: Web Application Social Engineering Vulnerabilities


Web Application Vulnerabilities

Arbitrary URL Redirection

Page 31: Web Application Social Engineering Vulnerabilities

Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad

https://www.owasp.org/index.php/Open_redirect

Page 32: Web Application Social Engineering Vulnerabilities

URL Redirection with Percent Encoding Obfuscation

Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com

After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator

Page 33: Web Application Social Engineering Vulnerabilities

URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main

Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main

(xn--ourcompany-wr7r.com = ourcompany夆.com)

Page 34: Web Application Social Engineering Vulnerabilities

URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
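The three obfuscations on slides 32 to 34 all collapse to the same thing once the server decodes the query string, which is where the redirect has to be validated. The Python below is an added example, not code from the deck or from WordPress: it parses each of the deck's request URLs the way an application would (`parse_qs` percent-decodes parameter names as well as values and the `#fragment` never reaches the server), normalises the target host to its IDNA ASCII form so a look-alike host can never compare equal to the real one, and accepts only relative paths or absolute URLs on the one permitted host. `ALLOWED_HOST`, the sample URLs and the function names are my assumptions; the 〳 in the triple-threat URL is written as its code point U+3033.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOST = "ourcompany.com"   # assumed: the only host the login page may send users to

# Constructed request URLs, built from the forms shown on slides 32 to 34.
LOGIN = "http://ourcompany.com/wordpress/wp-login.php?"
PLAIN = LOGIN + "redirect_to=http://evilhost.com"
OBFUSCATED = (LOGIN + "%72%65%64%69%72%65%63%74%5F%74%6F="
              "%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D"
              "#501_Table_Integrity_Error_in_SQL_Notify_Administrator")
IDN_SPOOF = LOGIN + "redirect_to=http://ourcompan\u1ef5.com/wordpress/main"
SUBDOMAIN_SPOOF = LOGIN + "redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main"
TRIPLE = (LOGIN + "redirect_to=http://ourcompany.com\u3033error-"
          "%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D"
          "#501_SQL_Encoding_Error")
LEGIT = LOGIN + "redirect_to=/wordpress/main"


def redirect_target(request_url: str) -> Optional[str]:
    """Extract redirect_to as the application sees it: parse_qs splits on & and = first,
    then percent-decodes both name and value, so the obfuscated form yields the same
    target as the plain one. The fragment is dropped by urlsplit and never consulted."""
    values = parse_qs(urlsplit(request_url).query).get("redirect_to")
    return values[0] if values else None


def effective_host(url: str) -> str:
    """The host a browser would actually resolve, in IDNA ASCII form (xn-- labels), so that
    ourcompanỵ.com and ourcompany.com〳error-a.<attacker> can never equal ourcompany.com."""
    host = urlsplit(url).hostname or ""          # .hostname strips userinfo and port
    return ".".join(
        label.lower() if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def is_safe_redirect(target: Optional[str]) -> bool:
    """Allow only same-site targets: a relative path, or an absolute http(s) URL whose
    effective host is exactly ALLOWED_HOST. Other hosts, look-alike hosts,
    ourcompany.com.<attacker>, scheme-relative //host and non-http schemes are refused."""
    if not target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # relative path: must start with a single slash and contain no backslash,
        # which some browsers treat as a slash (protocol-relative trick)
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    if parts.scheme not in ("http", "https"):
        return False
    return effective_host(target) == ALLOWED_HOST


if __name__ == "__main__":
    for name, url in [("plain", PLAIN), ("obfuscated", OBFUSCATED), ("idn", IDN_SPOOF),
                      ("subdomain", SUBDOMAIN_SPOOF), ("triple", TRIPLE), ("legit", LEGIT)]:
        t = redirect_target(url)
        print(f"{name:10} -> {t!r:70} host={effective_host(t)!r:58} safe={is_safe_redirect(t)}")
```

The host comparison is the important part: a check written as `target.startswith("http://ourcompany.com")` would still pass the subdomain spoof on slide 33, and a check on the raw Unicode host would pass nothing obviously wrong on screen while still sending the user elsewhere. Safer still is to keep an allowlist of relative paths and never accept an absolute URL at all.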

Page 35: Web Application Social Engineering Vulnerabilities


Web Application Vulnerabilities

Cross-Site Scripting

Page 36: Web Application Social Engineering Vulnerabilities


Cross-Site Scripting (XSS)

Page 37: Web Application Social Engineering Vulnerabilities

Cross-Site Scripting Attack Vectors

Old School:
• Capture session identifiers to hijack session

Middle School:
• Capture keystrokes to steal valid credentials and sensitive information

Cool School:
• Compromise a fully patched and secured host

Page 38: Web Application Social Engineering Vulnerabilities

BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone

Page 39: Web Application Social Engineering Vulnerabilities

BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof of concept tool

Page 40: Web Application Social Engineering Vulnerabilities


Social Engineering Toolkit

Page 41: Web Application Social Engineering Vulnerabilities

Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector will get through just about anything
• Set up a SET listener on an external host
• Send victim a URL redirect / put link on Twitter or Facebook
• Use with XSS

Page 42: Web Application Social Engineering Vulnerabilities

Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects user to Wordpress login – steals credentials with keystroke logger
• Wordpress site then redirects to SET Java applet page
• SET host has an IDN hostname
• Windows 7 host is compromised

Page 43: Web Application Social Engineering Vulnerabilities


Tools Used

Page 44: Web Application Social Engineering Vulnerabilities

Thank you!


Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

[email protected]

http://www.symantec.com/connect/symantec-blogs/the-security-advisor