Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Reverse Session Fixation Attack
Posted by: clayfox
Date: June 15, 2009 09:45AM

I have been trying to find some use-cases for a rather odd type of attack. Here is the scenario: The attacker can authenticate the victim as the attacker. This is not necessarily to make the site mistrust the victim, but to force the victim to take actions under a known account. The primary vector I see here is being able to store a cookie or affix some session or authentication token to someone without their knowledge or consent (perhaps an XSS hole on the login page).

1. You could get them to buy something on an amazon.com-like site under an account you control and thus get it shipped to you.
2. You could take advantage of their trust in the site and attempt some type of phishing scam to harvest info from them. "Sir or Madam, please log in using this username and password to access your info. When you log on for the first time, please change the password." They would, of course, then change the password to their common password. You could go into this controlled account and have it email you your password if that's how password recovery worked on the site.
3. If the site had different account types, then you might be able to do some type of forced privilege escalation. The attacker has a higher-level account that lets them store their credit card number. The victim can't on their usual session, but if tricked into being on the attacker's session, they can.
4. You could get the victim to take an action for you and then repudiate it later. This could be used in stock trading. You would take credit for the good moves and claim that you didn't do the bad moves. And you wouldn't have!
5. You could rig a contest. Contest rules: first to answer the question wins and you can answer as many times as you want. If you force everyone to act under your account, then the correct answer will get submitted from your account, thus you win! This is an example of a larger attack, which would be taking credit for others' work.

Most of these seem a bit contrived to me, but attacks always have actual uses that no one sees at first and dismisses offhand. So what are your ideas? What malicious things could you do if you could force a user of a site to be authenticated as you?


Re: Reverse Session Fixation Attack
Posted by: Gareth Heyes
Date: June 15, 2009 09:52AM

Yeah, this is a valid attack vector; all sites I've seen do not protect login screens with a CAPTCHA (probably impractical) and no tokens either. I used this technique to create an online chatroom on the back of delicious which also forced the user to log in as an account I specified. This could also be used to see which users are bookmarking what on delicious.

"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Reverse Session Fixation Attack
Posted by: clayfox
Date: June 16, 2009 02:30PM

The two attacks that seem the largest here are: taking credit for others' work (it gets posted under your account) and monitoring people's activity. Delicious seems like a good place for monitoring people's activity. I don't actually know how experts-exchange works, but if you got paid for good answers, then you could trick the best answerers into submitting answers under your account. I also see the possibility to frame someone as a hacker. Claim that they captured your cookie and started taking actions in your account. All of that would be true except for the intent.


Re: Reverse Session Fixation Attack
Posted by: kuza55
Date: July 16, 2009 08:31AM

I saw an academic paper on this a while ago, but short of an ability to set cookies for a specific path (so that the user cannot generally tell they are submitting info for someone else), and a lack of CSRF tokens, this seems like something that will look pretty suspicious to users when their account doesn't look like their account...

However, it is very useful to exploit XSS bugs which are protected by CSRF (or other non-predictable) tokens.

Don't forget our IRC: irc://irc.irchighway.net/#slackers

Re: Reverse Session Fixation Attack
Posted by: clayfox
Date: July 17, 2009 01:01PM

Good point. Perhaps its use would have to be more targeted, like CSRF on admin accounts, or spear-phishing attempts.

Setting the path specific to one function is a great idea! For an attack where you get someone to submit an answer under your account, you could set the cookie path as "/path/to/submission/page.php" for example. That would cause your cookie to get submitted only with answer submission. Their cookie would get submitted for every other page, so they would be in their account. Your cookie would probably not get overwritten, but which one would get used is probably a question of browser implementation.


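Gareth's observation that login screens rarely carry tokens, and kuza55's that a missing CSRF token is what makes the forced login possible, point at the standard mitigation: a login-form token bound to an anonymous pre-login cookie, plus session-id rotation once credentials are accepted. The following is an added example written for this thread, not code from any poster; the in-memory session store, the server key and the plaintext user table are constructed stand-ins for a real application.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"demo-only-server-key"

# Constructed in-memory session table: session id -> {"user": name or None}
sessions = {}


def start_pre_login_session():
    """Issue an anonymous session cookie plus a login-form token bound to it.

    The token is an HMAC over the pre-login session id, so a login POST is
    accepted only from the browser that was issued that exact cookie. A
    cross-site POST that "logs the victim in as the attacker" cannot carry a
    token matching the victim's own cookie.
    """
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": None}
    token = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return sid, token


def login(cookie_sid, form_token, username, password, userdb):
    """Process a login POST. Returns (ok, new_session_id_or_reason)."""
    if cookie_sid not in sessions or sessions[cookie_sid]["user"] is not None:
        return False, "no pre-login session"
    expected = hmac.new(SERVER_KEY, cookie_sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form_token or ""):
        # Token does not match the cookie that accompanied the POST:
        # treat it as a forged (login-CSRF) submission and log/deny.
        return False, "login token mismatch"
    # Constructed credential check; real code verifies a password hash.
    stored = userdb.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return False, "bad credentials"
    # Rotate the session id on privilege change so any id that existed
    # before authentication (fixed or otherwise) is never reused.
    del sessions[cookie_sid]
    new_sid = secrets.token_urlsafe(32)
    sessions[new_sid] = {"user": username}
    return True, new_sid
```

A forged login carrying the victim's cookie but the attacker's (or no) token fails the `compare_digest` check, while a genuine submission from the same browser succeeds and receives a fresh session id.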