Cross-Site Leak - Frame Counting

Description

An external site can determine whether or not a user is logged into the platform by opening the platform's page and counting the frames it loads, since the number of frames differs between the logged-in and logged-out states. For this to work, the logged-in user must visit a site that hosts a malicious frame-counting script.

Impact

Determine if a specific user has access to the platform and thus collect targets for spearphishing attacks.

Recommendation

Load the same amount of frames in all application load cases.
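An added example, not code from the original page: a server-side renderer that emits the same number of frames whether or not the user is logged in (filling the logged-out slots with an inert placeholder), plus the response headers that stop a cross-origin document from counting frames at all. The widget paths and the placeholder route are constructed for the example.

```javascript
// Widget routes that only a logged-in user should see (constructed sample paths)
const LOGGED_IN_WIDGETS = ['/widgets/inbox', '/widgets/calendar', '/widgets/billing'];
const FRAME_SLOTS = LOGGED_IN_WIDGETS.length;

// Frame list for a given session state: the count never changes, only the targets.
// A logged-out visitor gets the same number of frames, each loading an empty placeholder.
function frameSources(loggedIn) {
  return loggedIn
    ? LOGGED_IN_WIDGETS
    : Array(FRAME_SLOTS).fill('/widgets/placeholder');
}

// Renders the dashboard body; frames.length seen from outside is identical in both cases
function renderDashboard(loggedIn) {
  const frames = frameSources(loggedIn)
    .map((src) => `<iframe src="${src}" title="widget"></iframe>`)
    .join('\n');
  return `<!doctype html>\n<html><body>\n${frames}\n</body></html>`;
}

// Headers to send with the page: they remove the cross-origin window reference
// through which an attacker page would read window.frames.length
function securityHeaders() {
  return {
    // Puts the page in its own browsing context group, severing the opener's handle
    'Cross-Origin-Opener-Policy': 'same-origin',
    // Refuses framing by other origins, so no iframe.contentWindow is available to inspect
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Counts <iframe> elements in rendered HTML; useful as a regression check that
// both session states keep producing the same number
function countFrames(html) {
  return (html.match(/<iframe\b/g) || []).length;
}
```

The header defence goes beyond the page's recommendation: equalising the frame count removes the signal, while the headers remove the attacker's ability to read it.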

Threat

Attacker on the Internet sending malicious links.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the source.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: P
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
  • Score:
    • CVSS-BT: 5.3
  • Severity:
    • CVSS-BT: Medium

Compliant code

The application schedules both outcomes of the login query with the same delay, so the response time does not distinguish a successful sign-in from a failed one.

import java.util.Scanner;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class Login {
    // One fixed delay for both outcomes, so the response time does not reveal which path ran
    private static final long DELAY = 500;

    public static void main(String[] args) {
        Scanner input = new Scanner(System.in);
        String username = input.next();
        String password = input.next();
        ScheduledExecutorService executor = Executors.newScheduledThreadPool(2);

        try {
            // credentialsMatch, User, signIn and failedSignIn are the application's own
            // helpers, assumed to be defined elsewhere
            if (credentialsMatch(username, password)) {
                executor.schedule(new Runnable() {
                    public void run() {
                        User check = new User(username, password);
                        signIn(check);
                    }
                }, DELAY, TimeUnit.MILLISECONDS);
            }
        } catch (Exception e) {
            // The failure handler is scheduled with the same delay on purpose,
            // so it takes the same amount of time to execute as the success path
            executor.schedule(new Runnable() {
                public void run() {
                    failedSignIn(username);
                }
            }, DELAY, TimeUnit.MILLISECONDS);
        }
    }
}

Non compliant code

The application responds at a different time when the query succeeds than when the login fails, because fetching the data for a successful login introduces a delay that the failure path does not have.

import java.util.Scanner;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class Login {
    private static final long DELAY = 500;

    public static void main(String[] args) {
        Scanner input = new Scanner(System.in);
        String username = input.next();
        String password = input.next();

        try {
            // Fetching the data for a successful login takes noticeably longer...
            Thread.sleep(5000);
            // credentialsMatch, User and signIn are the application's own helpers,
            // assumed to be defined elsewhere
            if (credentialsMatch(username, password)) {
                ScheduledExecutorService executor = Executors.newScheduledThreadPool(2);
                executor.schedule(new Runnable() {
                    public void run() {
                        User check = new User(username, password);
                        signIn(check);
                    }
                }, DELAY, TimeUnit.MILLISECONDS);
            }
        } catch (InterruptedException e) {
            // ...while the failure path returns immediately, so the timing
            // difference reveals the outcome of the login
        }
    }
}
