Post a web+network transitive trust relationship here
Date: January 22, 2007 07:45AM
In May of 2006 I discovered a new attack vector (web+network transitive trust relationships) but I haven't disclosed it until now. I'm not even sure it still works with the primary website that had the vulnerability, because the last time I tested it was in November.
This is an attack vector that allows authentication bypass. I have run across this in Intranets/Extranets in the past - in addition to Internet websites. I'm not sure if it has a name, but it works in a very similar way that Berkeley r-services, NFS, NIS, AD, and other transitive trust relationships work.
Basically, if the HTTP server/app builds a trust relationship based on the source IP addresses of remote networks (and/or HTTP referrer tags) - this can be subverted easily. It could be that the firewall/DMZ supporting the HTTP server(s) supports this network policy. It could be a variety of things.
The primary thing I see in common is that the source IP must be in a certain range, such as one that belongs to a particular company or university that has subscribed to the web application as a service. I also see HTTP referrer tags being used as a secondary precautionary measure (so that the attack won't work through proxies as effectively).
I encountered this in May when using the Tor network to access http://safari.ora.com (redirects to http://safari.oreilly.com).
Basically, when firing up Tor and going to http://safari.ora.com (but not http://safari.oreilly.com), I was able to gain free access to the Safari library through ProQuest at the level of the university's access that I was proxying through Tor. I believe the difference in oreilly.com and ora.com was due to the aforementioned HTTP referrer checks, but I could be wrong.
In this case, I think that ProQuest has a network trust relationship to Safari over some sort of extranet, perhaps over IPSec or private-line. ProQuest is doing some sort of IP-based firewalling to permit or IP forward (or HTTP redirect) traffic destined to Safari to go through them. This could be a variety of things in networks, such as DNS or even host files.
This could also occur by O'Reilly's Safari network/servers redirecting to ProQuest, although this is less likely.
After a few conversations with friends (especially people I know that attend universities), it appears that many web application services allow this sort of free authentication when at the university (or through corporate licensing as well). One example we came up with was LexisNexis. But there are potentially hundreds of examples, all could be private databases that are accessed through web applications.
My theory is that many private (including financial/government) databases are accessible in this manner. Combined with JVM+Firefox IP grabbing, Javascript/HTML Intranet port-scanning, UDP hole punching (to access internal proxy servers), and large anonymizing networks such as Tor, JAP, and Six/Four... this could lead to some serious abuses of authentication/authorization to vast amounts of private information, especially identity and financial information.
Worse, over the Tor network - the traffic is very anonymized, leaving little direction to track down the source via logs. Covert channels could make this even more difficult to discern that an attack is even occurring.
Attackers would simply need to create a map of Network A connects to Network B connects to WebApp X connects to Database Y. It's a classic security through obscurity subversion. Even if there is an additional authentication step (e.g. a global user/pass), this can usually be discovered/disclosed as well. I have seen companies that have subscription access to web applications that access private databases - and they post the user/pass on an Intranet site that is available to everyone in that company. This used to be prolific with FTP and probably still is. But FTP servers aren't web applications.
I know that free access to Safari and LexisNexis may not excite you - but it probably doesn't excite the people who pay subscriptions to these services (or the companies that receive the payments). This may be all this ends up being, but I'd love to explore it more.
If you find a web+network (could be HTTP, SQL, XML, XPath, SOAP, JSON, etc) or even a network+network (e.g. FTP, DNS, LDAP, SNMP, CORBA, NFS, NIS, X.500, etc) transitive trust relationship post it here if you like.
I'd also be interested in finding out which webserver/webapp/databases are most interesting. The only list of databases I know about is available here: http://en.wikipedia.org/wiki/List_of_online_databases
Of the interesting, subscription-only based services listed, I found Dialog, Hoover's, InfoTrac, LawTel, and PayScale. Not a bad list so far!
Since I lack the database industry clue, if you know of a neat database that allows these types of transitive trust relationships (especially through HTTP), it would be interesting to hear about it here as well.
As a final point, I'm sure you are familiar with some of the other implications this provides. With a freely authenticated website, it is now possible to test that web application for vulnerabilities in parts of the application you may not normally have access to.
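A defender's illustration of the two access checks the post contrasts: source-range plus Referer (the pattern that a proxy or exit node inside the subscriber's range satisfies) beside a check that also requires a per-user session, with an audit hook for the requests the weak pattern would silently admit. This is an added example, not code from the original post or from any of the services named; the address block, portal host name and request fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed values (assumptions, not from the post): a subscriber's address
# block and the portal host the weak check expects to see in the Referer header.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_REFERER_HOST = "portal.example.edu"


@dataclass
class Request:
    peer_ip: str                        # TCP peer address as the server sees it
    headers: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # set only after a per-user login


def in_trusted_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def weak_access_check(req: Request) -> bool:
    """The pattern the post describes: peer address in a subscriber range plus a
    Referer header. Any host inside the range (a campus proxy, a Tor exit node)
    inherits the subscription, and the Referer is client-supplied."""
    referer_host = urlparse(req.headers.get("Referer", "")).hostname
    return in_trusted_range(req.peer_ip) and referer_host == TRUSTED_REFERER_HOST


def hardened_access_check(req: Request) -> bool:
    """Network origin only narrows who may reach the login page; a per-user
    session is what grants access, so a proxy inside the range is not enough."""
    return in_trusted_range(req.peer_ip) and req.session_user is not None


def audit_reason(req: Request) -> Optional[str]:
    """Detection hook: why a request deserves a log entry. None when clean."""
    if not in_trusted_range(req.peer_ip):
        return "peer outside subscriber range"
    if req.session_user is None:
        return "subscriber-range peer with no authenticated session"
    return None
```

Feeding `audit_reason` into the access log is the cheap win: it makes the "free authentication" traffic the post describes visible per request instead of blending into the subscriber's normal usage.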