Transcript of HTA-T07: Did You Read the News? HTTP Request Hijacking
Page 1
HTA-T07
DID YOU READ THE NEWS? HTTP REQUEST HIJACKING
Yair Amit (@yairam), CTO & co-founder, Skycure
Adi Sharabani (@adish), CEO & co-founder, Skycure
© 2013 Skycure
Page 2
#RSAC #Skycure
About the Presenters
▶ Yair Amit
  ▶ CTO & co-founder of Skycure
  ▶ Web, network and mobile researcher
  ▶ Inventor of 15+ patents
  ▶ Former manager of the Application Security & Research group at IBM
▶ Adi Sharabani
  ▶ CEO & co-founder of Skycure
  ▶ Watchfire's research group [acquired by IBM]
  ▶ Led the security of IBM software
  ▶ Teacher at Ohel Shem high school
Page 3
Agenda
▶ Background
▶ The Skycure Journal
▶ HTTP Request Hijacking
▶ Demonstration
▶ Impact
▶ Extensions to the attack
  ▶ Malicious Profiles
  ▶ Captive Networks
▶ Remediation
Page 4
Want to participate?
▶ Ever wanted to be an editor of a newspaper?
▶ Tweet with #skycure during this presentation
Page 5
Man in the Middle Challenges
Diagram (labels recovered from the slide): the man-in-the-middle landscape for browsers, plotted along three axes: Temporal vs Persistent, HTTP vs HTTPS, and Specific User Action vs Active Man in the Middle vs No Action Required. Labelled points: Cache Poisoning, Static JavaScript, SSLStrip, Dynamic.
Page 6
Man in the Middle Challenges
Browsers → Hybrid Mobile Apps → Native Mobile Apps?
▶ Hybrid apps rely on a "browser" technology
▶ Impact increases: control is not just over the browser, but could "hop" to native capabilities
▶ Can a dynamic attack happen here?
Page 7
“We accept the reality of the world with which we are presented, it's as simple as that.”
- Christof, The Truman Show
HTTP REQUEST HIJACKING
Page 8
Native Mobile Apps
Diagram: the app sends a request for content, command & control, configuration, etc.; the server responds with the data.
Page 9
The Skycure Journal
▶ While very basic, The Skycure Journal operates in a similar way to most major news apps:
  ▶ Load a JSON-formatted feed
  ▶ Parse it
  ▶ Display it to the reader…
Code available at: https://github.com/skycure/Skycure_news
Page 10
Into the Code / Objective-C

```objc
- (void)fetchArticles {
    // Plain HTTP, default cache policy: the pattern the rest of the talk targets
    NSURL *serverUrl =
        [NSURL URLWithString:@"http://journal.skycure.com"];
    NSMutableURLRequest *request =
        [NSMutableURLRequest requestWithURL:serverUrl];
    [request setValue:@"application/json"
   forHTTPHeaderField:@"Content-Type"];
    self.connection =
        [[NSURLConnection alloc] initWithRequest:request delegate:self];
}
```
Page 11
Let’s look at the actual network traffic...
HTTP Request Hijacking
Page 12
HTTP Request Hijacking
The same fetchArticles method shown on the previous slide; after hijacking, the app effectively runs it with only the server URL changed.

Before:

```objc
NSURL *serverUrl =
    [NSURL URLWithString:@"http://journal.skycure.com"];
NSMutableURLRequest *request =
    [NSMutableURLRequest requestWithURL:serverUrl];
```

After:

```objc
NSURL *serverUrl =
    [NSURL URLWithString:@"http://attacker.site/skycureJournal"];
NSMutableURLRequest *request =
    [NSMutableURLRequest requestWithURL:serverUrl];
```
HTTP Request Hijacking
Page 13
Question: How is that done?
HTTP Request Hijacking
Answer: Very simple!
Page 14
RFC of 301 Moved Permanently
Source: RFC 2616, Fielding et al.
“10.3.2 301 Moved Permanently The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.”
Page 15
301 Moved Permanently
▶ "If you need to change the URL of a page as it is shown in search engine results, we recommend that you use a server-side 301 redirect." (Google help page)
▶ Usage examples:
  ▶ Moving to a new domain
  ▶ Merging two websites
▶ Useful for the web, bad for mobile apps
Page 16
HRH – Attack Flow
▶ Victim opens the app in an untrusted environment
▶ Victim interacts with the malicious server
▶ Attacker returns a 301 directive specifying a permanent change in URI
▶ Malicious server can return actual results from the target server
▶ A while later, victim opens the app
▶ App continues to connect to the malicious server! App logic has changed!
Page 17
HTTP Request Hijacking
▶ Requests can be hijacked!
  ▶ Seamlessly
  ▶ Permanently
▶ App logic practically changes
  ▶ Hidden
  ▶ Hard to remove
Page 18
This is where you get to dictate the news…
HRH - Demo
Page 19
Impact - Example
Page 20
Challenges [1-2]
▶ Some limitations:
  ▶ Attack is only effective on HTTP
  ▶ Attacker has to be near the victim
Answer: Malicious profiles!
Page 21
Malicious Profiles
▶ Configuration profiles are a great mechanism to configure iOS devices
▶ However… they might be used for bad deeds:
  ▶ Tunnel all traffic through remote servers
  ▶ Install a root certificate
▶ Recently uncovered by Skycure
Page 22
Malicious Profiles
Demo
Page 23
HRH + Malicious profiles
▶ Impact
  ▶ HRH extended to HTTPS
  ▶ HRH can be carried out from a different continent
Page 24
Challenge [3]
▶ Challenge:
  ▶ Victim has to open the vulnerable app in the malicious network
Answer: Captive!
Page 25
Captive to the Rescue
▶ Captive to the rescue:
  ▶ Victim auto-connects to a network
  ▶ Pineapple, WifiGate, etc.
  ▶ Attacker remotely opens an arbitrary application
  ▶ Vulnerable app gets infected
Demo
Page 26
Putting it All Together
▶ Generalizing the attack:
  ▶ Automate an attack on a huge number of people
  ▶ Plant malicious code today, perform the attack tomorrow
Page 27
HRH-Persister – A Testing Tool
▶ Step 1 (Infect):
  ▶ Set up a proxy
  ▶ Open the tested app
  ▶ Return 301 for every GET request, with an identification
  ▶ Identification could be a domain, sub-domain, path, etc.
  ▶ For the second "redirected" request, return the original response
▶ Step 2 (Detect):
  ▶ Close the tested app
  ▶ Open it again
  ▶ Look for requests with the identification value
Page 28
Vulnerable Apps
▶ We tested a bunch of high-profile apps
▶ Almost half of them were susceptible to HRH
▶ Responsible disclosure challenge: we cannot identify and contact all affected vendors
Page 29
Developers - Best Practice
▶ Communicate via HTTPS instead of HTTP:
  ▶ Highly recommended
  ▶ Effective mitigation, not a fix
Page 30
Developers - Best Practice
▶ Caching helps with performance
▶ However, it could lead to security threats
▶ Refrain from using caching in critical logic of the application when not needed*

```objc
NSURL *serverUrl =
    [NSURL URLWithString:@"http://journal.skycure.com"];
// Bypass both the local and any proxy cache, so a stored 301 is never honoured
NSMutableURLRequest *request =
    [NSMutableURLRequest requestWithURL:serverUrl
                            cachePolicy:NSURLRequestReloadIgnoringLocalAndRemoteCacheData
                        timeoutInterval:60.0];
```
Page 31
Developers – Remediation
▶ Change your cache policies to prevent 301 caching
▶ Impact
  ▶ Practically, this removes support for 301 handling in mobile applications
  ▶ In most cases this is acceptable
  ▶ We are talking about apps: if a page moves permanently, the developer can always update the app itself.
Page 32
Developers – Remediation (cont.)
```objc
@interface HRHResistantURLCache : NSURLCache
@end

@implementation HRHResistantURLCache

- (void)storeCachedResponse:(NSCachedURLResponse *)cachedResponse
                 forRequest:(NSURLRequest *)request
{
    NSInteger statusCode =
        [(NSHTTPURLResponse *)cachedResponse.response statusCode];
    // Never write a 301 to the cache: a hijacked permanent redirect
    // would otherwise survive across app launches
    if (301 == statusCode) {
        return;
    }
    [super storeCachedResponse:cachedResponse forRequest:request];
}

@end
```
Page 33
Developers – Remediation (cont.)
▶ Set the new cache policy to be used by the app
▶ Make sure you place the initialization code before any request in your code.

```objc
HRHResistantURLCache *myCache =
    [[HRHResistantURLCache alloc] initWithMemoryCapacity:512000
                                            diskCapacity:10000000
                                                diskPath:@"MyCache.db"];
[NSURLCache setSharedURLCache:myCache];
```

Source: http://www.skycure.com/blog/http-request-hijacking/
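The attack flow, the HRH-Persister test procedure (infect, relaunch, look for the identification value) and the two remediation slides (the ReloadIgnoringLocalAndRemoteCacheData policy and the NSURLCache subclass that refuses 301s) can be exercised together in one offline model. This is an added example written for this transcript, not Skycure's code or the Skycure_news app: the URLs, the marker value and the two network stand-ins are constructed, and the classes are Python analogues of how NSURLCache and NSURLConnection treat a cached 301, not the real APIs.

```python
"""Offline model of HTTP Request Hijacking (HRH) and its cache-side fixes.
Added example; all URLs, marker values and network behaviour are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ORIGIN = "http://journal.skycure.com/feed"        # constructed feed URL
MARKER = "hrh-test-id"                            # constructed HRH-Persister identification
HIJACK = f"http://attacker.site/{MARKER}/feed"    # constructed redirect target


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header on redirects
    body: str = ""


class URLCache:
    """Stand-in for NSURLCache: keeps responses by request URL and, like the
    on-disk cache, outlives app launches."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def store_cached_response(self, url: str, resp: Response) -> None:
        self.store[url] = resp

    def cached_response(self, url: str) -> Optional[Response]:
        return self.store.get(url)


class HRHResistantURLCache(URLCache):
    """Python counterpart of the slides' subclass: a 301 is never cached,
    so a poisoned permanent redirect cannot persist."""

    def store_cached_response(self, url: str, resp: Response) -> None:
        if resp.status == 301:
            return
        super().store_cached_response(url, resp)


Network = Callable[[str], Response]


def honest_network(url: str) -> Response:
    """Victim's normal network: the real server answers; attacker.site, if
    the app is ever sent there, serves attacker-controlled content."""
    if url.startswith("http://journal.skycure.com"):
        return Response(200, body="real news")
    if url.startswith("http://attacker.site"):
        return Response(200, body="attacker-controlled news")
    return Response(404)


def malicious_network(url: str) -> Response:
    """Untrusted network from the attack-flow slide (or the HRH-Persister
    proxy): the request to the real server gets a 301 to attacker.site."""
    if url.startswith("http://journal.skycure.com"):
        return Response(301, location=HIJACK)
    return honest_network(url)


class NewsApp:
    """Minimal fetchArticles: honour a cached 301 the way NSURLConnection
    does, otherwise go to the network. Only redirect caching is modelled."""

    def __init__(self, cache: URLCache, ignore_cache: bool = False) -> None:
        self.cache = cache
        # ignore_cache models NSURLRequestReloadIgnoringLocalAndRemoteCacheData
        self.ignore_cache = ignore_cache
        self.requests_made: List[str] = []

    def fetch(self, network: Network, url: str = ORIGIN, hops: int = 0) -> str:
        self.requests_made.append(url)
        cached = None if self.ignore_cache else self.cache.cached_response(url)
        if cached is not None and cached.status == 301 and hops < 5:
            # Redirect served from cache: the real server is never contacted
            return self.fetch(network, cached.location, hops + 1)
        resp = network(url)
        self.cache.store_cached_response(url, resp)
        if resp.status == 301 and resp.location and hops < 5:
            return self.fetch(network, resp.location, hops + 1)
        return resp.body


def hrh_persister_check(app: NewsApp) -> Tuple[bool, str]:
    """HRH-Persister procedure: open the app behind the 301-returning proxy,
    close it, reopen it on a clean network and look for the identification
    value in the requests it makes. Returns (still_hijacked, body_shown)."""
    app.fetch(malicious_network)            # step 1: infect
    app.requests_made.clear()               # "close the app"; cache persists
    body = app.fetch(honest_network)        # step 2: open it again, off the proxy
    return any(MARKER in u for u in app.requests_made), body


if __name__ == "__main__":
    print("default cache:", hrh_persister_check(NewsApp(URLCache())))
    print("HRHResistantURLCache:", hrh_persister_check(NewsApp(HRHResistantURLCache())))
    print("ignore cache policy:", hrh_persister_check(NewsApp(URLCache(), ignore_cache=True)))
```

With the default cache the relaunch never reaches journal.skycure.com and the marker shows up in the request list, which is exactly the signal step 2 of HRH-Persister looks for; with either fix the relaunch goes back to the real server. The model keeps the attacker's content distinguishable only for clarity; the slides note that a real malicious server can proxy the genuine feed, which is why the detection relies on the request URL rather than on the content.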
Page 34
End Users
▶ Let us know if you think you have been under attack
▶ Remove and reinstall the app to ensure removal of the attack
▶ Always be sure to update your apps
  ▶ Especially in the near future
  ▶ Auto-update in iOS 7
Page 35
Organizations/CISOs/IT
▶ Implement a mobile security tool that provides both visibility and protection for mobile related threats
Page 36
Future work
▶ Research:
  ▶ 308, 302 + Cache-Control
  ▶ Other operating systems
▶ RFC:
  ▶ Create a mobile-application-specific RFC
Page 37
Summary
Diagram (labels recovered from the slide): the same landscape as the opening slide, now for native apps, plotted along Temporal vs Persistent, HTTP vs HTTPS, and Specific User Action vs Captive vs No Specific Action Required. Labelled points: Cache Poisoning, Static HRH, Malicious Profiles, Dynamic.
Page 38
Summary
▶ Tip of the iceberg
▶ App-level security
▶ Check out our blog for more information:
  ▶ http://www.skycure.com/blog/http-request-hijacking/
Page 39
Thank you!
#RSAC
Yair Amit, Adi Sharabani, Skycure
Twitter: YairAmit, AdiSharabani
{yair,adi}@skycure.com
http://www.skycure.com