Thursday, March 4, 2010

New technique to be released for Attacking JAVA Serialized Communication at Black Hat Europe 2010

Hey guys, this year Black Hat Europe is happening at Barcelona, Spain and I will be presenting there for the first time. The topic that I'm speaking on is "Attacking JAVA Serialized Communication". You can read the abstract here. There is an interesting aspect behind this topic. To give you a short background, I usually conduct trainings on Secure Code Development for JAVA developers and Security Testing for QA testers. During one of the lectures, while I was explaining parameter tampering on web applications using interception proxies, one of the developers asked me how I can accomplish the same on thick clients which normally transfer data as serialized objects. At that moment, I could only show how to modify hex bytes for simple strings. But then he started arguing that usually in large enterprise applications the variables themselves are complex objects and not simple strings.

I was stumped. I did not have a clear-cut solution (though I knew it is possible) to explain to him that this can be done. I started searching the internet for articles explaining this, but couldn't find anything conclusive enough. I have been working on this since December last year and finally perfected the concept and wrote a plug-in for BurpSuite as a PoC to explain how easy it is. I would like to thank Eric and Shay for some wonderful work they have done which has helped me in achieving this goal.

At Black Hat I will be explaining how this can be achieved and what are the various problems currently faced by pentesters while testing applications using serialized communication. If you are visiting Black Hat this year at Barcelona, I would be happy to meet you and share some thoughts on similar topics. Looking forward to socializing with some great people there and gaining some new insights on current security trends.

Tuesday, March 2, 2010

Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution

This idea occurred to me a few weeks back when discussing the potential impact of ClickJacking attacks with Luca. Submitting forms using ClickJacking is hard work and is only successful in very rare scenarios. The Twitter ClickJacking attack was one famous instance where form submission was involved, but it was a form that was submitted over ‘GET’ request.

In this post I will discuss a technique that can be used to bypassing any CSRF counter measures and submit POST method -based forms with attacker controlled data using ClickJacking. This works on JSP applications and partially on ASP.NET applications.

Let us take the case of a simple primary Email ID update form. Such forms are common in many web applications. They are simple but extremely important, if an attacker manages to force a victim to update his primary Email ID with that of the attacker’s ID then the attacker can perform a password reset and compromise the victim’s account.

A sample Email ID update form is given below, this contains a ‘csrf-token’ parameter for CSRF protection:

<form method="POST">
<input type="text" name="email" value=””></input>
<input type="hidden" name=”csrf-token” value="a0a0a0a0a0a"/>
</form>

Let’s say this form is available at 'www.example.com/updateEmail.jsp'
Since this form does not contain an ‘action’ attribute, on submission the form will be submitted to the current URL in the address bar, which will be ‘www.example.com/updateEmail.jsp’.

The source code of 'updateEmail.jsp' would typically look like this:

if ( request.parameter("email").isSet() && request.parameter("csrf-token").isValid() )
{
//process the form and update the email ID
}
else
{
//display an empty form to the user (CSRF token included)
}

The application checks if the request contains a valid CSRF token, if not it displays the form to the user.

Now to submit our sample form using ClickJacking the attacker can include an iframe like this
'<iframe src=”http://www.example.com/updateEmail.jsp?email=evil@attackermail.com”>'

When this request goes to the server the application would display the update form. When this form is submitted by the victim using ClickJacking the request that is sent to the server is like this:

POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1
Host: www.example.com

email=&csrf-token=a0a0a0a0a0

Since the form was not filled by the victim, the email parameter in the POST body is blank. However since the action attribute of the form was empty the form is submitted to www.example.com/updateEmail.jsp?email=evil@attackermail.com. Now the QueryString contains the attacker entered value for the ‘email’ parameter.

This request contains two values for the ‘email’ parameter, one in POST body and one in QueryString. Enter HTTP Parameter Pollution, when the server side JSP code calls request.parameter("email"), the value that is returned is the one in the QueryString and not the POST body. Since this value can be controlled by the attacker he can trick the victim in to updating his account with the attacker’s mail ID.

This attack can also work in cases when the form is submitted with JavaScript like this:

<form onSubmit=process()>
<input type="text" name="email" value=""></input>
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

<script>
function process()
{
//check if email is set
form.action = document.location; //document.location will give out the entire URL with parameters
form.method = "post";
form.submit();
}
</script>

Apart from JSP applications, this attack can be extended to ASP.NET applications as well.
However since ASP.NET appends a ‘,’(comma) between duplicate parameters, it not as clean. But there are plenty of areas where having a trailing ‘,’ won’t hurt. In ASP.NET applications the form action is always set by the framework because of the 'runat="server"' attribute. The only requirement now is that the application should make use of Request.Params. Even if the application does not use Request.Params, forms submitted over 'GET' are still vulnerable. So all ASP.NET application using Request.Params or submitting forms over 'GET' are vulnerable to this attack!

Similar attack is also possible on ASP applications where the form element is of the form described earlier and if it is submitted over 'GET'. Like ASP.NET application a trailing comma is introduced here as well. A more detailed description of HTTP Parameter Pollution on ASP and ASP.NET applications and the significance of Request.Params is explained here. This whitepaper discusses how HPP can be used to bypass WAF.

Imposter and Whitepapers released

This is it folks! Finally Imposter is available for download. I have put up a short tutorial on how to use it along with some videos of the attacks.
I am also releasing two white papers:
Flash+IE=Prison Break – Explains the File Stealing attack against Internet Explorer in detail.
Google Gears for Attackers – Explains the different browser phishing attacks that can be performed against user of Google Gears.
Source code of the File Stealing exploit is also online for the sake of the more curious amongst us.
Would love to hear your feedback on the tool and the papers.