Tuesday, March 15, 2011

Misdirection 3

EPISODE 3


We suspected the vulnerability could be the result of an abused redirect or forward on the site.

Turns out it is a classic case of unvalidated redirects and forwards:

First, we reviewed the code for all uses of redirects or forwards (called a transfer in .NET). Next, for each use, we identified whether the target URL was derived from any parameter values.  In some cases it was, but validation was in place to ensure that the value pointed at a valid site.

Not giving up on the idea, we spidered the site to see whether it generated any redirects (3xx HTTP response codes, typically 302) and looked at the parameters supplied in the request before each redirect to see whether any of them appeared to be a target URL or a piece of one. That is where we found the bug. In one case we were able to change the parameter value and observed that the redirect would send us to any site of our choosing.

See, web applications frequently redirect and forward users to other pages and websites, and often use untrusted data, such as a request parameter, to determine the destination.  Without proper validation, an attacker can craft a link on the trusted site that redirects victims to a phishing or malware site, or use a forward to reach pages they are not authorized to access.

We contacted the website operator, but they were unaware that these sorts of attacks could even happen.    

How To Prevent Unvalidated Redirects and Forwards?

Safe use of redirects and forwards can be done in a number of ways:
1. Simply avoid using redirects and forwards.
2. If used, don’t involve user parameters in calculating the destination. This can usually be done.
3. If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.

It is recommended that any such destination parameter be a mapping value rather than the actual URL (or a portion of it), and that server-side code translate the mapping to the target URL.  If a URL must be accepted, parse it and compare the scheme and host against an allow-list of permitted destinations; substring or prefix checks are not enough, since protocol-relative values such as //evil.example, or host names that merely begin with the trusted name, slip past them.  Applications can use ESAPI to override the sendRedirect() method so that every redirect destination is checked.  Avoiding such flaws is extremely important, as they are a favorite tool of phishers trying to gain the user's trust.
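The list above in working form, as an added example in Python (not code from the original post or from any site it mentions): the open-redirect pattern found in the story next to the recommended mapping approach, plus a fallback validator for the case where a URL must be accepted. The host name lavishcosmetics.example and the destination table are hypothetical. The validator goes a little beyond the text in that it also rejects the inputs that defeat a naive "is it our site?" check: protocol-relative //host, backslash variants, userinfo tricks (trusted@evil) and look-alike hosts that merely start with the trusted name.

```python
"""Added example: an open redirect next to two safe ways to pick a redirect target.

The host name and destination table are hypothetical values for this example.
"""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "lavishcosmetics.example"   # assumed: the application's own host
DEFAULT_DESTINATION = "/"               # where rejected values are sent instead

# Mapping approach: the request parameter is an opaque key, never a URL.
DESTINATIONS = {
    "account": "/account",
    "orders": "/account/orders",
    "help": "https://help.lavishcosmetics.example/",
}


def vulnerable_redirect_target(next_param: str) -> str:
    """The bug found in the story: the parameter is echoed straight into Location."""
    return next_param


def mapped_redirect_target(token: str) -> str:
    """Recommended: look the token up server-side; unknown tokens go to the default."""
    return DESTINATIONS.get(token, DEFAULT_DESTINATION)


def validated_redirect_target(candidate: str) -> str:
    """Fallback when a URL must be accepted: parse it and keep only on-site targets."""
    # Browsers treat \\evil.example like //evil.example, so normalise backslashes
    # before parsing; otherwise urlsplit() sees a harmless-looking relative path.
    parts = urlsplit(candidate.strip().replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        # Relative path: allow a single leading slash and nothing else.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_DESTINATION
    if parts.scheme not in ("http", "https"):
        return DEFAULT_DESTINATION   # also rejects //evil.example (empty scheme) and javascript:
    # .hostname drops userinfo and port, so https://lavishcosmetics.example@evil.example
    # resolves to evil.example.  Exact comparison, not startswith(), defeats
    # lavishcosmetics.example.evil.example.
    if parts.hostname != SITE_HOST:
        return DEFAULT_DESTINATION
    return urlunsplit(("https", SITE_HOST, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for value in ("/account", "//evil.example/",
                  "https://lavishcosmetics.example@evil.example/",
                  "https://lavishcosmetics.example.evil.example/",
                  "javascript:alert(1)"):
        print(f"{value!r:50} -> {validated_redirect_target(value)!r}")
```

Prefer mapped_redirect_target(): with an opaque key there is simply no URL for the attacker to tamper with, and the validator exists only for the case the text calls unavoidable.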

Forensics and log analysis.

Finally, after getting in touch with the website operator, we were able to begin a forensic investigation.  We went through the application's logs looking for the signature of the exploit: requests to the redirecting page whose destination parameter pointed at a site other than the operator's own.  Our search led us to an IP address from the lower east side of the city.  Looks like it could be your man.
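An added example (not from the original post) of the kind of log search described above: a scan over constructed Apache-style access-log lines that flags requests whose redirect parameter resolved to a host other than the site's own, grouped by client IP. The host name, the parameter names and the log lines are all constructed for the example.

```python
"""Added example: hunting open-redirect abuse in web server access logs.

The log lines, host name and parameter names are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "lavishcosmetics.example"                                    # assumed host
REDIRECT_PARAMS = ("returnUrl", "ReturnUrl", "next", "redirect", "url")  # assumed names

# Constructed access-log lines in Apache/NCSA common format.
LOG_LINES = [
    '203.0.113.7 - - [12/Feb/2011:21:14:03 -0500] "GET /login.aspx?returnUrl=/account HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Feb/2011:21:16:40 -0500] "GET /login.aspx?returnUrl=https%3A%2F%2Flavishcosmetics.example%2Fcheckout HTTP/1.1" 302 0',
    '198.51.100.23 - - [12/Feb/2011:22:01:11 -0500] "GET /login.aspx?returnUrl=http%3A%2F%2Flavish-cosmetics-login.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.23 - - [12/Feb/2011:22:02:58 -0500] "GET /login.aspx?returnUrl=%2F%2Fevil.example%2F HTTP/1.1" 302 0',
    '192.0.2.44 - - [13/Feb/2011:09:30:02 -0500] "GET /products.aspx?id=17 HTTP/1.1" 200 8812',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def is_offsite(value: str, site_host: str) -> bool:
    """True if a redirect parameter value would send the browser away from site_host."""
    parts = urlsplit(value.replace("\\", "/"))   # browsers treat \ like / here
    if not parts.scheme and not parts.netloc:
        return False                              # plain relative path, e.g. /account
    if parts.scheme not in ("", "http", "https"):
        return True                               # javascript:, data:, ...
    return parts.hostname != site_host            # covers //evil.example and user@host tricks


def find_open_redirect_abuse(lines, site_host=SITE_HOST, param_names=REDIRECT_PARAMS):
    """Return {client_ip: [hit, ...]} for requests whose redirect parameter left the site."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query)                  # percent-decodes the values for us
        for name in param_names:
            for value in params.get(name, []):
                if is_offsite(value, site_host):
                    hits.setdefault(m.group("ip"), []).append(
                        {"ts": m.group("ts"), "param": name,
                         "value": value, "status": m.group("status")}
                    )
    return hits


if __name__ == "__main__":
    for ip, records in find_open_redirect_abuse(LOG_LINES).items():
        print(ip)
        for r in records:
            print(f"  {r['ts']}  {r['param']}={r['value']}  ({r['status']})")
```

The check decodes the query string before inspecting the value, so %2F%2Fevil.example is caught as //evil.example; grepping the raw log for the literal string "http" would miss that variant and the look-alike host.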



Great work!  I will get in contact with Ms. Sheraton.

I called Ms. Sheraton back and explained what had happened.  The police were able to trace the attack to a specific person, whom they now had in custody.  Case closed.
Oh, Thank You, Mr. Failsafe.



Monday, February 14, 2011

Misdirection 2

EPISODE 2

It was about half-past five (5:30PM) when she appeared in my doorway.  She was tall, dressed to the nines, and had a look that could drop packets.

She entered the room quickly -- as though she didn't want anyone to see her.



"Hello?" she said.


"Good evening, ma'am.  What can I do for you?" I asked.


"I need some help," she began. "I need someone who knows computers."


"I know a little something," I said.


"..but they must be able to keep things private." she warned.

"I'm as private as 10.0.0.1, lady." I assured her. "What can I help you with?"

"I made a number of purchases online.  Afterwards someone stole a large sum of money from my account."

"I'm sorry to hear about that ma'am.  Do you mind if I ask you a couple of questions?"


"I suppose not.  That is why I'm here."


"Okay.  Where did you go online?"


"Well, I went to the Bottega Ricco website."


"What?"  I interrupted.  "That high-end joint downtown?  Wow, you really do have some expensive taste, lady."


She shot me an icy look.  "Uh, right.  Sorry.  Bottega Ricco.  Go on."


"... and I watched a couple of movies on Netflix.  That's about it.  Oh, wait.  I also purchased some cosmetics."


"What did you purchase, ma'am?  And what was the name of the website?"


"I purchased some hand-made, organic, lipstick from a site a friend recommended -- LavishCosmetics.com."



"I see.  One last thing, what is your name ma'am?"


"Sheraton," she replied. "Vienna Sheraton."


"Alright, Ms. Sheraton.  My name is Joe Failsafe.  I'll take your case and let you know what I find out."


"Thank you, Mr. Failsafe."

The following afternoon I checked the websites that Ms. Sheraton provided.  First I called Bottega Ricco, a high-class clothing joint downtown.  I spoke with a Mr. Delicato, who showed me how they handle data and credit card information and assured me that they followed industry best practices.

The most likely source for trouble had to be that cosmetics website that Sheraton went to.  Upon inspecting the site, I began to suspect that this was where the crime occurred.

I'd seen this kind of thing before, and I knew just who to call.

Monday, February 07, 2011

Misdirection


EPISODE 1

The night was cold and dank.  One of those nights where the mist from the manhole covers creates a fog that rolls down the street and smells like unseated memory chips.  Nothing was moving, and nobody was around.  The intersection was completely vacant.  During the day this place is busy with bustling vehicle and pedestrian traffic, but at night it is strikingly empty.

Only the solitary, cool beeping of an ATM could be heard as its user finished his transaction.  It was late, or early, depending on how you look at it.  He still had five more credit cards to cash out before midnight.  See, midnight was special.  That is the time when the bank reset its withdrawal limits.  If he made his withdrawals before and after midnight he could steal twice as much dough.

"I can't believe how easy this is," he thought, stuffing the cash from the last transaction into his coat pocket.

He smirked and then fumbled through the remaining stack of cards he had programmed that night.  People don't realize that the information stored on a credit card is not encrypted.  So, all someone needs is a magnetic card writer, a list of card numbers, and a bit of free time.

He took the next card and nudged it into the ATM.
"8-6-6-3" he pressed on the keyboard.  
The number made him smile.  That was the same number he had used all night.
"Kevin Mitnick's birthday," he snickered.
"bleeep."

"Insufficient funds?" he thought.
But he had been making withdrawals of $100 all night.
"Check Available Balance" he pushed into the keyboard.  
"Bleep-bleep-bleep." the machine groaned.
"You have $47.09 funds available."  
"Huh?  Must have burned that one up." he concluded.