TY  - CHAP
A1  - Dresen, Christian
A1  - Ising, Fabian
A1  - Poddebniak, Damian
A1  - Kappert, Tobias
A1  - Holz, Thorsten
A1  - Schinzel, Sebastian
ED  - Zhou, Jianying
T1  - CORSICA: Cross-Origin Web Service Identification
T2  - The 15th ACM ASIA Conference on Computer and Communications Security
N2  - Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents access to HTTP responses of other origins by default. We perform a structured analysis of loopholes in the SOP that can be used to identify web applications across network boundaries. For this, we analyze HTML5, CSS, and JavaScript features of standard-compliant web browsers that may leak sensitive information about cross-origin content. The results reveal several novel techniques, including leaking JavaScript function names or styles of cross-origin requests that are available in all common browsers. We implement and test these techniques in a tool called CORSICA. It can successfully identify 31 of 42 (74%) of web services running on different IoT devices as well as the version numbers of the four most widely used content management systems WordPress, Drupal, Joomla, and TYPO3. CORSICA can also determine the patch level on average down to three versions (WordPress), six versions (Drupal), two versions (Joomla), and four versions (TYPO3) with only ten requests on average. Furthermore, CORSICA is able to identify 48 WordPress plugins containing 65 vulnerabilities. Finally, we analyze mitigation strategies and show that the proposed but not yet implemented strategies Cross-Origin Resource Policy (CORP)} and Sec-Metadata would prevent our identification techniques.
Y1  - 2020
UR  - https://asiaccs2020.cs.nthu.edu.tw/program/
ER  - 
TY  - CHAP
A1  - Müller, Jens
A1  - Brinkmann, Marcus
A1  - Poddebniak, Damian
A1  - Schinzel, Sebastian
A1  - Schwenk, Jörg
T1  - Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption
T2  - 2020 IEEE Conference on Communications and Network Security (CNS)
N2  - OpenPGP and S/MIME are the two major standards for email end-to-end encryption. We show practical attacks against both encryption schemes in the context of email. First, we present a design flaw in the key update mechanism, allowing a third party to deploy a new key to the communication partners. Second, we show how email clients can be tricked into acting as an oracle for decryption or signing by exploiting their functionality to auto-save drafts. Third, we demonstrate how to exfiltrate the private key, based on proprietary mailto parameters implemented by various email clients. An evaluation shows that 8 out of 20 tested email clients are vulnerable to at least one attack. While our attacks do not target the underlying cryptographic primitives, they raise concerns about the practical security of OpenPGP and S/MIME email applications. Finally, we propose countermeasures and discuss their advantages and disadvantages.
KW  - Cyber Security
KW  - PGP
KW  - S/MIME
Y1  - 2020
U6  - http://dx.doi.org/10.1109/CNS48642.2020.9162218
SP  - 1
EP  - 9
ER  -