OWASP Browser's "Refresh". Browsers store the headers and POST variables that were sent to the web server while fetching a page. When the 'Refresh' button is clicked, the request that loaded the current page is re-submitted to the server, POST body included.
Pre-requisites: the user leaves the browser window open, and the adversary gets physical access to the machine.
Step 1: Bob logs out of the application but does not close the browser. (Screen: "You have been successfully logged out.")
Step 2: Alice gains access to his machine. She clicks the browser's 'Back' button until she reaches the page immediately after login.
Step 3: Alice clicks the 'Refresh' button to reload this page.
Step 4: Alice clicks 'Retry' on the pop-up raised by the browser (the warning that the page must re-send POST data), and she is logged in as Bob.
Step 5: If Alice intercepts this request with a web proxy, she can see Bob's username and password in the re-submitted POST body.
Solutions: introduce an intermediate page; use a salted hash technique.
Under the hood (vulnerable flow). Browser -> Server: POST Login ID + Password to www.website.com/Myhome.asp. Myhome.asp authenticates the user and is displayed to the user. Intercept: the same POST Login ID + Password to www.website.com/Myhome.asp is visible. Pages: Login.asp (form) -> Myhome.asp (authenticates and renders).
Intermediate page solution. Browser -> Server: POST Login ID + Password to Authentication.asp. Authentication.asp authenticates the user, assigns a session token, sets an authentication token and redirects to Myhome.asp. Browser -> Server: GET www.website.com/Myhome.asp. Myhome.asp verifies the authentication token and serves the Myhome.asp page; if the token does not verify, the request is invalidated. Intercept: only GET Myhome.asp is visible. Pages: Login.asp (form) -> Authentication.asp -> Myhome.asp.
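The two flows above, written out as an added example in Go; this is not code from the OWASP slides and the handler names (vulnerableMyhome, authenticate, myhome), the "bob"/"s3cret" credentials and the "sid" cookie are assumptions made for the demo. The vulnerable Myhome.asp accepts the credentials itself, so the request that Back + Refresh + Retry re-sends still logs Alice in. In the intermediate-page version Authentication.asp only sets a session cookie and answers with a 303, so the browser's history entry for Myhome.asp is a GET with no credentials in it, and after logout the token it carries no longer verifies.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed demo state; "bob"/"s3cret" are made up. Plain maps keep the demo short;
// a real server needs locking, expiry and persistent storage.
var users = map[string]string{"bob": "s3cret"}
var sessions = map[string]string{} // session id -> user

// Vulnerable pattern ("Under the hood"): Myhome.asp authenticates the POSTed form and renders
// the page in one response, so the request that loaded the page carries the credentials.
func vulnerableMyhome(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || users[r.FormValue("login")] != r.FormValue("password") {
		http.Error(w, "login failed", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "Welcome %s", r.FormValue("login"))
}

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Authentication.asp (intermediate page): verify credentials, issue a session cookie and
// redirect. It renders nothing, so no history entry that carries credentials is left behind.
func authenticate(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || users[r.FormValue("login")] != r.FormValue("password") {
		http.Error(w, "login failed", http.StatusUnauthorized)
		return
	}
	sid := randomToken()
	sessions[sid] = r.FormValue("login")
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: sid, Path: "/", HttpOnly: true, Secure: true})
	http.Redirect(w, r, "/Myhome.asp", http.StatusSeeOther) // the browser follows with a GET
}

// Myhome.asp: GET only; the session token is verified and an invalid one is refused.
func myhome(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("sid")
	if r.Method != http.MethodGet || err != nil || sessions[c.Value] == "" {
		http.Error(w, "not logged in", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "Welcome %s", sessions[c.Value])
}

// do replays one browser request against a handler and returns the recorded response.
func do(h http.HandlerFunc, method, path, body, cookie string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Cookie", cookie)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec
}

// ReplayVulnerable: Bob's login POST, then Alice's Back + Refresh + Retry, which re-sends it.
func ReplayVulnerable() (first, replay int) {
	body := "login=bob&password=s3cret"
	first = do(vulnerableMyhome, "POST", "/Myhome.asp", body, "").Code
	replay = do(vulnerableMyhome, "POST", "/Myhome.asp", body, "").Code
	return
}

// ReplayHardened walks Bob through login and logout, then replays what Alice can.
func ReplayHardened() (loginCode int, location string, homeCode, refreshCode int) {
	body := "login=bob&password=s3cret"
	auth := do(authenticate, "POST", "/Authentication.asp", body, "")
	loginCode, location = auth.Code, auth.Header().Get("Location")
	sid := auth.Result().Cookies()[0].Value
	homeCode = do(myhome, "GET", "/Myhome.asp", "", "sid="+sid).Code
	delete(sessions, sid) // Logout.asp: invalidate the session server-side
	// Alice presses Back to Myhome.asp and then Refresh. That history entry is a GET with
	// no credentials in it, and the token it relied on is no longer valid.
	refreshCode = do(myhome, "GET", "/Myhome.asp", "", "sid="+sid).Code
	return
}

func main() {
	fmt.Println(ReplayVulnerable()) // 200 200
	fmt.Println(ReplayHardened())   // 303 /Myhome.asp 200 401
}
```

The redirect must be a 303 (or 302), not a 307, because 307 tells the browser to repeat the POST against Myhome.asp and would recreate the original problem. The slide's "salted hash technique" is not spelled out; one common reading is a single-use token embedded in the login form and checked by Authentication.asp, which would also reject a replay of the captured POST itself. That is an assumption and is not implemented above.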
Remembering login credentials: two ways. Through the application: a "Remember my login" option saves a special cookie. Through the built-in feature of the browser: the browser stores the username and password on the hard drive at particular locations.
Pre-requisites: the user activates a feature that remembers login credentials, and the adversary gets physical access to the machine.
The attack (application feature). Step 1: Bob logs out of the application and closes the browser too. Step 2: Alice gains access to his machine and views the cookie file on the local machine. She then either uses the login credentials stored in it to log into the application, or overwrites her own authentication token with Bob's token in the cookie file on her own system.
The attack (browser feature). Bob has set his IE/Firefox browser to save passwords.
Firefox user: Bob had set Firefox to save passwords through 'Remember passwords'.
While logging in to the application, the browser prompted with a dialog asking whether to save the password, and Bob chose "Yes".
Step 1: Alice gains access to his machine and retrieves the password from the stored location (Alice clicks FireFox-). Alice can view Bob's password in clear text!
IE stores them encrypted... Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW. Alice can still retrieve Bob's password, since the encryption is tied to the Windows user account whose session she is already using.