3. Outline
• Review SSL/TLS weaknesses
• BEAST is not beast
• CRIME is not crime
– Compression
– CRIME
• TIME is time
– CRIME+
10/22/2013 11:32 PM
www.securitybootcamp.vn
15. How can you become a victim of CRIME?
• 1st requirement: the attacker can sniff your network traffic.
– You share a (W)LAN.
– He's hacked your home router.
– He's your network admin, ISP or government.
https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_0_165
16. How can you become a victim of CRIME?
• 2nd requirement: you visit evil.com.
– You click on a link.
– Or you surf a non-HTTPS site.
https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1e3070b2_1_21
20. TIME
• Timing Info-leak Made Easy
• Chosen Plaintext Attack
• Targets compression and timing information leakage
21. • HTTP request
– CRIME for request to extract cookie data
• HTTP response
– Extended CRIME to extract response data
– Access a resource behind authentication to detect the user's login status
– Application specific: e.g. number of digits in a bank account balance
22. HTTP payload
• HTTP payload size may carry sensitive information
– Detecting HTTP payload size differences is sufficient to extract the sensitive information
• Using timing measurements the attacker can distinguish HTTP payload size differences
• These timing measurements can be done with JavaScript on the attacker's site
23. XHR POC
• Create HTTP request with XHR
– XHR adheres to SOP
• Allows GET requests to flow
– If headers allow, show the response
– If not, abort
• We don't care about the response
– Timing leaks the request size
• Use getTime() on XHR events
– onreadystatechange
• Noise elimination
– Repeat the process (say 10 times) and obtain Minimal time
24. • HTML with JavaScript, sending method is XHR
• Sends one byte diff requests alternately 10 times
– The longer request crosses the send window boundary
– The shorter is exactly within
• Measures requests time
• Outputs length and time
• Outputs the minimal timing values for both request lengths
33. • HTTP request with IMG src
– It is not an image? Don't worry
– X-Frame-Options? Don’t worry
• Use getTime() on img events
– onLoad
– onreadystatechange (IE)
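As an added, defender-side illustration (not code from these slides), the following Python scans constructed access-log lines for the server-visible trace of the XHR and IMG probes described above: one client alternating two request sizes that differ by exactly one byte, sent repeatedly (slide 24's "one byte diff requests alternately 10 times"). The log layout, the run threshold and the sample lines are assumptions.

```python
"""Heuristic detector for TIME-style size probing (added example, not code
from the slides). It flags a client that sends a long run of requests to one
path whose sizes alternate between two values one byte apart. Log layout,
the min_run threshold and the sample log are assumptions made for the demo."""
import re
from collections import defaultdict

# Assumed log layout: <client_ip> <referer> <method> <path> <request_bytes>
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<referer>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<size>\d+)$")

# Constructed sample: a browser that visited evil.com probes /account with
# request sizes 812/813 alternately; the remaining lines are ordinary traffic.
SAMPLE_LOG = [f"10.0.0.7 http://evil.com/ GET /account {812 + i % 2}" for i in range(10)] + [
    "10.0.0.9 - GET /index 420",
    "10.0.0.9 - GET /index 420",
    "10.0.0.5 - POST /upload 500",
    "10.0.0.5 - POST /upload 501",
    "10.0.0.5 - POST /upload 502",  # steadily growing sizes are not an alternating run
]


def alternating_run(sizes):
    """Longest run of consecutive sizes that flip between two values 1 byte apart."""
    best = run = min(len(sizes), 1)
    for i in range(1, len(sizes)):
        one_byte_step = abs(sizes[i] - sizes[i - 1]) == 1
        flips_back = run < 2 or sizes[i] == sizes[i - 2]  # a,b,a,b... not a,b,c
        run = run + 1 if one_byte_step and flips_back else 1
        best = max(best, run)
    return best


def find_size_probing(lines, min_run=8):
    """Return (client, referer, path, run_length) for each group reaching min_run."""
    groups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # unparsable lines are skipped rather than counted as evidence
            groups[(m["client"], m["referer"], m["path"])].append(int(m["size"]))
    return [(c, r, p, n) for (c, r, p), sizes in groups.items()
            if (n := alternating_run(sizes)) >= min_run]


if __name__ == "__main__":
    for client, referer, path, n in find_size_probing(SAMPLE_LOG):
        print(f"size probing: {client} via {referer} -> {path}, run of {n}")
```

Only the request size is visible server-side; the minimum-of-N timing the PoC computes happens in the victim's browser and leaves no trace in logs, so the alternating-size run is the signal to key on.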
38. MITIGATIONS
• X-Frame-Options
– Browsers should support and respect the "X-Frame-Options" header for all content inclusion (not just IFRAME);