CORSICA: Cross-Origin Web Service Identification

  • Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents access to HTTP responses of other origins by default. We perform a structured analysis of loopholes in the SOP that can be used to identify web applications across network boundaries. For this, we analyze HTML5, CSS, and JavaScript features of standard-compliant web browsers that may leak sensitive information about cross-origin content. The results reveal several novel techniques, including leaking JavaScript function names or styles of cross-origin requests that are available in all common browsers. We implement and test these techniques in a tool called CORSICA. It can successfully identify 31 of 42 (74%) of web services running on different IoT devices as well as the version numbers of the four most widely used content management systems WordPress, Drupal, Joomla, and TYPO3. CORSICA can also determine the patch level on average down to three versions (WordPress), six versions (Drupal), two versions (Joomla), and four versions (TYPO3) with only ten requests on average. Furthermore, CORSICA is able to identify 48 WordPress plugins containing 65 vulnerabilities. Finally, we analyze mitigation strategies and show that the proposed but not yet implemented strategies Cross-Origin Resource Policy (CORP)} and Sec-Metadata would prevent our identification techniques.

Export metadata

Additional Services

Metadaten
Author:Christian Dresen, Fabian Ising, Damian Poddebniak, Tobias Kappert, Thorsten Holz, Sebastian Schinzel
URL:https://asiaccs2020.cs.nthu.edu.tw/program/
Parent Title (English):The 15th ACM ASIA Conference on Computer and Communications Security
Editor:Jianying Zhou
Document Type:Conference Proceeding
Language:English
Date of Publication (online):2020/05/25
Date of first Publication:2020/10/05
Provider of the Publication Server:Fachhochschule M√ľnster - University of Applied Sciences
Release Date:2020/05/25
Faculties:Elektrotechnik und Informatik (ETI)
Publication list:Schinzel, Sebastian
Licence (German):License LogoBibliographische Daten