Dynamic Pharming Attacks and Locked Same-origin Policies for Web Browsers

Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar. ACM CCS. Oct 29-Nov 2, 2007, Alexandria, Virginia.

ABSTRACT

We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.

BeamAuth: Two-Factor Web Authentication with a Bookmark

Ben Adida, ACM CCS. Oct 29-Nov 2, 2007, Alexandria, Virginia.

ABSTRACT

We propose BeamAuth, a two-factor web authentication technique where the second factor is a specially crafted bookmark. BeamAuth presents two interesting features: (1) only server-side deployment is required alongside any modern, out-of-the-box web browser on the client side, and (2) credentials remain safe against many types of phishing attacks, even if the user fails to check proper user interface indicators. BeamAuth is deployable immediately by any login-protected web server with only minimal work, and it neither weakens nor interferes with other anti-phishing techniques. We believe BeamAuth may be most useful in preventing a number of phishing attacks at high-value single sign-on sites, e.g. OpenID providers.
Topic revision: r1 - 08 Oct 2008 - 21:45:20 - QiLiao