New Hax can attack any Website !
August 13, 2010
What is Proxy Content Injection ?
Use a proxy process to intercept requests sent to any target website.
Use a tool that allows the incoming content to be dynamically replaced. For instance, a file called xxxxx.js could be replaced by a local copy of this file with some modifications.
The modified content is then used as if it were authentic, thus allowing the attacker to make specific changes to the way the system is being used.
For instance, let’s assume the target site provides access to specific materials sitting behind a username/password controlled by a client-side cookie.
The Proxy fetches the content. The attacker makes specific changes to spoof the system into believing the user is logged-in. Assuming the server is not paying attention to the details, this might work. The user then gains access to the areas of the site not otherwise accessible.
Any Site is Vulnerable !
Your Bank’s Mobile Banking site is vulnerable !
Government sites are vulnerable !
Sites that make silly assumptions about client-side cookies are vulnerable !
Client-Side cookies can be easily read and dissected for valuable information about how to spoof user access !
Whole sites can be spoofed in real-time, for instance, PayPal.Com can be spoofed as PayPal.Net or PayPals.Com where the spoofed site will look exactly like the real site except for certain changes that result in user data being compromised.
Much of the Internet is a House of Cards !
Immature and inexperienced developers are being hired left and right by Corporate America. These developers lack sufficient skill and experience to cover all the bases and they tend to make silly assumptions all the time. It is those silly assumptions that can be exploited just by gaining access to the DOM with the ability to change the content being served.
Corporate America loves to save money by hiring young inexperienced web developers who just cannot grasp the complexities of the Internet – this is where that silly SQL Injection problem came from – silly inexperienced web developers who lacked the experience to know they were producing flawed systems and all the while Upper Management in Corporate America drank the juice and hired yet more inexperienced web developers. SQL Injection was always easy to avoid ! Just stop using SQL in a manner that allows people to hack their way into your database – Duh ! For instance, use an ORM ! Object Relational Mapper… What’s that ? Exactly ! Most young and inexperienced web developers might know something about SQL but they probably know nothing about how to use an ORM. ORMs act as an insulation layer between the user and the backend database. The end user cannot affect the database in any way when the application code is not producing the SQL directly.
Corporate America loves to buy into a whole set of ridiculous assumptions and their sites are ripe targets just waiting for someone to come along and build some slick tool that can ride into their backend systems on that same road to hell that is paved by good intentions.
Corporate America is infected with a far more perverse form of malware than any hacker could ever produce. Corporate America is infected with apathy and lack of trust in their senior developers as well as a lack of desire to reward excellence. Corporate America would rather reward sloth and call it excellence than actually seek out and reward those who are truly excellent at what they do. Why hire one excellent developer when you can just as easily hire 2 or 3 inexperienced developers who can do the same job, right ? Wrong ! One excellent senior developer is worth a dozen inexperienced developers who absolutely cost more in the long run.
Get a grip, you cannot produce secure systems by taking the easy way out !
Security & Fixes
Web developers would have to perform sanity checks on the client-side cookie contents or cease using client-side cookies in favor of server-side cookies.
Sanity checks would ensure the user is really logged-in rather than blindly trusting the cookie values.
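One way to implement such a sanity check, shown as an added example that is not code from this post or from any tool it mentions: the server signs the cookie with a key only it holds and re-verifies the signature and expiry on every request, next to the naive check that trusts the cookie's contents. The function names, cookie layout and key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret held only by the server (constructed demo value).
SECRET_KEY = b"constructed-demo-key"

def naive_is_logged_in(cookie):
    """The flawed check: believes whatever the client sent."""
    return "logged_in=1" in cookie

def sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(user, ttl=900, now=None):
    """Build 'payload.signature' for a user who just authenticated."""
    now = time.time() if now is None else now
    claims = json.dumps({"user": user, "exp": int(now) + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims)
    return payload.decode() + "." + sign(payload).decode()

def verify_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None  # no signature part at all
    # Constant-time comparison; any edit to the payload changes the expected MAC.
    if not hmac.compare_digest(sign(payload.encode()), sig.encode()):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("user")
```

A cookie rewritten in transit or on the client fails the signature check, so the server falls back to treating the request as unauthenticated.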
Other security measures could be developed once the tools exist to simulate this level of attack.
Sites could be made more secure by using Flex or Flash since the content can be encrypted and secured making it much more difficult for an attacker to hack the system from the inside.
The tools are on the way to help web developers test their sites to make sure their sites are secure from this level of attack. See Vyper Logix Corp for more and to support their efforts to make these valuable tools available.