Ron Auger sent an email to the [WASC Mail list] on some fine work presented recently by Microsoft Research. The paper (and accompanying PPT), titled [Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments] is pretty cool and shows several techniques for a malicious inline proxy to sniff SSL sessions passing through the proxy. Its genuinely a bunch of cool findings and has been handled neatly (with the exception of some shocking clipart!).

The attack logic is fairly simple. User tries to browse to https://mybank.com. The browser sends a connect message to the proxy. The proxy returns an HTTP 502 proxy error message. The magic comes in here. The browser interprets the returned 502 message within the security context of https://mybank.com.

So the attack works as follows:

1. User tries to browse to https://mybank.com.
2. Browser sends connect message to evil-proxy.
3. Evil-proxy sends back a 502 message, with evil-Javascript and opens an iframe to https://mybank.com.
4. Evil-proxy lets the request go to https://mybank.com and the page loads in the users browser.
5. Evil-Javascript is now running in the same context as the banking session, so it has full access to page..

With a little more arm bending the paper even goes on to remove the neccessity of full control of an evil proxy, relying on an attacker on the local network sniffing traffic and then racing the valid proxy server..

The findings have been disclosed to the browser vendors and have already been remediated, which means we can collectively breath a sigh of relief, but clearly, it has not been a good year for SSL (and SSL implementations).

Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our Vegas talk, but im not really sure how his attack differs from our published one..

my on-list response:

-snip-
From: haroon meer 
To: bugtraq@cgisecurity.net
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF
vulnerable login pages


Hi Robert..
Thanks for the kind words on the talk.. If you check out the visio at:
http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that
its pretty much the same attack..
In a shameless display of self-pimpage, check out the paper
http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf 
from page 12.. Figure 23 for example shows the results in a
victim/zombies browser, after he has visited our page.. Effectively he
tries the userlist we send him (in this case on a standard squirrelmail
login page). Once he detects a timing diff (again using a trivial
algorithm to avoid latency disparity) he simply makes another request to
the attacker to report his success..
We do give the important pieces of the script in the paper, but i
suspect anyone with 2 minutes of time could have cobbled them together
anyway..
/mh
-snip-

ok.. so im in my room finally catching up on sleep (or will be in a few minutes) while most people are finishing Microsofts booze at the PURE microsoft party.. BlackHat is over, which means tomorrow we are off to the riviera for defcon..

Marco and i got a lot of positive feedback from our talk, including from guys like rob auger of wasc fame and andrew bortz who we quote in our paper, so it was pretty cool.. all our demos went of smoothly (where one of them was using javascript (and timing) to create a distributed brute-forcing tool, which had every opportunity to go south) so we were happy..

Most of the SensePost'ers have been making notes so they can blog on talks they attended.. this will filter through in the next few days.. I caught the Erratasec talk this morning, and have a few thoughts, but ill wait till i have time to actually comment properly..

Last night we found a patch of parking lot to have the first SensePost vs. BlackHat crew (.za vs USA?) Soccer/Football game.. We started off being kicked outa the Palace Ballroom and ended up on a patch of ground outside but it ended up being awesome.. Ultimately, Bradley, Charl, Marco, Nick and I ended up taking on Grifter, DedHed, Joe Grand, Dave, and Chris(?)  while j0hnny long was official photographer..

It was all around awesomeness and probably the most fun i personally had in vegas in a while..

We promised to upload one of the tools we demo'd during the talk, so ill do that in a few minutes..

/mh