This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Ahamed Nafeez.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Proxpective: Attacking Web Proxies like never before
2. About me
Software Security Engineer
Defending & building secure stuff is more fun.
Been talking about stuff that breaks the web @ BlackHat, HITB, Nullcon, C0c0n
6. How does a web-based proxy work?
1. User requests site.com inside the Web Proxy page.
2. The Proxy downloads the web content and pushes its own HTML alongside the downloaded content.
3. User finally gets to see site.com under the Web Proxy page.
7. Why use web proxies?
Widely used for anonymous surfing and identity cloaking on the Internet.
Also used in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites.
8. Past attacks on web proxies
De-anonymization, exfiltrating data, logs …
Usually revolves around the Proxy itself being malicious.
9. Those are old threats
Let's talk about owning a user when he is ready to click on links!
20. Do not allow other websites to directly control your proxified URL
21. Proxy Hot-linking
This feature prevents users from hot-linking directly to a proxied page and forces all users to visit the index page first.
22. Proxy Hot-linking
This feature is the Achilles' heel of any web proxy's security.
If any website can get itself IFRAMEd and proxied directly by a web proxy, then attacks like the SOP bypass and others become easily possible.
28. The bypass
Just add the whitelisted name to the path of your referrer.
Just do a location.reload() from:
http://attacker.com/localhost/
http://attacker.com/whitelisted-domain/
29. Practical aspects
What if the target website prevents IFraming using X-Frame-Options?
What if the target website has set httpOnly cookies?
30. True Story
Web-based proxies don't respect the target website's HTTP Response Headers!
Web-based proxies have their own Cookie Jar implementation.
34. Cookie Jars on Proxy
Proxies underestimate the complexity of Cookie management.
Things like the various cookie flags, handling of secure channels, the limit on the number of cookies, etc.
36. They work by searching for JavaScript patterns and possibly removing them.
They cannot completely disable JavaScript because they are not the same as a browser!
37. For a web attacker, this situation is like an XSS filter bypass.
38. Most proxies don't restrict JS execution from SVG or complex JS event handlers.
An attacker can also send chunked-encoded responses.
39. A certain bypass
    inputHTML = '<img src="PLACEHOLDER">';   // the proxy's HTML template
    input = filterChars(input);              // filters ' and " from the input
    final = inputHTML.replace('PLACEHOLDER', input);
    document.write(final);
42. A little bit of ECMAScript 5 helps as well!
Overriding and freezing DOM properties using ES5 object-locking mechanisms to completely subvert any defences placed by the proxied website against proxy-based attacks.
43. Proxies should adopt CSP
Content Security Policy helps extensively in locking down proxy-based attacks, since it's enforced by the browser.