Browser Sessions Trick Can Hack Encrypted Webservers

BlackHat¹ videos are up now…

Specifically the HEIST video² – HTTP Encrypted Information can be Stolen through TCP-windows

By Belgian researchers Tom Van Goethem & Mathy Vanhoef


The technical video shows how a browser session can attack a server that attempts to prevent an attack by using a token. Part of the encryption defense (the CSRF token) is eventually guessed, and this is then used to attack the server and take control of it.

A warning: this explanation is not for the faint of heart, and there may not be a definitive defense due to the nature of the technology.

 

When a client attempts to access a server, the response to the client browser's request for data depends on the applications running.

The key is for the request to yield a small response, i.e. one that is small enough.

The attack takes advantage of how HTTPS works over HTTP version 1.1 as well as HTTP/2³ (by using the parallel resource fetching that HTTP/2 allows).

The actual paper⁴ (in PDF format) is available from the researchers.

Once the connection is established (client – server), the information is encrypted (in HTTPS).

The trick to guessing the token starts with how the response is delivered: an initial 10 packets are sent without acknowledgement; once the acknowledgement arrives, more packets are sent and acknowledged, up to 29 packets.

(To illustrate, the researchers set up the client as “snuffles” and the server as “bugs bunny”.)

[Image: heist-respond-encrypt10packets]

So a small resource will eventually be fetched, as parallel resource requests are issued by a special program written to attack the server. Once the side-channel contact with the server is made, guesses are made at all of the characters of the CSRF token; after the CSRF token is completely guessed, the server is ready to be attacked and taken over using compression or BREACH attacks.

The following image is, I believe, the crux of the attack ‘guess’.

[Image: csrf-tokenattack]

The next image discusses the details of how the guess is performed by using cross-site requests and guessing the content of the CSRF token. If you really want to learn the details of this attack, I recommend watching the video and reading the paper, but this is not for a standard script kiddie. Only a good programmer will be able to figure out how to code an attack that can take over most servers that use encryption CSRF tokens.

[Image: heist-fetchingsmallreseource]

An explanation of CSRF (Cross-Site Request Forgery)⁵: tokens are there to prevent attacks such as these, but if a wily programmer is able to guess the token, an additional attack will make all your defenses moot.

Now what? Attackers and defenders are going to have to re-evaluate their webserver encryption setups.
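As an added example (not from the talk, the paper or the researchers' code), the Python below shows why a compressed page that echoes request data next to a CSRF token changes size when the echoed text equals the token, and how token masking, a mitigation this post does not cover, removes that signal. The token values, page markup and function names are all constructed for illustration.

```python
import hmac
import secrets
import zlib

# Constructed sample values; not taken from the talk or the paper.
SECRET_TOKEN = "9f2c7a41d05e8b36c1a94f7de2058b63"
WRONG_GUESS = "b7e1403a8d6f25c90e3b71d4a86f02c5"


def mask_token(token: str) -> str:
    """Fresh one-time encoding of the token: hex(pad || pad XOR token)."""
    raw = token.encode()
    pad = secrets.token_bytes(len(raw))
    return (pad + bytes(p ^ t for p, t in zip(pad, raw))).hex()


def unmask_token(wire: str) -> bytes:
    """Recover the real token bytes from the value the client sends back."""
    blob = bytes.fromhex(wire)
    half = len(blob) // 2
    return bytes(p ^ m for p, m in zip(blob[:half], blob[half:]))


def token_is_valid(wire: str, expected: str = SECRET_TOKEN) -> bool:
    """Server-side check: unmask, then compare in constant time."""
    try:
        return hmac.compare_digest(unmask_token(wire), expected.encode())
    except ValueError:  # value was not valid hex
        return False


def compressed_size(reflected: str, token_on_wire: str) -> int:
    """Size of a compressed page that echoes request data beside the token."""
    body = (
        f'<p>No results for "{reflected}"</p>'
        f'<input type="hidden" name="csrf" value="{token_on_wire}">'
    )
    return len(zlib.compress(body.encode(), 9))


def size_gap(masked: bool) -> int:
    """Bytes saved when the echoed text equals the real token (near 0: no signal)."""
    wire = mask_token(SECRET_TOKEN) if masked else SECRET_TOKEN
    return compressed_size(WRONG_GUESS, wire) - compressed_size(SECRET_TOKEN, wire)


if __name__ == "__main__":
    print("size gap with raw token in page   :", size_gap(masked=False))
    print("size gap with masked token in page:", size_gap(masked=True))
```

With the raw token in the page the gap is clearly positive; with a masked token the bytes on the wire differ in every response, so the gap shrinks to compression noise while the server can still validate the submitted value.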

Contact me for another opinion

 

  1. https://www.youtube.com/channel/UCJ6q9Ie29ajGqKApbLqfBOg
  2. https://www.youtube.com/watch?v=GwQsu8dGSeA
  3. https://kinsta.com/learn/what-is-http2/#what_is_http2
  4. https://tom.vg/papers/heist_blackhat2016.pdf
  5. http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work
