Website Impersonation Attacks. Who is REALLY Behind That Mask?

Web-based Impersonation Attacks
Who’s REALLY Behind that Mask?
Jason Mortensen
IT Security Architect
Motorola Mobility LLC

© 2013 Jason Mortensen Attacking Web Authentication - Slide 2
 How can you be certain that the people using your web
applications are really the legitimate users?
Who’s REALLY Behind That Mask?
Source: Flickr, user SklathillSource: Flickr, user chrisjohnbeckett
It isn’t hard to impersonate other users to web
applications if authentication or session
management isn’t implemented correctly

 How web authentication and session management
works
 Attack techniques
 Attacking authentication
 Attacking session management
 Countermeasures
 Summary
Agenda

 HTTP is a “stateless” protocol. The server doesn’t
remember anything about you after each request.
 Challenge: How do you track user identity or other
details across multiple page requests?
 Solution: Authenticate users, then use session
information (usually cookies) to track unique users
How Web Authentication Works
Authentication:
Password provided,
cookie returned
Session Management:
Cookie used for rest of
session
1
2User
Username
Password1
2 Web Application
Welcome!

Authentication
Authentication vs. Session Management
Session Management
“Prove that you are who you say
you are”
Keeping track of a user’s activity
across multiple interactions with a
web application

works
 Countermeasures
 Summary
Agenda

 Authentication
 Password guessing
 Attacking password reset
 SQL injection authentication bypass
 Social engineering
 Keystroke loggers
 Network sniffing
 Session management
 Attacking session tokens
 Cookie stealing and replay
 Cross Site Request Forgery (CSRF)
 Clickjacking
 Session Fixation
Attack Techniques

Attacking
Authentication

 Passwords are the most common way to authenticate
to web applications
 Weak passwords are a classic way that web
applications are compromised
Password Guessing
Most Popular Passwords of 2012 (According to research by SplashData)
password
123456
12345678
abc123
qwerty
monkey
letmein
dragon
111111
baseball
iloveyou
trustno1
1234567
sunshine
master
123123
welcome
shadow
ashley
football
jesus
michael
ninja
mustang
password1

 Tools are readily available to automate web password
guessing
 Examples: Hydra, Brutus, and Webcracker
 Word lists are available for foreign languages, terms
related to sports, movies, occupations, hobbies, etc.
Password Guessing
Types of password guessing:
Vertical
One username,
guessing many
passwords
Horizontal
One password,
guessing with
many usernames
Diagonal
Many
usernames,
guessing with
many passwords

 Many web sites allow you to reset a password by
answering a “secret question”
 Essentially a backup password that is usually much
weaker than the real password
 The answers to secret questions are often easy to
guess or determine
 Some answers can be found using social
media sites such as Facebook
 1 in 80 chance of guessing answer according to one
study (Bonneau, Joseph et. al., 2010)
Attacking Password Reset

Question Range of answers
What is the name
of your favorite
pet?
The top 20 dog names are Max, Buddy, Molly, Bailey, Maggie, Lucy, Jake, Rocky,
Sadie, Lucky, Daisy, Jack, Sam, Shadow, Bear, Buster, Lady, Ginger, Abby, and
Toby.
What is your
mother’s maiden
name?
There are approximately 25,000 common surnames; one in 10 U.S. citizens have
the surname Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore,
Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia,
Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, or Young.
What street did you
grow up on?
The 15 most common street names are Second/2nd, Third/3rd, First/1st,
Fourth/4th, Park, Fifth/5th, Main, Sixth/6th, Oak, Seventh/7th, Pine, Maple, Cedar,
Eighth/8th, and Elm.
What was the make
of your first car?
Most cars are built by Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler,
Daewoo, Dodge, Ford, GMC, Honda, Hummer, Hyundai, Infiniti, Isuzu, Jaguar,
Jeep, Kia, Land Rover, Lexus, Lincoln, Mazda, Mercedes-Benz, Mercury,
Mitsubishi, Nissan, Oldsmobile, Plymouth, Pontiac, Porsche, Saab, Saturn,
Subaru, Suzuki, Toyota, Volkswagen, or Volvo.
What is your
favorite color?
There are around 100 common colors, even considering colors such as taupe,
gainsboro, and fuschia.
Source: Syngress.com, “Using Secret Questions”

 George Bronk Example
 Cyberstalking - 46 women across
17 states
 Used information posted to
Facebook to answer password
reset questions
 Broke into email accounts, then
searched for nude and semi-nude
photos.
 Distributed nude photos to the
victim’s contact list.

 Sarah Palin 2008 Email Hack Example
 Personal Yahoo! email account
compromised during 2008
presidential campaign
 Password reset questions were
based on biographical data readily
available on the Internet
 Birthdate
 Home zip code
 Where she met husband (high
school)
Source: Flickr user Brett Beanan; bbeanan

 SQL Injection occurs when an attacker
passes database instructions in
parameters that are used in database
queries made by the application
SQL Injection Authentication Bypass
 SQL Injection can be used to bypass authentication
 A popular method for bypassing authentication is to
enter the following in a login field:
‘ or 1=1--

SQL Injection Authentication Bypass
Database
Web
Application
Attacker
Attacker injects SQL
statement into login form
Application builds SQL
query with user input
SELECT Count(*) FROM users
WHERE username='admin'
AND password='' or 1=1--'"
1 2
Database returns “true”
since 1=1 is evaluated for
the password condition.
The attacker is
authenticated as admin.
3

Other Authentication Attacks
 Social Engineering
 Trick people into divulging
confidential information
 Keystroke Loggers
 Software or hardware that watches
everything you type (esp. passwords)
 Example: Student from Bucks College that changed grades
 Network Sniffing
 Eavesdrop on network traffic to
steal passwords or session cookies
Source: celalteber;
stock.xchng
Source: Flickr user Lars P.

Attacking
Session Management

 After a user authenticates, session tokens identify the
user in subsequent page requests
 Session information is stored in cookies, URLs, or in
hidden HTML form elements
 Usually a random identifier, but some web sites store
other details about the user
Attacking Session Tokens
Cookies
URL
Hidden Field
http://www.example.com/en/mk?sessid=83958147
<input type=“hidden” name=“username”
value=“jrholland”>
Set-Cookie: userid=20459; path=/;
Expires=Sun, 08-Feb-2015 01:54:39 GMT

 Attackers can modify session tokens in cookies, URLs,
and hidden fields
 Session IDs may be predictable or guessable
 Session IDs that aren’t predictable may still be guessed
by brute force guessing the entire key space
 Account lockout mechanisms are not triggered by brute
force guessing session IDs
 End result is always the same = Impersonate the
legitimate user and hijack their session

 Example
 You log into an application several times and are
assigned the following session IDs
Set-Cookie: unique_id=296410995833; expires=Tuesday, 13-Aug-2013 09:50:35 GMT; path=/portal
See the incrementing session ID values?
Not difficult to guess other valid session IDs.

 Example – Payroll system that
allows employees to view their
own pay information
 After logging in, the system
stored employee’s ID number
in a cookie
 Simply change ID number to
view another user’s payroll
information
 Cookie also included an
“admin=N” flag. Oops!
Information Exposed
 Full name
 Social Security Number
 Home address
 Salary
 Bonus payouts
 Bank account information
 Number of tax
exemptions

 Cookies can be stolen in several ways, including cross
site scripting, network sniffing, or harvesting from other
web sites (on a shared domain or corporate network)
 Once stolen, the attacker replays the cookie to
impersonate the legitimate user
Cookie Stealing and Replay
 Encrypted cookies don’t stop
an attack… the attacker just
needs to replay the “blob”

Cookie Stealing and Replay
Victim
Cross Site Scripting (XSS)
Attacker
http://
Attacker sends victim a URL
with a malicious script
embedded
Victim clicks URL. Malicious
script runs in the victim’s
browser.
http://
Victim’s
Cookie
Script tells victim’s browser to quietly
send the attacker a copy of cookie
XSS Vulnerable
Site
Victim’s
Cookie
XSS Vulnerable
Site
Welcome!
Attacker replays the victim’s cookie
and is able to impersonate the victim
Steal
Cookie
Replay
Cookie

 Vulnerability that forces victims to execute unwanted
actions on a web application
 Leverages the victim’s authentication to perform
actions
 Browser takes action “in the background”, usually
without the user’s knowledge that an attack
occurred
 The target of the attack is other users, not the
vulnerable web application itself
Cross Site Request Forgery (CSRF)

 Samy – MySpace Worm (CSRF + XSS)
 Posted Javascript code in MySpace profile – Executed each
time someone viewed the profile
 Code designed to add Samy as a friend, then replicate the
Javascript
 Over 1 million “friends” within 24 hours
 Corporate document sharing web site (CSRF + XSS)
 Submit Javascript in description field when uploading document
 Victim’s browser instructed to grant permissions to the attacker
 Attack ran silently in the background with no user interaction
Cross Site Request Forgery - Examples

Other Session Related Attacks
 Clickjacking
 Uses transparent web page layers to trick
victim into clicking a button or link on
another page
 Session Fixation
 Allows attacker to set session ID that is
then used by victim
Attacker determines that
example.com is
vulnerable.
Attacker sends the
victim a link containing
a fixed session ID.
http://example.com/
?SID=23456
Victim clicks the link, then
logs in as normal. The app
uses the fixed session ID.
Attacker can use the fixed
session ID to impersonate
the victim.
http://example.com/
?SID=23456
Welcome!
Session Fixation
Clickjacking

works
 Countermeasures
 Summary
Agenda

Countermeasures

 Use stronger-than-password authentication
 Examples include digital certificates, one time password systems,
or using text messaging to send the user a one time login code
 Implement strong session management practices
 Session IDs must be unique and non-predictable
 Use short session timeouts; 30 minutes or less is standard
 Implement a logout function that cancels the session
 Configure cookies to use the Secure and HttpOnly flags
 Implement secure programming practices
 Validate all input for type, length, acceptable values, and encode
all output
 Use stored procedures instead of building SQL strings in code
 Implement secure password reset functions
 Use the OWASP Developer Guide from owasp.org
Key Countermeasures

 Take action after a series of failed login attempts
 Lock accounts after X failed attempts
 Slow down login attempts instead, such as requiring a
CAPTCHA for each subsequent password attempt
 Use SSL/TLS to encrypt network traffic
 Monitor audit logs
 Look for patterns that indicate repeated password or session
ID guessing
 Use “framebusting” techniques to prevent clickjacking
 Educate users about phishing, social engineering
Other Countermeasures

Countermeasure Warnings
Stronger-than-password
Authentication
Doesn’t address session management attacks, and can lead to a
false sense of security
Strong Session Management Use built-in session management mechanisms, as custom session
management routines can be difficult to implement securely
Secure Programming Practices Security needs to be built into all phases of the software
development lifecycle
Take Action After X Failed
Logins
Attackers can create a denial-of-service by intentionally causing
user accounts to become locked
SSL/TLS Network Encryption Encrypt the entire session to protect authentication (password)
AND session tokens (cookies)
Monitor Audit Logs Review audit logs regularly in order to be familiar with normal
usage patterns
Framebusting Techniques Not all framebusting techniques are reliable; see
https://www.owasp.org/index.php/Clickjacking for
recommendations
Educate Users Users will often be the weakest link in any security program
Countermeasure Warning

Countermeasures Summary
Stronger-than-password Authentication X X X X X
Strong Session Management X X
Secure Programming Practices X X X X X
Take Action After X Failed Logins X
SSL/TLS Network Encryption X
Monitor Audit Logs X X X
Framebusting Techniques X
Educate Users X
Password
Guessing
SQLInjectionAuth
Bypass
Keystroke
Loggers
Network
Sniffing
AttackingSession
Tokens
CookieStealing
andReplay
Social
Engineering
Countermeasures
Threats
Attacking
PasswordReset
CrossSiteRequest
Forgery
Clickjacking
SessionFixation
Authentication Session Management

works
 Countermeasures
 Summary
Agenda

 There are numerous ways to attack web authentication
and session management, but there are also ways to
mitigate the threat
 ALWAYS design security into the application from the
very beginning!
Summary

Questions?

Website Impersonation Attacks. Who is REALLY Behind That Mask?

Recommended

Recommended

More Related Content

Similar to Website Impersonation Attacks. Who is REALLY Behind That Mask?

Similar to Website Impersonation Attacks. Who is REALLY Behind That Mask? (20)

More from London School of Cyber Security

More from London School of Cyber Security (20)

Recently uploaded

Recently uploaded (20)

Website Impersonation Attacks. Who is REALLY Behind That Mask?