This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Ahamed Nafeez. technology.inmobi.com/events/null-owasp-g4h-december-meetup Proxpective: Attacking Web Proxies like never before

1. Proxpective: Attacking
Web Proxies like never
before
Ahamed Nafeez

2. About me
Software Security Engineer
Defending & building secure stuff is more fun.
Been talking about stuff that break the web @
BlackHat, HITB, Nullcon, C0c0n

3. Web Proxy

4. Our scope
Not the pure HTTP Proxies but Web-Based proxies.

6. How does a web based
proxy work?
1. User requests site.com inside the Web Proxy
page.
2. The Proxy downloads the web content and
pushes its own HTML alongside the
downloaded content.
3. User finally gets to see site.com under the Web
Proxy page.

7. Why use web proxies?
Widely used for anonymous surfing and identity
cloaking on the Internet.
Also used in traffic filtering, traffic management,
log auditing, access policies and surfing
restricted sites.

8. Past attacks on web proxies
De-anonymization, exfiltrating data, logs …
Usually revolves around, the Proxy itself being malicious.

9. Those are old threats
Lets talk about owning an user when he is ready to
click on links!

10. A little bit of theory first

11. Same origin policy (SOP)
Single most important security feature in the
browser.
Without this, we would have a world-wide XSS
havoc.

12. Universal XSS (uXSS)
Any flaw or un-intended feature in the browser, that
bypasses its Same Origin Policy.

13. Back to our web proxy story
All the websites being proxied comes under a
single trusted 'origin' from the browser's
perspective.

14. This also means any website can interact with the
DOM / Cookies of other proxied websites.

15. Bypassing the Proxy’s SOP

16. attacker.com IFrame’s the proxified site.com URL.
The user navigates to,
<iframe src=‘http://proxy.com/site?url=site.com’>

17. attacker.com gets hold of the iframe Window Object and
accesses its DOM.

18. At this point, the SOP is bypassed
a.k.a.
Game Over!

19. How do we solve this
problem?

20. Do not allow other websites to directly control your
proxified URL

21. Proxy Hot-linking
This feature prevents users from hot-linking
directly to a proxied page and forces all users to
visit the index page first.

22. Proxy Hot-linking
This feature is like the achilles-heel of any web
proxy security.
If any website can directly get themselves being
IFRAME + Proxied by a web proxy then attacks
like the SOP bypass and other attacks are easily
possible.

23. Glype Proxy Hot-Linking

24. Bypassing Hot-Linking in Glype

26. This checks for all the whitelisted websites in the Referer
If found, the hot-linking protection doesn’t apply to this!

27. Allowed Referrers
http://localhost
http://proxy-website-itself
And other whitelisted websites.

28. The bypass
Just add the whitelisted name to the path of your
referrer.
Just do a location.reload() from,
http://attacker.com/localhost/
http://attacker.com/whitelisted-domain/

29. Practical aspects
What if the target website prevents IFraming using
X-Frame-options?
What if the target website has set httpOnly
cookies?

30. True Story
Web based proxies don’t respect target website’s
HTTP Response Headers!
Web based proxies have their own Cookie Jar
implementation.

31. The X-Frame-Options Header won’t be replicated
back to the User’s browser.

32. Unsafe response rewrites
Messing around with security response headers
like X- Frame-Options, X-XSS-Protection, Content-
Security-Policy.

33. The proxies store the site cookies like this,

34. Cookie Jars on Proxy
Proxies under-estimate the complexity of Cookie
management.
Things like various cookie flags, handling of
secure channels, limit of cookies etc

35. Bypassing JavaScript restriction
Most proxies disable Javascript by default for a lot
of reasons.

36. They work by searching for Javascript patterns
and possibly removing them.
They cannot completely disable Javascript
because they are not the same as browser!

37. For a web attacker, this situation is like a XSS filter
bypass.

38. Most proxies don’t restrict
JS execution from
SVG, Complex JS Event handlers.
An attacker can also send chunked encoded
responses.

39. A certain bypass
//inputHTML = ‘<img src=“PLACEHOLDER”>’;
input = filterChars(input); // Filters ‘, “
final = inputHTML.replace(PLACEHOLDER, input)
document.write(final);

40. input = “$` onerror=alert(1)”;

41. EcmaScript’s String.replace
is funny!
http://www.ecma-international.org/ecma-262/5.1/#sec-15.5.4.11

42. Little bit of EcmaScript 5
helps as well!
Overriding and Freezing DOM properties using
ES5 Object locking mechanisms to completely
subvert any defences placed by the proxied
website against Proxy based attacks.

43. Proxies should adopt CSP
Content security policy helps extensively in locking
down proxy based attacks, since its enforced by
the browser.

44. Thanks!
@skeptic_fx