
List:       websecurity
Subject:    [WEB SECURITY] Remote login with using of Clickjacking
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2011-10-29 20:55:09
Message-ID: 00f501cc967d$17446b20$9b7a6fd5 () ml

Hello, participants of the Mailing List.

In April I wrote the article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html),
the English version of which I presented in the list. And last week I
wrote the article Remote login with using of Clickjacking
(http://websecurity.com.ua/5447/), which is a continuation of the previous
article. And here is the English version of it for you.

In the article Attacks on unprotected login forms I told about a lot of
attacks on login forms (it was such an anthology of attacks on
authentication forms). Particularly, I wrote about the CSRF attack, which I
called "remote login", which can be used for conducting different attacks
directly (such as XSS and URL Redirector Abuse) and as the first step in
multi-step attacks, when remote login is done for later conducting of
attacks on XSS, CSRF and other vulnerabilities in the user account or admin
panel (so called post-auth holes).

And as I wrote earlier, millions of web sites, many engines and different
devices with web interfaces (such as routers, modems and others) are now
vulnerable to such attacks. Approximately 99% of web applications with
login forms have no protection against remote login (CSRF) attacks on their
login forms. But there are some webapps which have some protections, such
as tokens, which protect from CSRF attacks but which can be easily bypassed
to conduct remote login. I saw such webapps a few times earlier, and after
I found in October new web applications with such protection, I created
this method to bypass it (and also found one webapp which has reliable
protection), which I told about in my article.

The common scheme of attack, which I meant in the above-mentioned article
and which I showed on the example of many holes in different web
applications - such as MyBB
(http://dl.packetstormsecurity.net/1105-advisories/mybb163-xss.txt) or the
control panel of the ADSL modem Callisto 821+
(http://dl.packetstormsecurity.net/1105-advisories/callisto-bruteforce.txt)
- is when the login and password on a site are known. I.e. when there is
open registration on a site, so it's possible to create an account and use
it for such an attack, or when the login and password are known but there
is binding to IP, or the attack is conducted from the Internet to the LAN
(via the user's browser).

But if developers made protection against CSRF on the login form (tokens or
referrer checking), then it will not be possible to make remote login. But
last week I created a method to bypass this protection and conduct remote
login. Including, with the help of this method it's possible to conduct
remote logins on accounts whose logins and passwords are not known.

My method proposes to use Clickjacking and the Password Manager in browsers.
Password managers have been used for a long time - from the end of the 90s.
And all modern browsers have such password managers, which remember
passwords and place them in authentication forms at the sites. It's only
needed to conduct a Clickjacking attack on a login form, in which the
browser will place the login and password (if the user saved it, and it's
useful functionality and a lot of people use it), to conduct remote login.

At that, there is no need to know the login and password (because the
browser knows them and places them by itself), and any protections against
CSRF attacks (such as tokens and referrer checking) in the authentication
form will not help. Because they will be bypassed by the user himself, who
will make a click as a result of the Clickjacking attack and will log in to
his account.

So due to the method of remote login with using of Clickjacking, the old
recommendation concerning protection against CSRF - log out from the
account just after finishing the work - is no longer actual. Because this
protective approach is bypassed by this method. The reliable protection
which will help against this attack, as in other cases (which I wrote about
in the above-mentioned article), is using a captcha.

One of the known popular web applications which has protection against the
Clickjacking attack (including in the login form) is phpMyAdmin. There was
protection against this attack already in phpMyAdmin version 2.11.11.
Particularly, the developers of phpMyAdmin used the frame-buster method in
the login form. And in phpMyAdmin 3.3.0 and above, beside it, the
X-Frame-Options header is also used inside the admin panel.

Best wishes & regards,
MustLive
http://soundcloud.com/mustlive 
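The X-Frame-Options defence mentioned for phpMyAdmin is the server-side counterpart to the attack described above: a login page that cannot be framed cannot be clickjacked. The following is an added example (not code from MustLive's post or from phpMyAdmin) that evaluates a response's anti-framing headers; it generalises beyond the post to the CSP frame-ancestors directive, which browsers prefer over X-Frame-Options when both are present. The header dicts and origins are constructed samples.

```python
"""Decide whether a login page's response headers let another origin frame it.

Added example: models X-Frame-Options (DENY / SAMEORIGIN) and the CSP
frame-ancestors directive. Header dicts and origins are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed sample responses for a login page served from https://login.example
UNPROTECTED = {"Content-Type": "text/html"}          # framable: clickjacking scenario
XFO_DENY = {"X-Frame-Options": "DENY"}               # the phpMyAdmin-style defence
CSP_INTRANET = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://*.intranet.example"}


def _source_matches(origin: str, source: str) -> bool:
    """Match an embedding origin against one frame-ancestors source expression."""
    src = source.lower()
    o = urlsplit(origin.lower())
    if src == "*":
        return True
    if src.endswith(":"):                        # scheme-only source, e.g. "https:"
        return o.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if not s.hostname or (s.scheme and s.scheme != o.scheme):
        return False
    if s.hostname.startswith("*."):              # wildcard matches subdomains only
        host_ok = o.hostname.endswith(s.hostname[1:])
    else:
        host_ok = o.hostname == s.hostname
    return host_ok and (s.port is None or s.port == o.port)


def can_be_framed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a browser honouring these headers would let framer_origin embed the page."""
    h = {k.lower(): v for k, v in headers.items()}
    # frame-ancestors, when present, overrides X-Frame-Options (as browsers do)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src.lower() == "'self'":
                    if framer_origin.lower() == page_origin.lower():
                        return True
                elif src.lower() != "'none'" and _source_matches(framer_origin, src):
                    return True
            return False                         # no source matched (or 'none')
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin.lower() == page_origin.lower()
    return True                                  # no anti-framing header at all
```

A login page for which `can_be_framed` returns True for an arbitrary foreign origin is exposed to the password-manager autofill scenario the post describes, whatever CSRF tokens it carries.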

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org