Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Authenticating a victim under an attacker's credentials
Posted by: clayfox
Date: May 13, 2010 11:27AM

This flaw exists in most authentication systems I see, but I've had trouble convincing people (including myself) that it's really a problem.

The attack can be just a CSRF which submits the attackers credentials to log in the victim and then redirects them to the site. Many to most authentication schemes don't have nonces in the login form.

What attacks does this allow? I see a few:
1. Getting someone to enter info that only they know (data extraction). This could involve passwords, CC numbers, SSNs, Intellectual Property, and pretty much any other data or actions involved in the application.
2. Framing someone for hacking.
3. Taking advantage of someone else's hard work (taking surveys, entering raffles, etc).


I know that there is a big issue with the victim noticing that the system is treating them like a different user, but let's ignore that.

What do your devious minds see?

-clayfox

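The login CSRF clayfox describes, and the fix he alludes to (a nonce in the login form), as an added example that is not part of the original post. It is a constructed in-memory login service, not any real framework's API: the unprotected handler accepts any POST carrying valid credentials, so a cross-site auto-submitted form with the attacker's own credentials logs the victim's browser into the attacker's account; the protected handler requires a one-time token that was issued into the victim's pre-authentication session when the form was rendered, which the attacker's page cannot read, and it regenerates the session identifier on successful login. The user table and session store are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    login_token: Optional[str] = None  # anti-CSRF token for the (still anonymous) login form


class LoginService:
    """Constructed stand-in for a site's login endpoint and session store."""

    def __init__(self) -> None:
        # Constructed credential table; "attacker" is the account the attacker controls.
        self.users = {"attacker": "attacker-pw", "victim": "victim-pw"}
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        """Browser gets an anonymous session cookie as soon as it visits the site."""
        s = Session(sid=secrets.token_urlsafe(16))
        self.sessions[s.sid] = s
        return s

    def render_login_form(self, sid: str) -> str:
        """Rendering the form binds a fresh token to the caller's session.
        The token travels only in the page body, never in a cookie, so a
        cross-site page cannot obtain it."""
        token = secrets.token_urlsafe(16)
        self.sessions[sid].login_token = token
        return token

    def login_unprotected(self, sid: str, username: str, password: str) -> Optional[str]:
        """Vulnerable pattern: any POST with valid credentials binds that
        user to whatever session cookie the browser sent along."""
        if self.users.get(username) != password:
            return None
        self.sessions[sid].user = username
        return sid  # same session id, now authenticated

    def login_protected(self, sid: str, username: str, password: str,
                        token: Optional[str]) -> Optional[str]:
        """Hardened pattern: require the session-bound one-time token, then
        issue a brand-new session id so the pre-login id carries nothing."""
        s = self.sessions.get(sid)
        if s is None or s.login_token is None or token is None:
            return None
        if not hmac.compare_digest(s.login_token, token):
            return None
        s.login_token = None  # single use, even if the credentials turn out wrong
        if self.users.get(username) != password:
            return None
        del self.sessions[sid]
        fresh = Session(sid=secrets.token_urlsafe(16), user=username)
        self.sessions[fresh.sid] = fresh
        return fresh.sid

    def current_user(self, sid: Optional[str]) -> Optional[str]:
        s = self.sessions.get(sid) if sid else None
        return s.user if s else None


def simulate_login_csrf(service: LoginService, protected: bool) -> Optional[str]:
    """Returns which account the victim's browser ends up logged in as after
    visiting a page that auto-submits the attacker's credentials to /login."""
    victim = service.new_session()           # victim already has a cookie for the site
    forged = {"username": "attacker", "password": "attacker-pw"}
    if protected:
        # The forged form carries no token: the attacker's origin cannot read the
        # victim's page, and the token is not in a cookie the browser would attach.
        sid = service.login_protected(victim.sid, token=None, **forged)
    else:
        sid = service.login_unprotected(victim.sid, **forged)
    return service.current_user(sid)


def legitimate_login(service: LoginService) -> Optional[str]:
    """Same protected endpoint, used the way the real login form uses it."""
    s = service.new_session()
    token = service.render_login_form(s.sid)
    new_sid = service.login_protected(s.sid, "victim", "victim-pw", token)
    assert new_sid != s.sid and s.sid not in service.sessions  # id was rotated
    return service.current_user(new_sid)


if __name__ == "__main__":
    print("unprotected:", simulate_login_csrf(LoginService(), protected=False))  # attacker
    print("protected:  ", simulate_login_csrf(LoginService(), protected=True))   # None
    print("legit:      ", legitimate_login(LoginService()))                      # victim
```

The token must be bound to a session that exists before authentication; a site that only sets a session cookie after login has nowhere to anchor it, which is why many login forms end up with no nonce at all. The `SameSite` cookie attribute reduces but does not remove the need for this, since the forged request here does not depend on any cookie being sent.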
Re: Authenticating a victim under an attacker's credentials
Posted by: mckt_
Date: May 13, 2010 10:51PM

A few big ones that keep popping up in my wanderings-

Flash attacks- when the target site's crossdomain.xml file allows *.targetsite.com, and there's a flash upload vulnerability on bugs.targetsite.com, but exploiting it requires the user be logged into the attacker's profile, you:
a) log the user into your account
b) grab the flash payload
c) perform requests to www.targetsite.com

It sounds awfully specific, I know, but it's a wicked combo move, and far more common than I expected.

Similarly, there's a handful of other cross-subdomain attacks dealing with cookies. An XSS hole in a secondary app that's only accessible to the attacker can be used to poison/manipulate existing sessions of users in the main app without logging them out.

Another though, related to your data extraction- if you can, say, log somebody into your Google or Bing account, you can log in later and view any searches that they've made (opt-in on Google). Google added CSRF tokens to logins last fall, but those, too, can be bypassed with an XSS anywhere on *.google.com. (Not exactly easy these days, but it happens every once in a while)

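The crossdomain.xml condition mckt_ starts from (a policy that trusts `*.targetsite.com`, so a flaw on any one subdomain reaches the main host) is something a defender can check for mechanically. The following audit script is an added example, not code from the original thread or from any Flash tooling: it parses a constructed policy file with the standard library and flags the entries that widen trust beyond a single named host. The `secure="false"` check reflects the policy attribute's documented meaning (allowing non-HTTPS origins to reach an HTTPS policy); the sample policy and its domains are made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed policy file for the example; the domain names are placeholders.
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.targetsite.com" />
  <allow-access-from domain="partner.example" secure="false" />
  <allow-access-from domain="www.targetsite.com" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text: str) -> List[Tuple[str, str]]:
    """Return (domain, reason) pairs for every allow-access-from entry that
    extends trust beyond one named host or weakens the transport requirement."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        secure = entry.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append((domain, "any origin may make credentialed Flash requests"))
        elif domain.startswith("*."):
            # Exactly the situation in the thread: every subdomain is trusted,
            # so an upload or XSS flaw on one of them reaches this host's data.
            findings.append((domain, "wildcard trusts every subdomain; one weak subdomain exposes this host"))
        if secure == "false":
            findings.append((domain, 'secure="false" lets an http:// origin reach https:// content'))
    return findings


if __name__ == "__main__":
    for domain, reason in audit_crossdomain(SAMPLE_POLICY):
        print(f"{domain}: {reason}")
```

A clean policy lists only the specific hosts that genuinely need cross-domain access; the mitigation for the combo mckt_ describes is to stop trusting the subdomain where bug trackers, upload handlers, or other secondary apps live.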
Re: Authenticating a victim under an attacker's credentials
Posted by: CryingWolf
Date: May 14, 2010 08:54AM

Are there implicit steps between b) and c) where you then log yourself out and send off pings waiting to see if they ever log in to targetsite?

Otherwise aren't the requests just from your account? Maybe it's a throwaway account and the goal is to distribute the requests among victim machines?

Re: Authenticating a victim under an attacker's credentials
Posted by: clayfox
Date: May 14, 2010 09:26AM

I assumed that there were different logins for bugs.targetsite.com and www.targetsite.com, and that the victim was already logged into www.targetsite.com.

If not, then CryingWolf isn't just crying wolf. ;)

-clayfox
