A proof-of-concept exploit working on Foxit (Version: 11.0.1.49938) can be downloaded here.
Recent research on web security and related topics. Provided and maintained by members and friends of the Chair for Network and Data Security at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security.
Tuesday, October 19, 2021
Shadow Attacks … the smallest attack vector ever
A proof-of-concept exploit working on Foxit (Version: 11.0.1.49938) can be downloaded here.
Thursday, June 10, 2021
ALPACA: Application Layer Protocol Confusion-Analyzing and Mitigating Cracks in TLS Authentication
In cooperation with the university Paderborn and Münster University of Applied Sciences, we discovered a new flaw in the specification of TLS. The vulnerability is called ALPACA and exploits a weakness in the authentication of TLS for cross-protocol attacks. The attack allows an attacker to steal cookies or perform cross-site-scripting (XSS) if the specific conditions for the attack are met.
Monday, May 31, 2021
Security Analysis in an OpenID Connect Lab Environment
In this post, Christian Fries shows an approach to unveil security flaws in OpenID Connect Certified implementations with well-known attack methods. One goal of the master's thesis Security Analysis of Real-Life OpenID Connect Implementations was to provide a platform for developers and security researchers to test implementations in a reproducible and maintainable OIDC lab environment.
We included six OpenID Provider (OP) and eight Relying Party (RP) services in the lab environment. For the comprehensive security analysis, we tested the implementations against eleven Relying Party attacks and seven OpenID Provider attacks in different variations with our tool PrOfESSOS. In addition, we carried out manual tests as well. We have disclosed twelve implementation flaws and reported them to the developers in a responsible disclosure process.
Two developer teams fixed (✔) the vulnerabilities before the deadline of the master's thesis. One Redirect URI Manipulation vulnerability was rejected (✖). This particular case can be permissible for only one registered URI for reasons of interoperability and fault tolerance. We informed three further development teams (✦).
Name | Vulnerability | Fixed | CVE |
MITREid Connect | PKCE Downgrade Attack | ✦ | |
mod auth openidc | ID Spoofing, JWKS Spoofing | ✔ | |
node oidc-provider | Redirect URI Manipulation | ✖ | |
OidcRP | Replay Attack | ✦ | |
phpOIDC | Message Flow Confusion, ID Spoofing, Key Confusion | ✦ | |
pyoidc | Replay Attack, Signature Manipulation, Token Recipient Confusion | ✔ | CVE-2020-26244 |
We explain the method of how we have archived this result in the following sections.
Monday, May 24, 2021
Attacks on PDF Certification
In recent years, we have presented How to Spoof PDF Signatures and Shadow Attacks: Hiding and Replacing Content in Signed PDFs, which describe attacks on PDF signatures under various attack scenarios. The attacks focused on so-called approval signatures. However, in addition to signing PDFs, the PDF specification also specifies the certification of documents, also known as certification signatures.
To close this research gap, we performed an extensive analysis of the security of PDF certification. In doing so, we developed the Evil Annotation Attack (EAA), as well as the Sneaky Signature Attack (SSA). The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits. We improved both attacks’ stealthiness with applications’ implementation issues and found only two applications secure to all attacks.
Wednesday, February 24, 2021
Security and Privacy of Social Logins (III): Privacy in Single Sign-On Protocols
This post is the second out of three blog posts summarizing my (Louis Jannett) research on the design, security, and privacy of real-world Single Sign-On (SSO) implementations. It is based on my master's thesis that I wrote between April and October 2020 at the Chair for Network and Data Security.
We structured this blog post series into three parts according to the research questions of my master's thesis: Single Sign-On Protocols in the Wild, PostMessage Security in Single Sign-On, and Privacy in Single Sign-On Protocols.
Overview
Part I: Single Sign-On Protocols in the Wild
Part III: Privacy in Single Sign-On Protocols
Monday, February 22, 2021
Security and Privacy of Social Logins (II): PostMessage Security in Single Sign-On
This post is the second out of three blog posts summarizing my (Louis Jannett) research on the design, security, and privacy of real-world Single Sign-On (SSO) implementations. It is based on my master's thesis that I wrote between April and October 2020 at the Chair for Network and Data Security.
We structured this blog post series into three parts according to the research questions of my master's thesis: Single Sign-On Protocols in the Wild, PostMessage Security in Single Sign-On, and Privacy in Single Sign-On Protocols.
Overview
Part I: Single Sign-On Protocols in the Wild
Part III: Privacy in Single Sign-On Protocols (coming soon)
Saturday, February 20, 2021
Security and Privacy of Social Logins (I): Single Sign-On Protocols in the Wild
This post is the first out of three blog posts summarizing my (Louis Jannett) research on the design, security, and privacy of real-world Single Sign-On (SSO) implementations. It is based on my master's thesis that I wrote between April and October 2020 at the Chair for Network and Data Security.
We structured this blog post series into three parts according to the research questions of my master's thesis: Single Sign-On Protocols in the Wild, PostMessage Security in Single Sign-On, and Privacy in Single Sign-On Protocols.
Overview
Part I: Single Sign-On Protocols in the Wild
Part III: Privacy in Single Sign-On Protocols (coming soon)
Sunday, January 17, 2021
Insecure Features in PDFs
In 2019, we published attacks on PDF Signatures and PDF Encryption. During our research and studying the related work, we discovered a lot of blog posts, talks, and papers focusing on malicious PDFs causing some damage. However, there was no systematic analysis of all possible dangerous features supported by PDFs, but only isolated exploits and attack concepts.
We decided to fill this gap and systematize the possibilities to use legitimate PDF features and do bad stuff. We define four attack categories: Denial of Service, Information Disclosure, Data Manipulation, and Code Execution.
Our evaluation reveals 26 of 28 popular PDF processing applications are vulnerable to at least one attack. You can download all malicious PDFs here. You can also find more technical details in our NDSS'21 paper.
This is a joined work of Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk.
Beliebte Posts
-
When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE)...
-
Inspired by James Kettle 's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security i...
-
Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medic...
-
In this post, we provide a security analysis of Microsoft Rights Management Services (RMS) and present two working attacks: We complete...
-
One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is n...