Cross-Site Leak - Frame Counting
Description
It is possible to determine from an external site whether or not a user is logged into the platform by counting the frames loaded when the page is opened, because the number of frames differs between the logged-in and anonymous states. The victim must be logged into the platform and then visit a site hosting a malicious frame-counting script.
Impact
Determine whether a specific user has access to the platform, and thus collect targets for spear-phishing attacks.
Recommendation
Load the same number of frames in every application state (logged in or not), so that the frame count reveals nothing about the session.
Threat
Attacker on the Internet sending malicious links.
Expected Remediation Time
⌚ 120 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: R
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: N
Temporal
- Exploit code maturity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
- Score:
  - Base: 4.3
  - Temporal: 4.3
- Severity:
  - Base: Medium
  - Temporal: Medium
Code Examples
Compliant code
The application schedules the same fixed delay for both outcomes, so the response timing does not distinguish a successful query from a failed login.
import java.util.Scanner;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class Login {
    // Same fixed delay for both outcomes, so timing does not reveal the result
    private static final long delay = 500;

    public static void main(String[] args) {
        Scanner input = new Scanner(System.in);
        final String username = input.next();
        final String password = input.next();
        ScheduledExecutorService executor = Executors.newScheduledThreadPool(2);
        // credentialsMatch is a stand-in for the application's own credential check;
        // users, signIn and failedSignin are the application's own code
        if (credentialsMatch(username, password)) {
            executor.schedule(new Runnable() {
                public void run() {
                    users check = new users(username, password);
                    signIn(username, check);
                }
            }, delay, TimeUnit.MILLISECONDS);
        } else {
            // The failure path is scheduled with the same delay, on purpose
            executor.schedule(new Runnable() {
                public void run() {
                    failedSignin(username);
                }
            }, delay, TimeUnit.MILLISECONDS);
        }
    }
}
Non-compliant code
The application responds with different timing when the query succeeds than when the login fails, because only the successful path waits for the data to be fetched.
import java.util.Scanner;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class Login {
    private static final long delay = 500;

    public static void main(String[] args) {
        Scanner input = new Scanner(System.in);
        final String username = input.next();
        final String password = input.next();
        try {
            // credentialsMatch is a stand-in for the application's own credential check;
            // users, signIn and failedSignin are the application's own code
            if (credentialsMatch(username, password)) {
                Thread.sleep(5000); // waiting for the data happens only on the successful path
                ScheduledExecutorService executor = Executors.newScheduledThreadPool(2);
                executor.schedule(new Runnable() {
                    public void run() {
                        users check = new users(username, password);
                        signIn(username, check);
                    }
                }, delay, TimeUnit.MILLISECONDS);
            } else {
                failedSignin(username); // returns immediately: the timing reveals the outcome
            }
        } catch (InterruptedException e) {
            // Code to catch the exception that executes faster than the login code...
        }
    }
}
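The frame-count recommendation (the same number of frames in every state), as an added JavaScript example that is not part of the original page: a server-side renderer that always emits a fixed number of frames and sends window-isolation headers, plus a check a test suite can run over the anonymous and logged-in renders. renderPage, frameCount, the frame URLs and the session object are assumptions.

```javascript
// Fixed number of frames the page always loads, whatever the session state
const FRAME_SLOTS = 2;

// Render the page for a session (null = anonymous). The frame URLs and the
// session shape are hypothetical.
function renderPage(session) {
  const loggedIn = session !== null;
  const frames = [
    '<iframe src="/banner" title="banner"></iframe>',
    // Slot 2 is the notifications panel when logged in and an empty
    // placeholder frame otherwise, so the count never changes.
    loggedIn
      ? '<iframe src="/notifications" title="notifications"></iframe>'
      : '<iframe src="/placeholder" title="placeholder"></iframe>',
  ];
  if (frames.length !== FRAME_SLOTS) {
    throw new Error('frame count must not depend on session state');
  }
  const body = `<!doctype html><html><body>${frames.join('\n')}</body></html>`;
  const headers = {
    // Isolates the window from a cross-origin opener: the opener's handle is
    // disconnected and no longer reflects this page's frames.
    'Cross-Origin-Opener-Policy': 'same-origin',
    // Blocks cross-origin embedding, so an iframe's contentWindow cannot be counted.
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
  return { headers, body };
}

// Number of frame elements in rendered HTML: what window.frames.length
// would report for this document.
function frameCount(html) {
  return (html.match(/<(iframe|frame)\b/gi) || []).length;
}

// Regression check for a test suite: both states must expose the same count.
function frameCountsMatch() {
  const anonymous = renderPage(null);
  const signedIn = renderPage({ userId: 'u-123' }); // constructed sample session
  return frameCount(anonymous.body) === frameCount(signedIn.body);
}
```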
Requirements