- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 22 Jul 2014 07:53:53 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Roberto Peon <grmocg@gmail.com>, Adrien de Croy <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jul 22, 2014 at 05:40:46AM +0000, Poul-Henning Kamp wrote:
> In message <CAP+FsNcaxeEhEpQCAteQUZGn03OXTv=MR8xz9nLZVDSU9nf8iA@mail.gmail.com>
> , Roberto Peon writes:
>
> >If the path contains:
> >/foo/RANDOM_NUMBER/bar
> >
> >and the query contains:
> >q=foo&user=SOME_SECRET_ID
> >
> >Then guessing:
> >/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
> >
> >is far, far FAR more difficult than guessing:
> > q=foo&user=SOME_SECRET_ID
> >alone or
> > /foo/RANDOM_NUMBER/bar
> >alone.
>
> Only if you have an oracle to tell you that you got a hit.
>
> Could you outline exactly how this attack would work ?

You can for example share the same proxy as the victim, send requests with your guesses there and observe the size of data on the encrypted communication with the server to determine whether the proxy detected the same path+query as the previous request and managed to reference an indexed entry or had to send a literal.

Sometimes you can also control a page the victim displays, and reference objects belonging to the site you want to steal the credentials for. Using frames you can have the victim think he/she's on the correct site and enter credentials (which are only sent to the real site), and in another frame or using image links you can try to guess the contents again by forging requests and observing the size on the link.

Regards,
Willy
Received on Tuesday, 22 July 2014 05:57:41 UTC
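The shared-proxy size oracle Willy describes, and Roberto's point about combining path and query into one field, can both be seen in a small model. The code below is an added example, not code from the thread or from any HTTP/2 implementation. It is a toy compressor whose dynamic table holds whole (name, value) pairs, so a field is either referenced by index or sent as a literal; the byte costs, the `:query` field name of the hypothetical split layout, the random path segment and the secret id are all constructed for illustration and are not real HPACK encoding sizes. The attacker shares the proxy with the victim, sends guesses, and compares the size of each encoded request with what the same guess would cost as pure literals: a smaller size means the proxy found the victim's field in the table. With path and query in separate fields the query can be confirmed on its own; with them combined, a guess with the wrong path never hits, so both have to be right at once.

```python
"""Toy size oracle against a header compressor that indexes whole (name, value)
pairs.  Added example, not code from the thread.  Sizes, the ':query' name and
the sample secret are constructed for illustration; this is not a real HPACK codec."""

from __future__ import annotations


class ToyCompressor:
    """Very small HPACK-like encoder.  The dynamic table holds whole fields;
    a field found there costs 1 byte (indexed), anything else costs a literal
    (2 framing bytes + name + value, an assumed cost) and is then added."""

    def __init__(self, table: list[tuple[str, str]] | None = None) -> None:
        # Copy, so each probe runs against the same starting table.
        self.table: list[tuple[str, str]] = list(table or [])

    def encode(self, headers: list[tuple[str, str]]) -> int:
        """Return the encoded size in bytes and update the dynamic table."""
        size = 0
        for field in headers:
            if field in self.table:
                size += 1
            else:
                name, value = field
                size += 2 + len(name) + len(value)
                self.table.append(field)
        return size


# Two ways a proxy might lay out the request target (the thread's question).
def combined_layout(path: str, query: str) -> list[tuple[str, str]]:
    """Path and query travel in one field, so only an exact path+query match hits."""
    return [(":path", f"{path}?{query}")]


def split_layout(path: str, query: str) -> list[tuple[str, str]]:
    """Hypothetical layout with the query in its own field (the name is assumed)."""
    return [(":path", path), (":query", query)]


def is_hit(layout, shared_table: list[tuple[str, str]], path: str, query: str) -> bool:
    """The attacker shares the proxy with the victim and sees the size of its own
    request on the encrypted link to the server.  It knows what its guess would
    cost as pure literals (it knows the guess and the encoding rules), so a
    smaller observed size means the proxy referenced an indexed entry."""
    literal_cost = ToyCompressor().encode(layout(path, query))
    observed = ToyCompressor(shared_table).encode(layout(path, query))
    return observed < literal_cost


def query_hits(layout, victim_path: str, victim_query: str,
               attacker_path: str, query_guesses: list[str]) -> list[str]:
    """Prime the shared table with the victim's request, then probe each guess
    for the query using the attacker's (possibly wrong) path."""
    proxy = ToyCompressor()
    proxy.encode(layout(victim_path, victim_query))
    return [q for q in query_guesses if is_hit(layout, proxy.table, attacker_path, q)]


# Constructed sample: the random path segment and the secret id are made up.
VICTIM_PATH = "/foo/7319/bar"
VICTIM_QUERY = "q=foo&user=8xk2"
GUESSES = ["q=foo&user=1234", "q=foo&user=8xk2", "q=foo&user=abcd"]

if __name__ == "__main__":
    wrong_path = "/foo/0000/bar"
    print("split, wrong path:   ", query_hits(split_layout, VICTIM_PATH, VICTIM_QUERY, wrong_path, GUESSES))
    print("combined, wrong path:", query_hits(combined_layout, VICTIM_PATH, VICTIM_QUERY, wrong_path, GUESSES))
    print("combined, right path:", query_hits(combined_layout, VICTIM_PATH, VICTIM_QUERY, VICTIM_PATH, GUESSES))
```

Running it shows the split layout leaking the secret with a wrong path, the combined layout leaking nothing until the path is also right, and the combined layout leaking once it is. The model deliberately ignores Huffman coding, static-table entries and table eviction; what it keeps is the one property the thread turns on, namely that the size of a request passing through a shared compressor reveals whether a whole field was already in the table.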