Web 2.0 Pivot Attacks
Posted on 6 February 2010 by c0decstuff
Any penetration tester would agree that pivot attacks, designed to compromise a secondary host in order to attack primary targets more effectively, are incredibly powerful. Organizations tend to have difficulty protecting all hosts at all times, which is why proper network segmentation is vital should control of any one node be lost. Often it is easier to compromise a host from behind than head-on. Case in point: a hacker used a pivot attack to break into Heartland Payment Systems and pilfer 130 million credit card numbers. A SQL injection exploit was used to get a foothold on a host outside the payment network, leading to the eventual data compromise. Recently I had the thought that pivot attacks exist in a Web 2.0 world as well; they are just not typically viewed that way.
Many websites automatically load content from remote resources (JavaScript, Flash, more HTML, images, etc.) hosted by third-party providers. These resources normally embed advertisements (DoubleClick), traffic counters (StatCounter), user trackers (whos.amung.us), games (Pogo), videos (YouTube), and thousands of other forms of dynamic content. They are often generically called “Web page widgets,” things a site owner might want to include in their pages for visitors. There are thousands, maybe tens of thousands, of these providers. Looking at some top mainstream media websites (TechCrunch, the NY Times, the Wall Street Journal, CNN, USA Today, and the Washington Post) reveals a list of third-party widget hostnames on every one of them.
In a Web security context, these websites essentially grant arbitrary executable code, supplied by the third party, complete access to the browser DOM and the user’s session information (the exception being IMG SRC loads, which do not execute code). That means the third party can hijack accounts by stealing authentication cookies; change the news or ask for passwords by altering what the user sees on the screen; redirect users to malware-laden websites; force browsers to attack other systems; and more. By including Web widgets from an uncontrolled source on your pages, you must include the third party’s entire infrastructure in your implicit trust model. These dangers have previously been discussed by Tom Stripling, where the third-party service provider itself was assumed to be the potential nefarious source. I think the concern lies a bit deeper, which is where a malicious Web 2.0 pivot attack comes in.
If a bad guy, whether an APT or a less-skilled adversary, wants to surreptitiously compromise a (relatively) hardened Web presence (or its users), they don’t necessarily need to go after the target directly; they could instead go after the aforementioned third-party providers. How many of these third parties take security as seriously as their customers do? I assume few, but we really don’t know for certain. Please comment below if you have experiences here to share. How many organizations really check up on the third party’s security posture, or even know enough to take this risk into consideration? Again, some do, but very few in my personal experience. The organization might dismiss the concern by saying something like:
"If X gets hacked we'll have bigger problems on our hands."
It is important to add that during a Web 2.0 pivot attack no traffic is seen directly by the primary target, which makes it essentially impossible for them to detect or thwart the attack before a compromise. After the third-party compromise, it may be nearly as hard to detect a change to the Web widget code unless you can somehow monitor the content for unexpected changes. This of course assumes the primary target knows how, when, or whether the third party changes the code (rare). Not to mention that the inclusion of Web page widgets is almost always beyond the visibility of a security team, because the process is largely managed through marketing and product management (not so much application development) and can easily happen at any time with zero notice.
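As an added example (not part of the original post), here is a small change monitor for the widget code the paragraph above says a site would need to watch: it keeps a SHA-256 baseline per third-party script URL and reports any changed body or newly seen URL. The hostnames come from the article's lists; the script paths, the injected fetch function and the sample bodies are constructed for the demo.

```python
"""Change monitor for third-party widget scripts (added example).
Keeps a SHA-256 baseline per widget URL and reports any change in the
served body: the only signal an including site can get, since the traffic
of a Web 2.0 pivot never touches the primary target. Fetching is injected
so the example runs offline on constructed data."""
import hashlib
from typing import Callable, Dict, List

# Hostnames appear in the article; the script paths are hypothetical.
WIDGET_URLS = [
    "https://ad.doubleclick.net/widget.js",
    "https://www.google-analytics.com/ga.js",
]

def fingerprint(body: bytes) -> str:
    """SHA-256 of the exact bytes served; any edit to the script changes it."""
    return hashlib.sha256(body).hexdigest()

def check_widgets(fetch: Callable[[str], bytes], baseline: Dict[str, str]) -> List[dict]:
    """One finding per URL whose body differs from the recorded baseline.
    A URL without a baseline is recorded and reported as 'new', so a widget
    added by marketing with zero notice still surfaces to the security team."""
    findings = []
    for url in WIDGET_URLS:
        observed = fingerprint(fetch(url))
        expected = baseline.get(url)
        if expected is None:
            baseline[url] = observed
            findings.append({"url": url, "status": "new", "sha256": observed})
        elif observed != expected:
            findings.append({"url": url, "status": "changed",
                             "expected": expected, "observed": observed})
    return findings

# Constructed sample bodies standing in for the live widget responses.
SNAPSHOT_DAY1 = {
    "https://ad.doubleclick.net/widget.js": b"(function(){document.write('<div>ad</div>');})();",
    "https://www.google-analytics.com/ga.js": b"var _gaq=_gaq||[];",
}
SNAPSHOT_DAY2 = dict(SNAPSHOT_DAY1)
# Constructed: one provider's script changed without any notice to the site.
SNAPSHOT_DAY2["https://www.google-analytics.com/ga.js"] += b"\n/* unreviewed update */"

def demo() -> List[dict]:
    """Day 1 records the baseline; the day 2 run should flag exactly one change."""
    baseline: Dict[str, str] = {}
    check_widgets(lambda u: SNAPSHOT_DAY1[u], baseline)
    return check_widgets(lambda u: SNAPSHOT_DAY2[u], baseline)
```

In practice the baseline would be persisted and the fetch done from a scheduled job; a 'changed' finding is a prompt to diff and review the script, not proof of compromise, since providers also ship legitimate updates.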
Pen-testers, to my knowledge, can’t or don’t use this type of pivot attack because the third party is usually another organization, unwilling to grant security-testing authority, and therefore out of the scope of the engagement. Also important: in a network pivot attack you may still be limited in what you can do on a host due to network segregation, ACLs, etc., but in JavaScript space you are basically God.
Source: Jeremiah Grossman’s blog