Joachim Breitner

Like XSS, just simpler and harder to prevent: The Cross Site Auth (XSA) Attack

Published 2005-07-12 in sections English, Digital World.

I just thought of a (AFAIK) new way to steal passwords from not totally careful users. XSS relies on somehow smuggling script code into the attacked web presence. For this Cross-Site-Auth attack (I just call it XSA), you only need to have the attacked site display an image hosted on an attacker-controlled server. This is usually extremely easy: most web forums allow it, as do a lot of web services like eBay and probably most webmails with HTML support.

All you have to do is put the referenced image in a directory that is protected by HTTP Auth. The user's browser will load the real HTML page, see the image URL, try to load it, get an "Authentication Needed" reply header, and display the login dialogue to the user. The user might think it is his web service requesting his password for some reason, and enter his precious credentials. These are sent to the attacker's server. There, the server stores them, replies that the authentication succeeded, and shows the image, totally unsuspiciously.

The dialogue displayed by the browser contains (at least here in Galeon, which is a Mozilla-based browser, but probably in other browsers too) just a freely choosable text and the domain that is requesting authentication. An aware user might spot the different domain here, but if prepared carefully (www-ebay.com.xy), a sufficient number of users won't notice. The text might explain the "sudden" login request, for example "Server restarted. Please log in again".

I set up a simple example page at http://people.debian.org/~nomeata/xsa-sample.html that loads an image from nomeata.de. The password you enter will be readable by my own server, although everything looks as if you are on people.debian.org. Note that I did not try to feign the URL. Also note that my webserver uses /dev/null as the user file, so no matter what you enter, the login will fail, and no picture can be displayed (there is none at all).

How can we protect ourselves from that threat? First aid is to carefully read the messages the browser gives you. In the long run, the browsers should add an obvious warning when an embedded object that is stored somewhere other than the site itself requires authentication. Someone should also check whether it is possible, for example with weird Unicode tricks, to actually have the browser show an arbitrary domain in the login window. Web services can protect themselves only by disallowing non-local images, and if that is not an option, by loading these files once and serving them locally.
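As an added example of the last mitigation (this is not code from the post, and not the script the example page runs), here is a small Python filter that a forum or webmail service could apply to user-contributed HTML before serving it: every `<img src>` that does not point at one of the service's own hosts is rewritten to a same-origin placeholder, so no outside server ever gets to answer one of the page's image requests with an authentication challenge. The host names, the placeholder path and the sample post are constructed for the example; the `is_cross_site` helper is the same origin comparison a browser could use before showing a login dialogue for an embedded object.

```python
# Added example (not code from the post): a filter a forum or webmail service
# could run over user-contributed HTML so that <img> tags may only point at
# hosts the service itself controls. Any other image source is replaced by a
# same-origin placeholder, so no third-party server ever gets to answer one of
# our pages' image requests with a "401 Authentication Required".
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def is_cross_site(page_url, resource_url):
    """True if resource_url, resolved against the page, lives on another host.
    This is the check a browser could apply before showing a login dialogue
    for an embedded object. Relative URLs resolve to the page's own host."""
    page_host = urlsplit(page_url).hostname or ""
    resource_host = urlsplit(urljoin(page_url, resource_url)).hostname or ""
    return page_host.lower() != resource_host.lower()


class ImageSourceRewriter(HTMLParser):
    """Re-emits the markup unchanged except for disallowed <img src> values."""

    def __init__(self, page_url, allowed_hosts, placeholder):
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.placeholder = placeholder
        self.out = []      # output fragments
        self.blocked = []  # original src values that were rewritten

    def _src_allowed(self, src):
        host = urlsplit(urljoin(self.page_url, src)).hostname
        # "javascript:" or "data:" sources have no host and are blocked as well
        return host is not None and host.lower() in self.allowed

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name == "src" and value is not None:
                if not self._src_allowed(value):
                    self.blocked.append(value)
                    value = self.placeholder
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # HTML comments are dropped; they carry nothing a reader needs


def rewrite_image_sources(markup, page_url, allowed_hosts, placeholder="/img/blocked.png"):
    """Return (rewritten_html, list_of_blocked_src_values)."""
    parser = ImageSourceRewriter(page_url, allowed_hosts, placeholder)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample post: one local avatar, one image on an outside host
# (the look-alike domain the post above uses as its example).
SAMPLE_POST = (
    '<p>Hi all! <img src="/avatars/me.png" alt="me"> '
    'Look at this: <img src="http://www-ebay.com.xy/logo.png"> &amp; more.</p>'
)

if __name__ == "__main__":
    cleaned, blocked = rewrite_image_sources(
        SAMPLE_POST, "http://forum.example/thread/1", ["forum.example"]
    )
    print(cleaned)
    print("blocked:", blocked)
```

The allow-list is deliberately a set of host names rather than a "not the attacker" deny-list: look-alike domains like the one in the sample are exactly what a deny-list would miss. A service that wants to keep showing remote images would fetch them once server-side and serve the copy from one of the allowed hosts, as the post suggests.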

I hope that this post leads to a fruitful discussion, and not to a wave of new password phishing attacks.

Update: I just checked Opera and Mozilla, both on Debian. Mozilla's dialogue is the worst, with the domain at the end of a long line, which is probably not read by the unaware user. Opera's dialogue is so far the best: the domain comes first, in a very readable table, so to fool the user you probably have to pull a good "similar looking domain" trick. BTW: Swimming in the sea is great, and the water is surprisingly warm, at 1:30am, in Helsinki.

Update: The example page I set up now actually accepts logins and saves them to a log; the code to do that is very simple (it is a 19-line mod_perl Apache authentication module). I also use a nice icon from the Gnome project as the image.

Comments

Trackback: New Kind of Cross Site Scripting? (http://www.withouthat.org/drupal/node/28)
Joachim Breitner writes in his blog (http://www.joachim-breitner.de/blog/archives/56) about a new kind of Cross Site Scripting, which he calls Cross Auth Scripting.
Take: a web page that uses HTTP AUTH, and on the
#1 withouthat.org (Homepage) on 2005-07-14
Trackback: First Steps in Journalism (http://joachim-breitner.de/blog/archives/84-Erste-Schritte-im-Journalismus.html)
On page 102 of the latest Linux-Magazin there is an article about the Cross-Site-Authentication attack, whose theoretical possibility was first reported here in the blog. Since the response was rather small - two other blogs write about
#2 nomeata's mind shares (Homepage) on 2005-09-06
hi joachim,

I read your article in the Linux-Magazin and was really very impressed.
I just find it a pity that apparently not very many people want to deal with this problem. If it is all right with you, I would like to put an article about it on Wikipedia, so that at least some interested people get the chance to inform themselves.

If you have the time and inclination, you could send me an e-mail.

Regards, Markus
#3 Markus on 2005-09-17
There is now a Wikipedia article about it: http://de.wikipedia.org/wiki/Cross-Site_Authentication
#4 nomeata (Homepage) on 2005-10-05
Trackback: International Journalism and me (http://joachim-breitner.de/blog/archives/108-International-Journalsim-and-me.html)
Sounds good, doesn't it? And feels good, too: My article on the Cross-Site-Authentication Attack in the German Linux-Magazin (as previously blogged about) was chosen for translation and appeared in the world wide Linux Magazine, reaching audiences
#5 nomeata's mind shares (Homepage) on 2005-10-25
Trackback: Cross Site Auth (XSA) Attack (http://www.lethargy.de/?p=24)
"Cross-Site Authentication (XSA for short) is the name for a computer security vulnerability with which an attacker can spy out other people's passwords." Wikipedia

That is how Joachim Breitner last year described in his blog a method to ...
#6 lethargy.de (Homepage) on 2006-03-05
Trackback: XSA-Article available online (http://www.joachim-breitner.de/blog/archives/147-XSA-Article-available-online.html)
Just a quick follow up on my Cross-Site-Authentication Attack: My article for the German Linux Magazin which was translated for its English counterpart Linux Magazine is now available online. I'm still waiting for the German version to be opened u
#7 nomeata's mind shares (Homepage) on 2006-06-14
Hi! The link from Wikipedia has been in place for some time now. - It would just be nice if the example still worked as well (broken links and no auth) ;)
#8 Thomas on 2007-09-25
Fixed it. It got lost during the apache1 → apache2 migration.
#9 Joachim Breitner (Homepage) on 2007-09-25
And fixed again, now as a plain CGI script.
#10 Joachim Breitner (Homepage) on 2011-03-08

Have something to say? You can post a comment by sending an e-Mail to me at <mail@joachim-breitner.de>, and I will include it here.