MalaRIA - I'm in your browser, surfin your webs
Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by an attacker. The attacker can set up a rogue RIA app - a malaRIA - on a site, and if he can trick the user into visiting that site, the malicious RIA can perform actions on behalf of the user (CSRF). Because the RIA runs in the user's browser, its requests reuse the user's authentication cookies. Because the RIA can both send requests and read the responses, normal CSRF protection does not work (nonces/tokens can simply be read out of the page).
Such a RIA can at the same time transfer data back and forth to the server it came from through a socket. This allows the attacker to send commands to the RIA, which then performs the requested actions.
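The defensive counterpart to the problem described above is to audit the policy files themselves. The following Python script is an added example, not code from the original post or from the MalaRIA project: it parses a crossdomain.xml (Flash/Flex) or clientaccesspolicy.xml (Silverlight) document and flags the entries that let an arbitrary origin make authenticated requests and read the responses. The sample policy documents are constructed for this example; the finding codes are this script's own naming.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files for this example (not taken from any real site).
CROSSDOMAIN_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

CROSSDOMAIN_RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
"""

CLIENTACCESS_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_crossdomain(xml_text):
    """Flag permissive entries in a Flash/Flex crossdomain.xml document.

    Returns a list of (code, detail) tuples; an empty list means no entry
    lets an arbitrary origin read responses carrying the user's cookies.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "cross-domain-policy":
        return [("not-crossdomain", root.tag)]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("open-domain", "any origin may read responses"))
        elif domain.startswith("*."):
            # every subdomain is trusted, including any an attacker can register or take over
            findings.append(("wildcard-subdomain", domain))
        if rule.get("secure", "true").lower() == "false":
            # policy served over HTTPS is also honoured for plain-HTTP origins
            findings.append(("insecure-origin", domain))
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append(("open-headers", rule.get("headers", "")))
    return findings


def audit_clientaccesspolicy(xml_text):
    """Flag permissive entries in a Silverlight clientaccesspolicy.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "access-policy":
        return [("not-clientaccesspolicy", root.tag)]
    for policy in root.iter("policy"):
        for allow in policy.findall("allow-from"):
            for dom in allow.findall("domain"):
                uri = dom.get("uri", "")
                # "*", "http://*" and "https://*" all mean "every origin"
                if uri.rstrip("/") in ("*", "http://*", "https://*"):
                    findings.append(("open-domain", uri))
                elif "*." in uri:
                    findings.append(("wildcard-subdomain", uri))
            if allow.get("http-request-headers") == "*":
                findings.append(("open-headers", "*"))
        for res in policy.iter("resource"):
            # path="/" with include-subpaths exposes the whole site, not a single endpoint
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                findings.append(("whole-site-grant", "/"))
    return findings


def audit_policy(xml_text):
    """Dispatch on the root element so one call handles either file type."""
    root_tag = ET.fromstring(xml_text).tag
    if root_tag == "cross-domain-policy":
        return audit_crossdomain(xml_text)
    if root_tag == "access-policy":
        return audit_clientaccesspolicy(xml_text)
    return [("unknown-policy", root_tag)]


if __name__ == "__main__":
    for name, doc in [("crossdomain (open)", CROSSDOMAIN_OPEN),
                      ("crossdomain (restricted)", CROSSDOMAIN_RESTRICTED),
                      ("clientaccesspolicy (open)", CLIENTACCESS_OPEN)]:
        print(name, "->", audit_policy(doc) or "no findings")
```

In practice you would fetch /crossdomain.xml and /clientaccesspolicy.xml from each host you own and feed the bodies to audit_policy(). Anything reported as open-domain is exactly the configuration the attack above relies on; the fix is to list only the specific origins that genuinely need cross-domain access (and to scope the Silverlight grant-to resources to the paths that need it), or to remove the files entirely if no RIA needs them.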
The MalaRIA proxy
The MalaRIA proxy consists of a Silverlight or Flex RIA application running in the browser and a Java backend. The attack works like this:
The victim logs in on site A
The victim accesses evil site B and loads the RIA app
The RIA app connects back to the Java backend
The attacker configures his own browser to use the Java backend as its proxy
A request to the proxy is sent to the RIA app, which fetches the resource on behalf of the victim and passes it back to the attacker
So the Java application listens on port 8080 and acts as a proxy. It passes any request to the MalaRIA app in the victim's browser. The MalaRIA app fetches the resource and passes it back to the attacker through the proxy. The attacker can thus browse the site through the user's browser, with the user's session.
Video demonstration and Source code : http://erlend.oftedal.no