Cross-Site Search (XS-Search) Attacks - OWASP · 2020. 1. 17.
![Page 1: Attacks (XS-Search) Cross-Site Search - OWASP · 2020. 1. 17. · Cross-Site Search (XS-Search) Attacks Hemi Leibowitz, OWASP AppSec IL 2015 1](https://reader033.fdocuments.in/reader033/viewer/2022051510/5ff67442e74e421cca278d6e/html5/thumbnails/1.jpg)
Cross-Site Search (XS-Search) Attacks
Hemi Leibowitz, OWASP AppSec IL 2015
1
Work By:
Nethanel Gelernter: Head of the cyber research group at the Michlala LeMinhal.
Professor Amir Herzberg: Head of the Secure Communication and Computing (`Cyber`) group at Bar-Ilan University
2
AGENDA
Extraction of private, sensitive data using cross-site vulnerabilities via XS-Search attacks
➢ Who, what, how?
➢ Demo
➢ Conclusions
* All experiments were performed ethically
3
VULNERABLE SITES AND DATA
Mail content, contacts...
Structured information
Search history
Relationships
And a lot more...
4
EXAMPLE SCENARIO
GET / POST request to Gmail
Browser receives the response and displays it
5
Cross-Site Attacks
6
XS-SEARCH: HIGH LEVEL VIEW
[Diagram: the attacker's page (…<script>...) issues a GET/POST request to the target site, and the response comes back to the browser]
7
XS-SEARCH: HIGH LEVEL VIEW
[Diagram as before; the GET/POST request from the attacker's page (…<script>...) is marked "Allowed": the browser sends it, with the user's credentials, to the target site]
8
XS-SEARCH: HIGH LEVEL VIEW
[Diagram as before; the response is marked "SOP": the same-origin policy keeps the attacker's script (…<script>...) from reading it]
9
Timing Side Channel
We can’t read the response, BUT - we can measure how long it took
10
XS-SEARCH: HIGH LEVEL VIEW
[Diagram as before; a brace labelled "Time" spans the GET/POST request and its response: the attacker's script (…<script>...) measures how long the round trip takes]
11
PROBLEMS
1. Noise -
   a. Timing a response is inaccurate and influenced by many factors (Internet connection, browser etc.)
   b. Very (very) short time differences between responses (even long ones) - especially when heavily compressed.
2. Small window of opportunity -
   a. User visits the page for a short term only
   b. Avoid detection mechanisms (anti-DoS)
12
“These XS-Search attacks are impractical”
13
XS-SEARCH: BASIC FLOW
Dummy - request that yields a short (fast) response
q=in:sent&from:fdjakdhasd
Challenge - request that yields either long or short response
q=in:sent&from:Alice
14
BASIC FLOW: ANSWER BOOLEAN QUESTIONS
T(Dummy) ≈ T(Challenge) ⇒ False
T(Dummy) ≪ T(Challenge) ⇒ True
15
XS-SEARCH: BASIC FLOW
16
XS-SEARCH: BASIC FLOW
[Diagram: the attacker's page (…<script>...) sends GET q=in:sent&from:fdjakdhasd and gets an empty response, measured as T(Dummy); it then sends GET q=in:sent&from:Alice and gets an unknown response, measured as T(Challenge) ?]
17
17
DEALING WITH THE PROBLEMS
➢ Dummy / Challenge pairs
➢ Statistical tests
➢ Inflation techniques
➢ Divide and Conquer algorithms
18
STATISTICAL TESTS
Classical statistical hypothesis tests assume large samples.
In order to achieve good results using small samples:
➢ Ran each Dummy / Challenge pair a few times
➢ Tested and compared various statistical tests between
the distributions
Main observation: lower values give better indication
19
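An added simulation (not code from the talk or the paper) of the Dummy/Challenge decision from the basic-flow and statistical-tests slides, on constructed timings: it shows why comparing the minimum of a few repeated measurements answers the boolean question far more reliably than comparing averages, which is the "lower values give better indication" observation. BASE_MS, NOISE_MEAN_MS, the 15 ms full/empty gap and the thresholds are all assumptions.

```python
import random

# Added example, not the talk's or the paper's code. Model: an observed response
# time is the server's service time plus NON-NEGATIVE network/browser noise
# (queueing and jitter never make a response arrive early). A full response
# costs delta_ms more than an empty one, but the noise is larger than delta_ms.
BASE_MS = 50.0        # constructed service time of an empty response
NOISE_MEAN_MS = 20.0  # constructed mean of the added noise


def sample_times(delta_ms, n, rng):
    """n constructed timings of a response whose service time is BASE_MS + delta_ms."""
    return [BASE_MS + delta_ms + rng.expovariate(1.0 / NOISE_MEAN_MS) for _ in range(n)]


def decide_by_min(dummy, challenge, threshold_ms):
    """T(Dummy) << T(Challenge) => True, else False, comparing sample minima.
    Noise only ever adds time, so the minimum of a few runs is the cleanest
    estimate of the true service time ("lower values give better indication")."""
    return min(challenge) - min(dummy) > threshold_ms


def decide_by_mean(dummy, challenge, threshold_ms):
    """Same question answered with sample means, for comparison."""
    return sum(challenge) / len(challenge) - sum(dummy) / len(dummy) > threshold_ms


def accuracy(decider, delta_ms, repeats, threshold_ms, trials=400, seed=7):
    """Fraction of trials the decider answers correctly. Half the trials have a
    full (True) challenge, half an empty (False) one; each Dummy/Challenge pair
    is run `repeats` times, as the slides describe."""
    rng = random.Random(seed)
    correct = 0
    for t in range(trials):
        truth = t % 2 == 0
        dummy = sample_times(0.0, repeats, rng)
        challenge = sample_times(delta_ms if truth else 0.0, repeats, rng)
        correct += decider(dummy, challenge, threshold_ms) == truth
    return correct / trials


if __name__ == "__main__":
    for name, decider in (("min", decide_by_min), ("mean", decide_by_mean)):
        print(name, accuracy(decider, delta_ms=15.0, repeats=5, threshold_ms=7.0))
```

With only five runs per pair the min-based decider is right about nine times in ten while the mean-based one is right about seven times in ten, which is why a defence that merely adds random delay (more non-negative noise) buys less than it seems to.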
INFLATION TECHNIQUES
Increase the difference of the response time
between empty and full response
➢ Response-length inflation
○ Query fields are copied to the response
➢ Compute-time inflation
20
RESPONSE-LENGTH INFLATION
21
COMPUTE-TIME INFLATION
➢ Abuses hard-to-compute ‘has not’ search terms
➢ Short circuit ‘empty’ queries
➢ Allows detection of information that appears only once!
22
COMPUTE-TIME INFLATION
➢ Abuses hard-to-compute ‘has not’ search terms
➢ Short circuit ‘empty’ queries
➢ Allows detection of information that appears only once!
Dummy:
q=in:sent&from:fdjakdhasd&hasnot:{rjew+...+iqejh}
Challenge:
q=in:sent&from:Alice&hasnot:{rjew+...+iqejh}
23
EFFICIENT TERM IDENTIFICATION
Which of {T1, T2,…} appears in <data>?
Naïve solution: check one by one…
Three efficient divide and conquer algorithms:
➢ Multiple Terms Identification (MTI)
➢ Optimized Multiple Terms Identification (OMTI)
➢ Any Term Identification (ATI)
Each of them sends queries for conjunction of terms: from:michael+OR+dan+OR+.... Up to the URL limit
24
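An added example, not the paper's MTI/OMTI/ATI implementation, that illustrates the divide-and-conquer idea behind them with a constructed oracle: it answers "does any term of this OR-query appear?" directly instead of through timing, so the only thing measured is how many requests the target would see. URL_TERM_LIMIT and the user0000-style candidate names are assumptions. For a defender, that request count is what a rate limit on the search endpoint has to be sized against.

```python
# Added example, not the paper's code: plain divide-and-conquer (group testing)
# over a candidate list, to show that the number of queries grows with the
# number of hits and log(candidates), not with the length of the list.
URL_TERM_LIMIT = 64   # constructed cap on how many OR-terms fit in one URL


class SearchOracle:
    """Constructed stand-in for the search service. any_present() answers the
    one bit an XS-Search query leaks ("does any of these terms appear?"); in the
    real attack that bit comes from the timing channel, here it is returned
    directly so that only the query budget is studied."""

    def __init__(self, private_terms, limit=URL_TERM_LIMIT):
        self.private = set(private_terms)
        self.limit = limit
        self.queries = 0   # number of requests the target site would see

    def any_present(self, terms):
        if len(terms) > self.limit:
            raise ValueError("query would exceed the URL length limit")
        self.queries += 1
        return any(t in self.private for t in terms)


def identify_terms(oracle, candidates):
    """Return every candidate that is present, in candidate order."""
    found = []
    for i in range(0, len(candidates), oracle.limit):   # one URL-sized chunk at a time
        _split_search(oracle, candidates[i:i + oracle.limit], found)
    return found


def _split_search(oracle, group, found):
    if not oracle.any_present(group):   # whole group absent: one query settles it
        return
    if len(group) == 1:
        found.append(group[0])
        return
    mid = len(group) // 2
    _split_search(oracle, group[:mid], found)
    _split_search(oracle, group[mid:], found)


def query_budget(n_candidates, private_terms):
    """(terms found, queries used, naive one-query-per-candidate count)."""
    candidates = [f"user{i:04d}" for i in range(n_candidates)]   # constructed names
    oracle = SearchOracle(private_terms)
    found = identify_terms(oracle, candidates)
    return found, oracle.queries, n_candidates
```

With 1000 candidates of which two are present, the split search needs 40 requests (14 chunks rejected outright, 13 per positive chunk) where the one-by-one check needs 1000.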
DEMO
25
WHAT CAN WE EXPOSE WITH XS-SEARCH?
➢ Specific terms or from list of candidate terms
➢ By date, subject, folder, or other properties
➢ Structured information
○ Credit card numbers (xxxx-xxxx-xxxx-xxxx)
○ Phone numbers (xxx-xxxx-xxx)
26
WHAT CAN WE EXPOSE WITH XS-SEARCH?
➢ Is the name of the user Alice?
○ in:sent&from:alice
➢ Closely related to [email protected]?
○ [email protected]&st=100
➢ Is a client of SomeBank?
➢ Does the user have Bob as a friend in Google+?
○ from:bob&circle:friends
➢ Did Bob bcc Charlie about an amazing lecture?!
○ from:bob&bcc:charlie&after:2015/10/12+before:2015/10/14&subject:amazing-xssearch-lecture
27
WHAT CAN WE EXPOSE WITH XS-SEARCH?
Credit card numbers (xxxx-xxxx-xxxx-xxxx)
➢ x ∈ {0,1...9} ⇒ 10^16 = 10,000,000,000,000,000
But, using XS-Search we only need to reveal xxxx
➢ Only 10^4 (= 10,000) possibilities!
28
PREVENTING XS-SEARCH?
29
PREVENTING XS-SEARCH?
Easy - prevent any cross-site request.
BUT…
Many services wish to allow cross-site requests.
These services can try to:
➢ Restrict: limit requests rate, inflation …
➢ Detect: anomalies, heuristics...
30
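As an added example of the two options on this slide (not code from the talk), a request-handling policy for a search endpoint: either refuse cross-site requests outright, or admit them under a per-user rate limit. It relies on the browser-set Sec-Fetch-Site header, which postdates the talk, with Origin/Referer as the fallback; OWN_ORIGIN and the limit values are assumptions.

```python
from collections import deque
from urllib.parse import urlsplit

OWN_ORIGIN = "https://mail.example"   # constructed origin of the search service


def is_cross_site(headers, own_origin=OWN_ORIGIN):
    """True when a search request did not originate from our own origin.
    Sec-Fetch-Site is set by the browser and cannot be forged by page script,
    so it is authoritative when present; Origin/Referer are the fallback."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        return site not in ("same-origin", "none")   # "none" = user-typed URL
    source = h.get("origin") or h.get("referer")
    if source is None:
        return True   # policy choice: no provenance at all is treated as cross-site
    u = urlsplit(source)
    return f"{u.scheme}://{u.netloc}" != own_origin


class SearchRateLimiter:
    """Sliding-window cap on cross-site search requests per authenticated user."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.history = {}   # user -> deque of request timestamps in the window

    def allow(self, user, now):
        q = self.history.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_search(headers, user, now, limiter, allow_cross_site=False):
    """The two policies from the slide: block cross-site search outright, or
    allow it under a rate limit. Returns 'ok', 'blocked' or 'rate-limited'."""
    if is_cross_site(headers):
        if not allow_cross_site:
            return "blocked"
        if not limiter.allow(user, now):
            return "rate-limited"
    return "ok"
```

Same-origin requests never touch the limiter, so the cap only constrains the cross-site query budget that a divide-and-conquer XS-Search depends on.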
Credits
Special thanks to all the people who made and released these awesome resources for free:
▷ Presentation template by SlidesCarnival
▷ Photographs by Unsplash
32