Sunday, November 29, 2009

Browser Phishing Explained

With SecurityByte and OWASP AppSec Asia behind us, it’s time to publish the technical details of my talk. I will be doing it over a few blog posts. In this post I will explain what Browser Phishing is and why this particular term was chosen.

Any attack that exploits the browser's reliance on the ‘SameOriginPolicy’, to extract data controlled by the browser or compromise any feature of the browser without need for any user interaction or input can be called as Browser Phishing. Typically this would mean attacks on browser components that use ‘SameOriginPolicy’ as a means of access control. This includes, cookies, LocalSharedObjects, remember password feature, browser cache, Google Gears Database and LocalServer modules, HTML5's Session, Global, Local and Database Storage and Application Caching and other similar components. Browser phishing can be performed normally when the attacker is able to manipulate the victim’s DNS or HTTP traffic.

There are three primary circumstances under which browser phishing can be performed, these are:

1) Attacker has performed DNS cache poisoning on the DNS server used by the victim.

2) Attacker is able to perform MITM on the victim's HTTP traffic. Active MITM attack would fall in this category.

3) Attacker has control over the victim's gateway, typical example is an attacker controlled wireless access point. Karmetasploit and Imposter make use of this technique.

4) Attacker is able to poison the proxy’s cache through HTTP Response Splitting

The term ‘Browser Phishing’ is apt because this is a phishing attack against the browser. In a traditional phishing attack the user is duped in to believing that an attacker controlled site is the legitimate site. Attacker achieves this by designing a fake site that looks exactly like the original site and suitably masks the URL. Users identify a website based on its looks, this trust is abused to extract information like username, password and credit card details from the victims. Browser trust a site based on its domain name, when an attacker is able to make use of this trust and serve his malicious content under the legitimate domain name and extract data from the browser or abuse other features of the browser like placing backdoors then it’s a phishing attack performed against the browser and hence browser phishing.

This is a very old attack and Karmetasploit, which was released in 2008 can perform the cookie stealing and saved form data stealing attacks out of the box. It can be extended to perform attacks on the other components as well. Inspite of this there is very little attention given to this vector, largely due to the assumptions of limited impact and less probability of execution. In today's scenario such assumptions are completely misplaced. With Google Gears' and HTML5's client-side features, the impact of such an attack is equivalent to that of an account compromise if not greater. The extremely frequent use of public Wi-Fi based network access trend has greatly increased the probability of this attack being executed successfully. This vector should be taken into consideration when designing and developing applications and during security audits.

1 comment: