Session hijacking usually requires XSS vulnerability (or MITM attack). But what to do when there is none? Of course, we might trick the user with UI Redressing!
Yesterday I presented a new way to trigger content extraction. Being UI redressing vector, it requires user intervention, this time tricking user to copy & paste some text through his clipboard to solve a kind of CAPTCHA challenge. Today we'll make a real life example of using this method.
RequirementsFake captcha has some advantages over 'drag & drop hidden page source', however attacker has to:
- find a page with certain CAPTCHA-like text
- the text had to be at exact line / column position in HTML source
- the page source had to contain something relevant for further attack (user id, session id, password text etc.)
- only one line could get copied/pasted
Looks too limiting?
Let's make this easier
We might be able to meet the requirements, when we consider this:
- CAPTCHA might be reflected (the attacker controls the URL to display) - so e.g. search results page would be a good candidate
- if attacker is able to store anything on the target domain (e.g. his profile data on a social network site), maybe he can direct the user to the page with that data?
- CAPTCHA might be e.g. account id for Google Analytics or other services website is using
- sometimes websites compress the HTML source to conserve bandwidth, stripping all whitespaces, including newlines. So all the web page is on a single line - no line positioning and attacker gets full HTML source in the clipboard!
Think big!UI redressing requires user intervention, and that is its weak point. After all, users might not use the clipboard, might just ignore the trap set for them etc.
Sometimes just a single user tricked is enough, but usually attacker needs several victims. The bigger the site, the better (more potential victims). What if you have a pretty big target? Is Alexa top 200 enough? Let's see. Let me introduce:
Imgur.com session hijacking
This is an example of using the fake captcha content extraction to hijack the session of logged in imgur.com user.
What is happening:
- Exploit detects if user runs Firefox (the only vulnerable browser) and if he is logged in to imgur.com (with iframe scrolling position method). If not - it aborts.
- Fake form is displayed. One of the fields, the 'security code' is actually part of Google AdSense used by imgur:
- At http://imgur.com?flash this code is always (at least for a few days) at the same HTML position (at least for Firefox). There were differences for other pages
- http://imgur.com?flash also has some nice content:
<form method="post" id="uploadform" enctype="multipart/form-data" action="/upload"> <input id="sid" name="UPLOAD_IDENTIFIER" type="hidden" value="tfm4m79nrb98e3hb0u0sc2aki2" />This UPLOAD_IDENTIFIER is a session cookie value :) Remember, imgur - Using httpOnly cookies only makes sense if you don't repeat them in HTML!
- To make the exploit easy, I used the API reachable at api.imgur.com that has the nice feature of letting me authenticate with simply passing the cookie from main site.