Web Application Social Engineering
Vulnerabilities

Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services
Agenda

1. Overview
2. Homograph Attacks
3. Web Application Vulnerabilities
4. Demonstration

Presentation Overview
• This presentation will demonstrate some attacks that can be
  used to target users and administrators of web applications.


• You will learn techniques attackers use to steal money and
  sensitive data while going undetected.




Domain Spoofing
    Homograph Attacks


Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our
  attacks more convincing




Internationalized Domain Names (IDN)
• http://例子.测试
• http://παράδειγμα.δοκιμή
• http://пример.испытание




The problem is, this is also an Internationalized Domain Name:

miсrоsоft.com

This is not:

microsoft.com



When Homographs Attack




Homograph Attacks – A Brief History
 2002 – Paper by Gabrilovich and Gontmakher
 • Revealed that it was possible to register a domain containing
   non-Latin characters which would appear indistinguishable from
   a legitimate domain name.


 microsoft.com (authentic)


 miсrоsоft.com (Russian letters ‘c’ and ‘o’)
 • с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
 • о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)

http://www.cs.technion.ac.il/~gabr/papers/homograph.html

Web Browsers Were Fixed.. Kinda
 2005 – Shmoo Group revisits homograph attacks
 • Found that homograph attack prevention in browsers was
   applied inconsistently and spoofing issues could be exploited in
   Firefox, Safari, and Opera


 www.paypal.com (the real site)
 • a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)


 www.pаypal.com (Shmoo’s site)
 • а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)

http://www.shmoo.com/idn/homograph.txt

Still not fixed
 2009 – Chris Weber discloses IDN spoofing issue with Safari




https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733

Today
 • All popular browsers implement their own policies for how
   IDNs should be displayed in the address bar
 • If a Unicode IDN doesn’t pass the browser’s policy for display, it
   is shown in Punycode (the xn-- form), which should raise suspicion
 • Safari and mobile Safari have more permissive rules than
   Chrome, Firefox and Internet Explorer (the 2011 versions compared on the next slide)




http://www.idnnews.com/?p=8760

These are all the same domain

[Screenshots of one IDN as rendered in each address bar: Chrome 14.0 (Windows), Firefox 7.0 (Windows), Internet Explorer 9.0 (Windows), Android 2.2, Safari 5.1 (Windows), Safari 5.0.2 (iPhone), Opera Mini 6.0 (iPhone)]

Safari’s IDN Handling Policy
 • There is a white list file containing permitted IDN character sets
   (Unicode scripts). It is up to the user to maintain the list
 • Mac OS X: /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
 • Windows: C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt




http://support.apple.com/kb/TA22996

Safari’s White List
# Default Web Kit International Domain Name Script White List.

Common
Inherited

Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi



Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari




My first attempt

 • sỵmantec.com
 • xn--smantec-h64c.com (Punycode)
 • ỵ = U+1EF5 “LATIN SMALL LETTER Y WITH DOT BELOW”




Somewhat Convincing Spoof in both Punycode and
Native Character Formats

 • xn--microsoft-msft.com (Punycode)
 • micro̦so̤ft.com (the two o’s carry combining marks below; that is what the
   Punycode suffix “msft” decodes to)
 • Instead of gibberish in the Punycode format, the text “msft” is used
   (stock symbol for Microsoft)
 • If the victim opens the URL in a browser that shows Punycode, they
   will see xn--microsoft-msft.com; otherwise they will see micro̦so̤ft.com




Hmm.. This is interesting

 • sy̲mantec.com
 • xn--symantec-rcf.com (Punycode)
 • The y is followed by U+0332 “COMBINING LOW LINE”
 • Safari in Windows 7: the underline doesn’t display, so the address bar
   reads exactly like symantec.com

      Achievement unlocked!



A fix?
Removing “Latin” from the Safari IDN white list causes the spoofed
Latin-script names above (sỵmantec.com, sy̲mantec.com) to be displayed in
Punycode instead of native characters. The cost is that every legitimate
Latin-script IDN (accented European names, for example) is shown as
Punycode as well.




IDN Spoofing on iOS Devices
The following Unicode characters were not displayable on iOS devices at
the time of this (2011) presentation, but can be registered within an IDN:

夆   U+5906
悞   U+609E
暵   U+66B5
煒   U+7152
譿   U+8B7F
驊   U+9A4A

Bonus: They are allowed by Safari’s default white list (Han), so Mobile
Safari renders the name natively rather than falling back to Punycode

iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)

[Screenshots: the address bar as shown by Mobile Safari and by Opera Mini]
Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of
  ketchup with an iPhone.




We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• Only 夆夆.com (xn--rrsa.com) has to be registered; the 夆 labels are
  subdomains under it, and each one renders as nothing on a device that
  cannot draw the glyph




iOS Fix?
• Apple provides a mechanism for preventing native IDN display
  with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait




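The deck shows the spoofed names and their Punycode forms but never shows how a script-whitelist policy like Safari's decides between native and Punycode display, or how the same names look to a stricter check. The following is an added example (mine, not the deck's or Apple's code) covering the IDN, whitelist, Latin-diacritic, combining-mark and Han-character slides above. It uses only the Python standard library: the built-in idna codec (IDNA2003 with RFC 3492 Punycode, the rules current when the deck was written) and unicodedata. The whitelist is copied from the IDNScriptWhiteList.txt slide; script_of() is a name-based approximation of the Unicode Script property, and the Cyrillic lookalike table and brand list are small assumptions standing in for the full UTS #39 confusables data.

```python
"""Homograph and IDN display checks for the hostnames shown in this deck.

Added example, not the deck's own tooling. Standard library only: the
built-in 'idna' codec (IDNA2003 with RFC 3492 Punycode) and unicodedata.
"""
import unicodedata

# Safari's default IDNScriptWhiteList.txt, as listed on the slide above.
SAFARI_WHITELIST = {
    "Common", "Inherited", "Arabic", "Armenian", "Bopomofo",
    "Canadian_Aboriginal", "Devanagari", "Deseret", "Gujarati", "Gurmukhi",
    "Hangul", "Han", "Hebrew", "Hiragana", "Katakana_Or_Hiragana", "Katakana",
    "Latin", "Tamil", "Thai", "Yi",
}

# Assumption: a handful of Cyrillic letters that render like Latin ones. A real
# filter would load the full UTS #39 confusables table instead.
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
})

# Assumption: the brands a filter protects; the deck spoofs these four.
PROTECTED_BRANDS = ("microsoft", "paypal", "symantec", "apple")


def script_of(ch: str) -> str:
    """Approximate the Unicode Script property from the character name
    (the stdlib exposes no Script property). Combining marks are 'Inherited',
    ASCII digits, hyphen and dot are 'Common', CJK ideographs are 'Han'."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    if unicodedata.category(ch).startswith("M"):
        return "Inherited"
    first_word = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "Han" if first_word == "CJK" else first_word.title()


def to_ascii(host: str) -> str:
    """Unicode hostname -> Punycode A-labels, the form DNS actually sees."""
    return host.encode("idna").decode("ascii")


def safari_display(host: str) -> str:
    """The whitelist policy as the deck describes it: show native characters
    when every script in the name is whitelisted, otherwise show Punycode."""
    scripts = {script_of(c) for c in host}
    return host if scripts <= SAFARI_WHITELIST else to_ascii(host)


def skeleton(label: str) -> str:
    """What the label looks like: strip diacritics and combining marks, then
    fold known Cyrillic lookalikes (a cut-down UTS #39 skeleton)."""
    decomposed = unicodedata.normalize("NFKD", label)
    bare = "".join(c for c in decomposed
                   if not unicodedata.category(c).startswith("M"))
    return bare.translate(CYRILLIC_LOOKALIKES)


def findings(host: str, brands=PROTECTED_BRANDS) -> list:
    """Per-label checks a stricter browser policy or a phishing filter would
    apply. Pure-ASCII labels are left alone."""
    out = []
    for label in host.split("."):
        if label.isascii():
            continue
        scripts = {script_of(c) for c in label} - {"Common", "Inherited"}
        if len(scripts) > 1:
            out.append(f"{label}: mixed scripts {sorted(scripts)}")
        if any(unicodedata.category(c).startswith("M") for c in label):
            out.append(f"{label}: combining mark")
        if skeleton(label) in brands:
            out.append(f"{label}: looks like {skeleton(label)}")
    return out


if __name__ == "__main__":
    for host in ("mi\u0441r\u043es\u043eft.com",      # Cyrillic es and o (slide 9)
                 "www.p\u0430ypal.com",               # Cyrillic a (slide 10)
                 "s\u1ef5mantec.com",                 # y with dot below (slide 17)
                 "sy\u0332mantec.com",                # combining low line (slide 19)
                 "www.apple\u5906.com",               # Han char iOS could not draw (slide 22)
                 "\u5906.\u5906\u5906.com"):          # the one-domain trick (slide 24)
        print(f"{host:24} dns={to_ascii(host):30} safari={safari_display(host)}")
        for f in findings(host):
            print("    ", f)
```

to_ascii() reproduces the Punycode forms on the slides (xn--apple-c94i, xn--pypal-4ve, xn--smantec-h64c, xn--rrs and xn--rrsa). safari_display() shows why the deck's attacks avoid Cyrillic: it is not on the list, so miсrоsоft.com falls back to Punycode, whereas Latin letters with diacritics, combining marks and Han ideographs all pass. findings() is the check a phishing filter or a stricter address-bar policy applies instead: more than one script in a single label, any combining mark, and a skeleton that collapses to a protected brand; it flags every name in the list while leaving microsoft.com alone.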
QR Codes
    Let me show you my QR codes


Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to
  attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)




american.xn--redcross-vr0o.com
american.redcross夆.com




Web Application Vulnerabilities
    Arbitrary URL Redirection


Arbitrary URL Redirection
 • A common web application vulnerability which can be used to
   coerce victims into clicking a malicious link
 • http://<target site>/redirect?url=http://<attacker’s site>
 • Because the host name in the URI is legitimate, it should pass
   the trust test
 • OWASP refers to this vulnerability as “Open redirect”
 • The difficulty in using this as an exploit is in hiding the true
   nature of the URL: that it’s directing you to somewhere bad




https://www.owasp.org/index.php/Open_redirect

URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
• Both the parameter name (redirect_to) and its value (http://evilhost.com)
  are percent-encoded, and a bogus fragment is appended so the link reads
  like an error report. The server decodes the query identically either
  way; only the human reading the link is fooled




URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)




URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• The 〳 after ourcompany.com is U+3033 (VERTICAL KANA REPEAT MARK UPPER
  HALF), a look-alike for a slash, so the host name only appears to end at
  .com; the percent-encoded tail decodes to a.xn--ourcompany-wr7r.com
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift




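The three redirect slides above show the evasions an open redirect invites (percent-encoded parameter names, look-alike IDN hosts, a fake slash) but not what a correct check looks like. The following is an added example of mine, not WordPress code (WordPress itself ships wp_safe_redirect() and the allowed_redirect_hosts filter for this job), that decodes redirect_to the way the server does and then validates the target against an allow-list in its Punycode (A-label) form, which is the form DNS resolves. The allow-list, the function names and the constructed sample link are assumptions for the demo; the payloads are the ones from the slides.

```python
"""Hardening a redirect_to parameter against the tricks shown in this section.

Added example, not WordPress's own code. ALLOWED_HOSTS and the helper names
are assumptions for the demo; the payload URLs are the ones from the slides.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"ourcompany.com", "www.ourcompany.com"}   # assumption

# Constructed sample: the percent-encoded link from the slide, as a browser sends it.
DECK_OBFUSCATED_LINK = (
    "http://ourcompany.com/wordpress/wp-login.php"
    "?%72%65%64%69%72%65%63%74%5F%74%6F="
    "%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D"
    "#501_Table_Integrity_Error_in_SQL_Notify_Administrator"
)


def extract_redirect_param(url: str, name: str = "redirect_to") -> Optional[str]:
    """Read the redirect parameter the way the server does. parse_qs
    percent-decodes keys as well as values, so %72%65%64... is plain
    'redirect_to' again: the encoding only fools the person reading the link.
    The fragment (#501_...) is client-side only and never reaches the server."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


def canonical_host(target: str) -> Optional[str]:
    """Host of an absolute URL in the Punycode (A-label) form the resolver
    will use, lower-cased; None if there is no host or it cannot be encoded.
    'ourcompanỵ.com' becomes an xn-- label, and the U+3033 look-alike slash
    in 'ourcompany.com〳error-a...' ends up inside an xn-- label too."""
    try:
        host = urlsplit(target).hostname   # drops userinfo ('ourcompany.com@evil') and port
        if not host:
            return None
        return host.encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return None


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only an absolute path on this site, or an http(s) URL whose
    canonical host is exactly one of ours. Everything else is rejected."""
    if not target or "\\" in target:            # browsers treat '\' like '/'; urlsplit does not
        return False
    try:
        parts = urlsplit(target)
    except ValueError:                           # malformed authority
        return False
    if not parts.scheme and not parts.netloc:    # '/wordpress/main'; '//evil' carries a netloc
        return target.startswith("/")
    if parts.scheme not in ("http", "https"):    # blocks javascript:, data:, ...
        return False
    host = canonical_host(target)
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    decoded = extract_redirect_param(DECK_OBFUSCATED_LINK)
    print("decoded redirect_to:", decoded, "->",
          "allowed" if is_safe_redirect(decoded) else "blocked")
    for t in ("/wordpress/main",
              "http://ourcompany.com/wordpress/main",
              "http://ourcompan\u1ef5.com/wordpress/main",
              "http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main",
              "http://ourcompany.com\u3033error-a.xn--ourcompany-wr7r.com/"):
        verdict = "allowed" if is_safe_redirect(t) else "blocked"
        print(f"{verdict:8} {t}  host={canonical_host(t)}")
```

Comparing the A-label form is what makes the check hold against the IDN slides: ourcompanỵ.com normalises to an xn-- host that is not on the list, and the "triple threat" target normalises to ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com, exactly the host the slide says the browser ends up at. A substring or prefix match on "ourcompany.com" would pass all three spoofed targets; an exact match on the canonical host passes none.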
Web Application Vulnerabilities
    Cross-Site Scripting


Cross-Site Scripting (XSS)




Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive
  information
Cool School:
• Compromise a fully patched and secured host




BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone




BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting
  vulnerability
• BeEF is a good resource to demonstrate bad things you can do
  with JavaScript
• Useful as a proof of concept tool




Social Engineering Toolkit



Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched,
  fully protected host
• The Java Applet web attack vector will get through just about
  anything
• Set up a SET listener on an external host
• Send the victim a URL redirect, or put the link on Twitter or Facebook
• Use with XSS




Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects the user to the WordPress login and steals
  credentials with a keystroke logger
• The WordPress site then redirects to the SET Java applet page
• The SET host has an IDN hostname
• The Windows 7 host is compromised




Tools Used




Thank you!
    matt_cooley@symantec.com

    http://www.symantec.com/connect/symantec-blogs/the-security-advisor


    Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
    the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
    are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Web Application Social Engineering Vulnerabilities                                                                                                                                          44

More Related Content

What's hot

Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applications
Mehrdad Jingoism
 

What's hot (9)

Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Security News bytes October 2013
Security News bytes  October 2013Security News bytes  October 2013
Security News bytes October 2013
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Report on Mobile security
Report  on Mobile securityReport  on Mobile security
Report on Mobile security
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applications
 

Viewers also liked

AFWA_Monarch_Report_Oct_23_2015
AFWA_Monarch_Report_Oct_23_2015AFWA_Monarch_Report_Oct_23_2015
AFWA_Monarch_Report_Oct_23_2015
Jonathan Mawdsley
 
La Marca del Jaguar
La Marca del JaguarLa Marca del Jaguar
La Marca del Jaguar
viktor76gdl
 
PUPILETRA
PUPILETRAPUPILETRA
PUPILETRA
Misho26
 
5 congress brochure
5 congress brochure5 congress brochure
5 congress brochure
Head and Neck Cancer Alliance
 

Viewers also liked (20)

97 2003 калашникова самопрезентация
97 2003 калашникова самопрезентация97 2003 калашникова самопрезентация
97 2003 калашникова самопрезентация
 
En el jardín
En el jardínEn el jardín
En el jardín
 
Grupo 2 fabricacion de azucar
Grupo 2 fabricacion de azucarGrupo 2 fabricacion de azucar
Grupo 2 fabricacion de azucar
 
AFWA_Monarch_Report_Oct_23_2015
AFWA_Monarch_Report_Oct_23_2015AFWA_Monarch_Report_Oct_23_2015
AFWA_Monarch_Report_Oct_23_2015
 
Profundizado07 gr2
Profundizado07 gr2Profundizado07 gr2
Profundizado07 gr2
 
La Marca del Jaguar
La Marca del JaguarLa Marca del Jaguar
La Marca del Jaguar
 
PUPILETRA
PUPILETRAPUPILETRA
PUPILETRA
 
mortgage
mortgagemortgage
mortgage
 
Penelitian
PenelitianPenelitian
Penelitian
 
Notas sin-palabras-36
Notas sin-palabras-36Notas sin-palabras-36
Notas sin-palabras-36
 
Jornal a4 n2
Jornal a4 n2Jornal a4 n2
Jornal a4 n2
 
The Deer Family
The Deer FamilyThe Deer Family
The Deer Family
 
Presentasi ipba 2
Presentasi ipba 2Presentasi ipba 2
Presentasi ipba 2
 
Operational Plan (Kaki Travel)
Operational Plan (Kaki Travel)Operational Plan (Kaki Travel)
Operational Plan (Kaki Travel)
 
Consejos Sobre Desarrollo Y Liderazgo
Consejos Sobre Desarrollo Y LiderazgoConsejos Sobre Desarrollo Y Liderazgo
Consejos Sobre Desarrollo Y Liderazgo
 
Manualbpm1
Manualbpm1Manualbpm1
Manualbpm1
 
5 congress brochure
5 congress brochure5 congress brochure
5 congress brochure
 
Urea azufre-melaza
Urea azufre-melazaUrea azufre-melaza
Urea azufre-melaza
 
June 2016 the woodlands tx market report
June 2016 the woodlands tx market reportJune 2016 the woodlands tx market report
June 2016 the woodlands tx market report
 
Presentacion Herramientas Gerenciales Equipo 2
Presentacion Herramientas Gerenciales Equipo 2Presentacion Herramientas Gerenciales Equipo 2
Presentacion Herramientas Gerenciales Equipo 2
 

Similar to Web Application Social Engineering Vulnerabilities

Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5   moosecon - robert virkus - 2013-03-07Ugly truths about html5   moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Enough Software
 
Web 2.0 Presentation
Web 2.0 PresentationWeb 2.0 Presentation
Web 2.0 Presentation
xia_bofa
 
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
CODE BLUE
 
Mobile Dev For Web Devs
Mobile Dev For Web DevsMobile Dev For Web Devs
Mobile Dev For Web Devs
Justin James
 
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There TodayHTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
davyjones
 

Similar to Web Application Social Engineering Vulnerabilities (20)

Web application security
Web application securityWeb application security
Web application security
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5   moosecon - robert virkus - 2013-03-07Ugly truths about html5   moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
Web 2.0 Presentation
Web 2.0 PresentationWeb 2.0 Presentation
Web 2.0 Presentation
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
SecTor '09 - When Web 2.0 Attacks!
SecTor '09 - When Web 2.0 Attacks!SecTor '09 - When Web 2.0 Attacks!
SecTor '09 - When Web 2.0 Attacks!
 
Challenges EPs Face Going Mobile
Challenges EPs Face Going MobileChallenges EPs Face Going Mobile
Challenges EPs Face Going Mobile
 
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
 
Siruna session at Drupalcon Paris 2009
Siruna session at Drupalcon Paris 2009Siruna session at Drupalcon Paris 2009
Siruna session at Drupalcon Paris 2009
 
CS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityCS155 Computer Security at Stanford University
CS155 Computer Security at Stanford University
 
Drupalcamp New York 2009
Drupalcamp New York 2009Drupalcamp New York 2009
Drupalcamp New York 2009
 
Mobile Dev For Web Devs
Mobile Dev For Web DevsMobile Dev For Web Devs
Mobile Dev For Web Devs
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
 
Outsmarting the Smart City
Outsmarting the Smart CityOutsmarting the Smart City
Outsmarting the Smart City
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
 
Começando com Android
Começando com AndroidComeçando com Android
Começando com Android
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There TodayHTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Web Application Social Engineering Vulnerabilities

  • 1. Web Application Social Engineering Vulnerabilities Matt Cooley Lead Security Advisory Analyst Symantec Security Strategy & Advisory Services
  • 2. Agenda 1 Overview 2 Homograph Attacks 3 Web Application Vulnerabilities 4 Demonstration Web Application Social Engineering Vulnerabilities 2
  • 3. Presentation Overview • This presentation will demonstrate some attacks that can be used to target users and administrators of web applications. • You will learn techniques attackers use to steal money and sensitive data while going undetected. Web Application Social Engineering Vulnerabilities 3
  • 4. Domain Spoofing Homograph Attacks Web Application Social Engineering Vulnerabilities 4
  • 5. Domain Name Spoofing • Wait, that’s not a web application vulnerability • No, but it’s a tool in our toolbox which we will use to make our attacks more convincing Web Application Social Engineering Vulnerabilities 5
  • 6. Internationalized Domain Names (IDN) http http://例子.测试 http://παράδειγμα.δοκιμή http://пример.испытание http Web Application Social Engineering Vulnerabilities 6
  • 7. The problem is, this is also an Internationalized Domain Name: miсrоsоft.com This is not: microsoft.com Web Application Social Engineering Vulnerabilities 7
  • 8. When Homographs Attack Web Application Social Engineering Vulnerabilities 8
  • 9. Homograph Attacks – A Brief History 2002 – Paper by Gabrilovich and Gontmakher • Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name. microsoft.com (authentic) miсrоsоft.com (Russian letters ‘c’ and ‘o’) • с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441) • о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E) http://www.cs.technion.ac.il/~gabr/papers/homograph.html Web Application Social Engineering Vulnerabilities 9
  • 10. Web Browsers Were Fixed.. Kinda 2005 – Shmoo Group revisits homograph attacks • Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera www.paypal.com (the real site) • a = Unicode Character 'LATIN SMALL LETTER A' (U+0061) www.pаypal.com (Shmoo’s site) • а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430) http://www.shmoo.com/idn/homograph.txt Web Application Social Engineering Vulnerabilities 10
  • 11. Still not fixed 2009 – Chris Weber discloses IDN spoofing issue with Safari https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf http://support.apple.com/kb/ht3733 Web Application Social Engineering Vulnerabilities 11
  • 12. Today • All popular browsers implement their own policies for how IDN’s should be displayed in the address bar • If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode – should raise suspicion • Safari and mobile Safari have more permissive rules than Chrome, Firefox, Internet Explorer http://www.idnnews.com/?p=8760 Web Application Social Engineering Vulnerabilities 12
  • 13. These are all the same domain Chrome 14.0 Windows Firefox 7.0 Windows Internet Explorer 9.0 Windows Android 2.2 Safari 5.1 Windows Safari 5.0.2 iPhone Opera Mini 6.0 iPhone Web Application Social Engineering Vulnerabilities 13
  • 14. Safari’s IDN Handling Policy • There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list • /System/Library/Frameworks/WebKit.framework/Versions/A/R esources/IDNScriptWhiteList.txt • C:Program FilesSafariSafari.resourcesIDNScriptWhiteList.txt http://support.apple.com/kb/TA22996 Web Application Social Engineering Vulnerabilities 14
  • 15. Safari’s White List # Default Web Kit International Domain Name Script White List. Common Inherited Arabic Armenian Bopomofo Canadian_Aboriginal Devanagari Deseret Gujarati Gurmukhi Hangul Han Hebrew Hiragana Katakana_Or_Hiragana Katakana Latin Tamil Thai Yi Web Application Social Engineering Vulnerabilities 15
  • 16. Safari has the Weakest IDN Spoofing Protection Policy • So let’s attack Safari Web Application Social Engineering Vulnerabilities 16
  • 17. My first attempt • sỵmantec.com • xn--smantec-h64c.com (Punycode) • ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW” Web Application Social Engineering Vulnerabilities 17
  • 18. Somewhat Convincing Spoof in both Punycode and Native Character Formats • xn--microsoft-msft.com (Punycode) • micro̦so̤ft.com • Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft) • If the victim opens the URL in a browser that shows Punycode, they will see this: • Otherwise, they will see this: Web Application Social Engineering Vulnerabilities 18
  • 19. Hmm.. This is interesting • sy̲mantec.com • xn--symantec-rcf.com (Punycode) • Unicode 0x0332 “COMBINING LOW LINE” • Safari in Windows 7 - Underline doesn’t display: Achievement unlocked! Web Application Social Engineering Vulnerabilities 19
A fix?
• Removing "Latin" from the Safari IDN white list causes this: (native display) to become this: (Punycode display)
IDN Spoofing on iOS Devices
The following Unicode characters had no glyph on iOS devices at the time of writing (they render as nothing), but can be registered within an IDN:
• 夆 U+5906
• 悞 U+609E
• 暵 U+66B5
• 煒 U+7152
• 譿 U+8B7F
• 驊 U+9A4A
Bonus: they are allowed by Safari's default white list (script: Han)
iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)
• Mobile Safari: (screenshot)
• Opera Mini: (screenshot)
Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.
We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let's just remove "Han" from the white list file… oh wait (iOS exposes no such file to the user)
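The two display policies discussed on the preceding slides, applied to the deck's own hostnames. This is an added example, not code from the original presentation: it converts each name to the Punycode form the wire sees, then evaluates Safari's script white list (slide 15) next to the stricter per-label mixed-script rule other browsers use. The script classifier is a heuristic built on unicodedata character names, because the Python standard library has no Unicode Script property; an exact check would use ICU or the `regex` module. Function names are my own.

```python
import unicodedata

# Safari's default IDNScriptWhiteList.txt, copied from slide 15 of the deck.
SAFARI_SCRIPT_WHITELIST = {
    "Common", "Inherited", "Arabic", "Armenian", "Bopomofo", "Canadian_Aboriginal",
    "Devanagari", "Deseret", "Gujarati", "Gurmukhi", "Hangul", "Han", "Hebrew",
    "Hiragana", "Katakana_Or_Hiragana", "Katakana", "Latin", "Tamil", "Thai", "Yi",
}


def to_alabel(label):
    """Punycode one label (RFC 3492) and add the xn-- prefix; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_ascii(host):
    """The hostname as DNS sees it: every label in A-label form."""
    return ".".join(to_alabel(label) for label in host.split("."))


def script_of(ch):
    """Approximate Unicode script from the character name.
    Heuristic (assumption): the stdlib has no Script property, so we map the first
    word of the name; 'CJK' becomes 'Han', combining marks become 'Inherited'."""
    if unicodedata.combining(ch):
        return "Inherited"          # e.g. U+0332 COMBINING LOW LINE from slide 19
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"   # digits and '-' are script-neutral
    first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return {"CJK": "Han"}.get(first, first.capitalize())


def analyze(host):
    """Per-label facts that a display policy can act on."""
    scripts, mixed, combining = set(), False, False
    for label in host.split("."):
        label_scripts = {script_of(c) for c in label}
        scripts |= label_scripts
        # A label that mixes two real scripts (Latin + Han, Latin + Cyrillic) is suspicious.
        mixed = mixed or len(label_scripts - {"Common", "Inherited"}) > 1
        combining = combining or any(unicodedata.combining(c) for c in label)
    return {"ascii": to_ascii(host), "scripts": scripts,
            "mixed_script": mixed, "combining_marks": combining}


def safari_display(host):
    """Safari's rule: render natively if every script used is on the white list."""
    return "unicode" if analyze(host)["scripts"] <= SAFARI_SCRIPT_WHITELIST else "punycode"


def mixed_script_display(host):
    """Stricter rule: render natively only if no label mixes scripts and no combining marks appear."""
    facts = analyze(host)
    return "punycode" if facts["mixed_script"] or facts["combining_marks"] else "unicode"


if __name__ == "__main__":
    # The deck's examples (slides 10, 17, 19, 22), written with escapes so the lookalikes are explicit.
    for host in ["mi\u0441r\u043es\u043eft.com",   # Cyrillic es and o
                 "s\u1ef5mantec.com",               # y with dot below
                 "sy\u0332mantec.com",              # combining low line
                 "www.apple\u5906.com"]:            # invisible-on-iOS Han character
        print(f"{host:24} {to_ascii(host):32} safari={safari_display(host):8} "
              f"mixed-script={mixed_script_display(host)}")
```

The interesting row is sỵmantec.com: it is all-Latin, carries no combining mark, and passes both policies, which is why confusable detection (comparing the name against a list of known brands after skeletonising lookalike glyphs) is needed on top of script rules.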
QR Codes
• Let me show you my QR codes
Combining Homograph Attack with QR Codes
• Replace the legitimate QR code with a malicious QR code
• Victim scans the malicious QR code and the browser is redirected to the attacker's URL
• Attacker's server examines the User-Agent header
• If it is not a vulnerable device, forward the visitor to the legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)
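The User-Agent gate from the slide above, written out as an added example (not code from the deck) so a defender can see why fetching a QR code's target once, from a desktop browser, proves nothing: the server only serves the lure to the browsers that will render the homograph natively. The URLs, the sample User-Agent strings and the "vulnerable device" criterion (iOS Mobile Safari, per slides 21 and 22) are assumptions.

```python
import re

LEGIT_URL = "http://www.ketchup.example/promo"          # assumed: where the real QR code pointed
LURE_URL = "http://www.apple\u5906.com/account"         # assumed: 'apple' + U+5906, i.e. www.xn--apple-c94i.com

# iOS Safari advertises "CPU iPhone OS 4_3_3" (iPhone/iPod) or "CPU OS 4_3_3" (iPad).
IOS_UA = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*?CPU (?:iPhone )?OS (\d+)_(\d+)")


def ios_version(user_agent):
    """(major, minor) for an iOS WebKit user agent, or None for anything else."""
    m = IOS_UA.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_mobile_safari(user_agent):
    # Opera Mini on the iPhone renders pages on Opera's servers and shows Punycode (slide 22),
    # so it is not a useful target even though it runs on iOS.
    return "Mobile/" in user_agent and "Safari/" in user_agent and "Opera" not in user_agent


def choose_target(user_agent):
    """Server-side cloaking: lure only browsers that will display the homograph natively."""
    if ios_version(user_agent) and is_mobile_safari(user_agent):
        return LURE_URL
    return LEGIT_URL


# Constructed sample User-Agent strings for the browsers shown on slide 13.
IPHONE_SAFARI_UA = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) "
                    "AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5")
OPERA_MINI_UA = "Opera/9.80 (iPhone; Opera Mini/6.0.0/25.3.1; U; en) Presto/2.8.119 Version/11.10"
CHROME_WIN_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"

if __name__ == "__main__":
    for ua in (IPHONE_SAFARI_UA, OPERA_MINI_UA, CHROME_WIN_UA):
        print(ua.split(" ")[1][:12], "->", choose_target(ua))
```

When you check where a QR code leads, fetch it with several User-Agent strings (or from the device class the code is aimed at) and diff the responses; a target that changes with the User-Agent is the signature of this technique.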
Web Application Vulnerabilities
Arbitrary URL Redirection
Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker's site>
• Because the host name in the link is the legitimate site, the link passes a casual trust check
• OWASP refers to this vulnerability as "Open redirect"
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it is directing you somewhere bad
https://www.owasp.org/index.php/Open_redirect
URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator
• The server decodes the parameter name and value to exactly redirect_to=http://evilhost.com; the fragment is decoration that reads like an error reference
URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)
URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
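The redirect handling behind the last three slides, as an added example that is not code from the deck or from WordPress: the same `redirect_to` parameter read the way a vulnerable login page reads it, a substring "trust" check that the triple-threat URL is built to pass, and a hardened version that only honours site-relative paths or an exact A-label host match. `ourcompany.com` is the deck's placeholder; `ALLOWED_HOSTS`, the function names and the sample request URLs are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOSTS = {"ourcompany.com"}   # assumed allow list of exact hostnames


def requested_target(request_url):
    """What a naive login page sees: redirect_to pulled straight out of the query string.
    parse_qs percent-decodes parameter names as well as values, so the obfuscated
    form from slide 32 yields exactly the same target as the plain form."""
    query = urlsplit(request_url).query
    return parse_qs(query).get("redirect_to", ["/"])[0]


def naive_is_trusted(target):
    """The check the 'triple threat' URL is designed to pass: a substring test on the brand."""
    return "ourcompany.com" in target


def safe_redirect_target(request_url, allowed_hosts=ALLOWED_HOSTS):
    """Hardened version: site-relative paths are fine; absolute URLs must use http(s) and
    a host whose A-label form is on the allow list; everything else falls back to '/'."""
    target = requested_target(request_url)
    try:
        parts = urlsplit(target)
        if not parts.scheme and not parts.netloc:
            # Site-relative path: refuse scheme-relative '//host' and backslash variants.
            ok = target.startswith("/") and not target.startswith("//") and "\\" not in target
            return target if ok else "/"
        # Compare A-labels, not glyphs: ourcompanỵ.com becomes xn--ourcompan-... and fails.
        host = (parts.hostname or "").encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return "/"   # unparseable or un-encodable host: never redirect there
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return target
    return "/"


# Constructed request URLs following slides 32 to 34.
BASE = "http://ourcompany.com/wordpress/wp-login.php?"
PLAIN = BASE + "redirect_to=http://evilhost.com"
OBFUSCATED = (BASE + "%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D"
              "#501_Table_Integrity_Error_in_SQL_Notify_Administrator")
HOMOGRAPH = BASE + "redirect_to=http://ourcompan\u1ef5.com/wordpress/main"
SUBDOMAIN = BASE + "redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main"
TRIPLE = (BASE + "redirect_to=http://ourcompany.com\u3033error-"
          "%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error")
LEGIT = BASE + "redirect_to=/wordpress/main"

if __name__ == "__main__":
    for name, url in [("plain", PLAIN), ("obfuscated", OBFUSCATED), ("homograph", HOMOGRAPH),
                      ("subdomain", SUBDOMAIN), ("triple", TRIPLE), ("legit", LEGIT)]:
        target = requested_target(url)
        print(f"{name:10} naive_trusted={naive_is_trusted(target)!s:5} "
              f"safe -> {safe_redirect_target(url)}")
```

The substring check says "trusted" for the subdomain and triple-threat targets because both contain the literal `ourcompany.com`; the hardened check rejects every attacker-controlled case and keeps only the site-relative path and a genuine `http://ourcompany.com/...` target.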
Web Application Vulnerabilities
Cross-Site Scripting (XSS)
Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack the session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive information
Cool School:
• Compromise a fully patched and secured host
BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone
BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof-of-concept tool
Social Engineering Toolkit
Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector gets through just about anything, because it relies on the victim accepting the applet's security prompt rather than on an unpatched vulnerability
• Set up a SET listener on an external host
• Send the victim a URL redirect, or put the link on Twitter or Facebook
• Use with XSS
Mega Demo
• Leveraging everything we've learned
• Persistent XSS redirects the user to the WordPress login and steals credentials with a keystroke logger
• The WordPress site then redirects to the SET Java applet page
• The SET host has an IDN hostname
• A Windows 7 host is compromised
Tools Used
Thank you!
matt_cooley@symantec.com
http://www.symantec.com/connect/symantec-blogs/the-security-advisor
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.