Manipulating Opaque Client-based Data Tokens |
| Attack Pattern ID: 39 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Medium | Status: Draft |
DescriptionSummary
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
Attack Execution Flow
Enumerate information passed to client side:
The attacker identifies the parameters used as part of tokens to take business or security decisions
Attack Step Techniques
ID Attack Step Technique Description Environments -1 Use WebScarab to reveal hidden fields while browsing.
env-Web1 Use a sniffer to capture packets
env-ClientServer env-Peer2Peer env-CommProtocol2 View source of web page to find hidden fields
env-Web3 Examine URL to see if any opaque tokens are in it
env-Web4 Disassemble or decompile client-side application
env-ClientServer env-Peer2Peer5 Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.
env-ClientServer env-Peer2PeerIndicators
ID type Indicator Description Environments 1 Positive Opaque hidden form fields in a web page
env-Web2 Positive Opaque session tokens/tickets
env-Web env-Peer2Peer env-ClientServer env-CommProtocol3 Positive Opaque protocol fields
env-ClientServer env-Peer2Peer env-CommProtocol4 Positive Opaque Resource Locator
env-Web env-Peer2Peer env-ClientServer env-CommProtocolOutcomes
ID type Outcome Description 1 Success At least one opaque client-side token found2 Failure No opaque client-side tokens foundDetermine protection mechanism for opaque token:
The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may may be obfuscated or a full blown encryption may be used.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Look for signs of well-known character encodings
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Look for cryptographic signatures
env-Web env-ClientServer env-Peer2Peer env-CommProtocol3 Look for delimiters or other indicators of structure
env-Web env-ClientServer env-Peer2Peer env-CommProtocolIndicators
ID type Indicator Description Environments 1 Positive Standard signatures of well-known encodings detected
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Positive Token or structural block's length being multiple of well-known block size of a cryptographic algorithm
env-Web env-ClientServer env-Peer2Peer env-CommProtocol3 Positive Clear structural boundaries or delimiters
env-Web env-ClientServer env-Peer2Peer env-CommProtocol4 Negative Failure outcome in previous step
env-Web env-ClientServer env-Peer2Peer env-CommProtocolOutcomes
ID type Outcome Description 1 Success Protection/encoding scheme identified2 Failure No information about protection/encoding scheme could not be determined
Modify parameter/token values:
Trying each parameter in turn, the attacker modifies the values
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Modify tokens logically
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Modify tokens arithmetically
env-Web env-ClientServer env-Peer2Peer env-CommProtocol3 Modify tokens bitwise
env-Web env-ClientServer env-Peer2Peer env-CommProtocol4 Modify structural components of tokens
env-Web env-ClientServer env-Peer2Peer env-CommProtocol5 Modify order of parameters/tokens
env-Web env-ClientServer env-Peer2Peer env-CommProtocolIndicators
ID type Indicator Description Environments 1 Positive Success outcome in first step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Negative Failure outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocolCycle through values for each parameter.:
Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Use network-level packet injection tools such as netcat
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
env-Web3 Use modified client (modified by reverse engineering)
env-ClientServer env-Peer2Peer env-CommProtocol4 Use debugging tools to modify data in client
env-ClientServer env-Peer2PeerIndicators
ID type Indicator Description Environments 1 Positive Success outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Negative Failure outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocolOutcomes
ID type Outcome Description 1 Success Subversion of security controls on server2 Failure Client token reset by server3 Inconclusive Detailed error message describing problem with token, received from serverSecurity Controls
ID type Security Control Description 1 Detective Unexpected/invalid token/parameter value in application logs on server2 Corrective Reset session upon receipt of unexpected/invalid token/parameter value
Attack PrerequisitesAn attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.
For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere.
Typical Likelihood of ExploitLikelihood: Very High
Methods of Attack- Modification of Resources
Examples-InstancesDescription
With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, he/she proceeds.
Description
Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. "u" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes "u" for "a" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct "flip" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.
Description
Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1.
Related Vulnerabilities
CVE-2006-0944
Attacker Skills or Knowledge RequiredSkill or Knowledge Level: Medium
If the client site token is obfuscated.
Skill or Knowledge Level: High
If the client site token is encrypted.
Resources RequiredThe Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data.
Probing TechniquesTamper with the client side data token and observe the effects it has on interaction with the system.
This attack is in and of itself a trial-and-error-based probing technique.
Solutions and MitigationsOne solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic "message authentication code" (or hMAC) is prescribed. However, this guidance is not a panecea. In particular, any value created by (and therefore encrypted by) the client, which itself is a "malicous" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value--then simply protecting its integrity doesn't help.
Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)
Make sure that all session tokens use a good source of randomness
Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.
Attack Motivation-Consequences- Data Modification
- Privilege Escalation
Related Weaknesses| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 353 | Failure to Add Integrity Check Value | Targeted |
| 285 | Improper Access Control (Authorization) | Secondary |
| 302 | Authentication Bypass by Assumed-Immutable Data | Targeted |
| 472 | External Control of Assumed-Immutable Web Parameter | Targeted |
| 565 | Reliance on Cookies without Validation and Integrity Checking | Targeted |
| 315 | Plaintext Storage in a Cookie | Targeted |
| 539 | Information Leak Through Persistent Cookies | Targeted |
| 384 | Session Fixation | Secondary |
| 233 | Parameter Problems | Secondary |
Related Attack Patterns| Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
|---|---|---|---|---|---|
| ChildOf |  Attack Pattern | 22 | Exploiting Trust in Client (aka Make the Client Invisible) | Mechanism of Attack1000 | |
| ChildOf |  Category | 223 | Probabilistic Techniques | Mechanism of Attack (primary)1000 | |
| ParentOf | Attack Pattern | 31 | Accessing/Intercepting/Modifying HTTP Cookies | Mechanism of Attack1000 |
Relevant Security RequirementsSensitive information stored client side must be integrity checked upon return before use
Related Security PrinciplesReluctance to Trust
Never Assuming that your Secrets are Safe
Least Privilege
Complete Mediation
Related GuidelinesNever Use Unvalidated Input as Part of a Directive to any Internal Component
Purposes- Penetration
- Exploitation
CIA Impact Technical Context| Architectural Paradigms | All |
|---|---|
| Frameworks | All |
| Platforms | All |
| Languages | All |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submitter | Organization | Date | Comments | |
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content | |
| Modifications | |||||
|---|---|---|---|---|---|
| Modifier | Organization | Date | Comments | ||
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content | ||
| Eugene Lebanidze | Cigital, Inc | 2007-02-27 | Added new examples and other content | ||
| Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Solutions and Related Attack Patterns | ||
| Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | ||
| Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow | ||
