Stealing passwords via browser refresh
Browsers have the ability to maintain a recent record of pages that were visited by a user. The back and forward buttons on browsers use this functionality to display the pages recently browsed. In addition, browsers also keep track of variables that were POSTed to the server while fetching the page.

The refresh feature immensely increases the functionality of the browser and makes it convenient for users. Moreover, it is done transparently, so that users do not need to be aware that the variables are automatically posted to the server. All that a user has to do is to click on the “yes” button of a dialog box prompted by the browser before re-posting. This lets a user view the same pages that he had visited before.

Considering functionality, this is a very powerful feature, but it can also be used to capture important user credentials from a browser. Here the inherent feature of the browser to store POST variables is exploited to gain access to important user credentials.

We will also be discussing another variation of the attack. These attacks are very simple to execute and require a medium level of skill. For each variation of the attack we have proposed the solution used to address the issue.

Capturing the login credentials of a user by refreshing the post-login page

Let us consider a user making some online transactions on the Internet.

1. The user types in the URL of the site he wants to visit. In reply the page, say “login.asp”, is displayed. The web application uses a username and password as the user credentials. This page has form fields “Login ID” and “Password”, like what we have seen in many sites.

2. The user types his Login ID and password and submits the request to the server. On the server, authentication is done by an ASP script, say Myhome.asp, that presents the user with the first page after login, say Myhome.asp.

3. The user browses a number of intermediate pages on the site; say page2.asp, page3.asp, etc.

4. After the user has completed his transactions and finished browsing, he finally clicks on the “Sign Out” button. The logout page, say logout.asp, is invoked, which logs off the user. After logout.asp is displayed on the browser, assume the user leaves the machine without closing the browser window.

5. If a bad guy has access to the same machine as the user, he can see that a logout page is displayed in a browser window.

6. He clicks on the back button drop-down list and identifies the page immediately after login – here Myhome.asp. He clicks on the drop-down list entry corresponding to the Myhome.asp page and is shown the “Warning: Page has Expired” error page that we have seen many times.

7. At this point the bad guy starts a browser proxy and configures the browser to go through the proxy.

8. On the error page he clicks the refresh button. A pop-up warns the user that some of the variables are to be reposted in order for the page to be displayed and asks the user if he wants to continue or not. The bad guy clicks yes.

9. The bad guy views the request sent from the browser to the server in the browser proxy. He is able to see the username and password of the user. He now has complete knowledge of the user's credentials and hence complete control over the account.
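The root cause in the steps above is that the browser's history entry for the post-login page is the POST that carried the credentials, so refreshing that entry re-sends them. The following added example (not code from the original paper, whose proposed solution is not reproduced on this page) models the two server-side designs in Python with a constructed in-memory application: a `vulnerable_login` handler that renders the post-login page straight from the POST, and a `hardened_login` handler using the Post/Redirect/Get pattern, so the page the user lands on is a plain GET with a session cookie and a `Cache-Control: no-store` response. The user `alice`, the form field names and the `/Myhome.asp` path are assumptions chosen to match the description above.

```python
"""Post/Redirect/Get vs. rendering the post-login page from the POST itself.
Added example with a constructed in-memory app; not the ASP code from the
original paper.  The handlers return a Response instead of writing to a socket
so the history behaviour can be checked without a real browser."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed credential store and session table (hypothetical user "alice").
USERS = {"alice": "correct horse"}
SESSIONS: dict[str, str] = {}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _authenticate(form_body: str) -> str | None:
    """Return the user name if the posted LoginID/Password match, else None."""
    fields = parse_qs(form_body)
    user = fields.get("LoginID", [""])[0]
    password = fields.get("Password", [""])[0]
    # Plaintext comparison is for the demo only; real apps compare hashes.
    return user if USERS.get(user) == password else None


def vulnerable_login(method: str, body: str) -> Response:
    """Renders Myhome directly in the POST response.  The browser's history
    entry for that page is therefore a POST carrying LoginID and Password,
    and a later refresh of the entry re-sends them to the server."""
    if method != "POST":
        return Response(405)
    user = _authenticate(body)
    if user is None:
        return Response(401, body="bad credentials")
    return Response(200, body=f"Welcome {user}")


def hardened_login(method: str, body: str) -> Response:
    """Post/Redirect/Get: answer the POST with a 303 redirect and a session
    cookie, and mark the response non-storable.  The page the user ends up on
    is reached by GET, so refreshing it carries no credentials."""
    if method != "POST":
        return Response(405)
    user = _authenticate(body)
    if user is None:
        return Response(401, body="bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return Response(303, headers={
        "Location": "/Myhome.asp",
        "Set-Cookie": f"session={token}; HttpOnly; Secure; SameSite=Lax",
        "Cache-Control": "no-store",
    })


def hardened_myhome(method: str, cookies: dict) -> Response:
    """The post-login page itself only needs the session cookie, not the form."""
    if method != "GET":
        return Response(405)
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return Response(302, headers={"Location": "/login.asp"})
    return Response(200, headers={"Cache-Control": "no-store"}, body=f"Welcome {user}")


def simulate_browser(login_handler, home_handler=None):
    """Model what the browser keeps in history after login: a list of
    (method, payload) entries, the last of which is what a refresh replays.
    Browsers replace the POST entry with the redirect target when they follow
    a 303, which is modelled here by appending the GET as the final entry."""
    creds = "LoginID=alice&Password=correct+horse"   # constructed form body
    history = [("POST", creds)]
    resp = login_handler("POST", creds)
    if resp.status in (302, 303) and home_handler is not None:
        cookies = {}
        set_cookie = resp.headers.get("Set-Cookie", "")
        if set_cookie:
            name, value = set_cookie.split(";")[0].split("=", 1)
            cookies[name] = value
        history = [("GET", resp.headers["Location"])]
        resp = home_handler("GET", cookies)
    return history, resp


def refresh_resends_credentials(history) -> bool:
    """True if replaying the last history entry would re-POST the password."""
    method, payload = history[-1]
    return method == "POST" and "Password=" in payload


if __name__ == "__main__":
    for name, args in (("vulnerable", (vulnerable_login,)),
                       ("hardened", (hardened_login, hardened_myhome))):
        hist, final = simulate_browser(*args)
        print(name, "-> refresh re-sends credentials:",
              refresh_resends_credentials(hist), "| final status", final.status)
```

The `Cache-Control: no-store` header matters independently of the redirect: it asks the browser not to keep a reusable copy of the login response or the authenticated page, so a later back-button visit has to fetch it again with the current session rather than serving it from local storage.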