Finding Gold in Your Cache
Exploring Browser Caching
By Corey Benninger, CISSP
Show Me the Money
» Credit card data from Firefox AutoComplete cache
This is a Client Side Attack…
» These caching issues relate to an attacker directly targeting an end user’s computer
» Most of these attacks do not require Administrator/Root level access
» Both Firefox and Internet Explorer averaged more than one new vulnerability per month in 2005*
* Data from Secunia Vulnerability Reports for Microsoft Internet Explorer 6.x and Mozilla Firefox 1.x
This is Instant Gratification…
» No need to wait for a key logger to capture data
» No need to trick a user into visiting a “trusted” website
» End user does not even need to be online or using the system
Old Skool Cache
» All your Favorite Bookmarks
– Bookmarks to any “hard to remember” URLs (like your hidden Admin site)
» The Browser History remembers every site you visit
– The URL of your Bank, Web Mail service, MySpace pages…
» Parameters in the URL can be cached
– Usernames, Session IDs, Account numbers
– Confidential information should be sent using POST, not GET, requests
Down and Dirty in the File System
» The browser can save numerous files (HTML, JPG, JS, SWF…) to the standard browser cache directory.
» Non-Session cookies can also be saved to disk.
Will Grep for Gold
» Grep for useful common input names
» grep "ccnum\|ssn\|creditcard\|cc_num\|cvv" *
No Cache For You!
» Sites should set proper cache control settings:
– HTTP 1.1
• Cache-Control: no-store, no-cache, private
– HTTP 1.0
• Pragma: no-cache
• Expires: -1 (or a past date)
» Do not redisplay full credit card, social security, or account numbers.
All Your RAM are Belong to Us….
» A Normal Credential check
http://mybank/Login.html http://mybank/myAccount.html
Whisper Sweet HTTP in My Ear.
Rollin’ with HTTP
» A Normal Credential check
username=bob&password=p@ssw0rd!
Haven’t I Seen You Here Before?
» A Normal Credential check
http://mybank/Login.html http://mybank/myAccount.html
username=bob&password=p@ssw0rd!
The Vulcan Mind Meld
» Search the Memory for your favorite parameter names or URLs: username, password, ccnum, ssn, login, etc…
You AutoComplete Me…
Password AutoComplete is so 1999
Rules of Form AutoComplete (… you do not talk about autocomplete)
» Form Autocomplete can only save data for input types of “text”
» Data is saved based on the “name” of the field and not limited to the URL it was entered on
» User input is required to retrieve Autocomplete data
<input type="text" name="email" value="">
You AutoComplete Me Too…
Where Did it Go?
» Internet Explorer: In the Registry
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
» Firefox: In a File
C:\Documents and Settings\{username}\Application Data\Mozilla\Firefox\Profiles\default.{random}\formhistory.dat
Hungry Like the FireFox
» C:\Documents and Settings\{username}\Application Data\Mozilla\Firefox\Profiles\default.{random}\formhistory.dat
dumpAutoComplete
» Convert any FireFox “formhistory” file to XML, then parse for gold.
You May Have Data in Your AutoComplete Cache If …
» Your Credit Card Number was entered on:
– Online Stores
– Airline Reservation Sites
– Hotel Reservation Sites
» Your Social Security Number was entered on:
– Identity Theft Complaint Forms (hosted on government sites)
– Online Resume Submissions (to a government agency)
– Housing Applications with Universities
Chocolate and Peanut Butter Demo
» (Putting it all together.)
I’ve Fallen and I Can’t Get Up!
Simple countermeasures can prevent this data from being cached regardless of browser settings
» Disabling AutoComplete
– Add autocomplete=“off” to form objects or input fields when sending confidential information
» Redirect Login Forms
– Issue a “301 Moved Permanently”, “302 Temporarily Moved”, or “303 See Other” redirect response to pages posting confidential information
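
The redirect countermeasure, sketched as a minimal WSGI application (an added example, not code from the original presentation). The `/Login` path, the `check_credentials` stand-in and the `call` helper are hypothetical, and session handling is left out.

```python
import io
from urllib.parse import parse_qs

# Headers from the "No Cache For You!" slide, sent on every response.
NO_CACHE = [("Cache-Control", "no-store, no-cache, private"),
            ("Pragma", "no-cache"), ("Expires", "-1")]


def check_credentials(username, password):
    # Hypothetical stand-in for a real credential check (constructed values).
    return username == "bob" and password == "p@ssw0rd!"


def app(environ, start_response):
    """The login POST never renders a page itself; it only redirects."""
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    if method == "POST" and path == "/Login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        ok = check_credentials(form.get("username", [""])[0],
                               form.get("password", [""])[0])
        # 303 See Other: the browser fetches the target with a separate GET,
        # so the page shown is not the direct response to the credential POST.
        target = "/myAccount.html" if ok else "/Login.html"
        start_response("303 See Other", [("Location", target)] + NO_CACHE)
        return [b""]
    if method == "GET" and path in ("/Login.html", "/myAccount.html"):
        start_response("200 OK", [("Content-Type", "text/html")] + NO_CACHE)
        return [b"<html>...</html>"]
    start_response("404 Not Found", NO_CACHE)
    return [b""]


def call(method, path, body=b""):
    """Drive the app without a socket; returns (status, headers dict)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    app(environ, start_response)
    return seen["status"], seen["headers"]
```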
These are Not the Droids You’re Looking For
» How sites can turn off AutoComplete
<form action="login" method="POST" AUTOCOMPLETE="off">
  <input type="text" name="username">Name
  <input type="password" name="Password">Password
  <input type="Submit" name="Login">
</form>

<form action="SignUpForm" method="POST">
  <input type="text" name="username"> Name
  <input type="text" name="address"> Address
  <input type="text" name="ccnum" AUTOCOMPLETE="off"> Card Num
  <input type="Submit" name="Submit">
</form>
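
To find fields that still lack this attribute, a site's own HTML can be audited. The following is an added example, not part of the original presentation; it reuses the field names from the grep slide, and the class name, function name and `SAMPLE` markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Field-name pattern taken from the grep on the "Will Grep for Gold" slide.
SENSITIVE = re.compile(r"ccnum|ssn|creditcard|cc_num|cvv", re.I)


class AutoCompleteAudit(HTMLParser):
    """Collect sensitive text inputs that the browser may remember."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.flagged = []

    @staticmethod
    def _is_off(attrs):
        return (attrs.get("autocomplete") or "").lower() == "off"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag == "form":
            self.form_off = self._is_off(attrs)
        elif tag == "input":
            kind = (attrs.get("type") or "text").lower()  # type defaults to text
            name = attrs.get("name") or ""
            protected = self.form_off or self._is_off(attrs)
            # Form AutoComplete only saves inputs of type "text".
            if kind == "text" and SENSITIVE.search(name) and not protected:
                self.flagged.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def unprotected_fields(html):
    audit = AutoCompleteAudit()
    audit.feed(html)
    return audit.flagged


# Constructed sample: the sign-up form from the slide plus an unprotected field.
SAMPLE = """
<form action="SignUpForm" method="POST">
  <input type="text" name="username"> Name
  <input type="text" name="ccnum" AUTOCOMPLETE="off"> Card Num
  <input name="cvv"> CVV
  <input type="Submit" name="Submit">
</form>
"""

if __name__ == "__main__":
    print(unprotected_fields(SAMPLE))
```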
Whisper More Sweet HTTP in My Ear.
Finding Gold in Your Cache
Corey Benninger – [email protected]
dumpAutoComplete - http://www.foundstone.com/resources/freetools.htm