Firesand has identified a sophisticated hack that would have bypassed a client’s Web Application Firewall and caused serious damage.

In this case, the hacker sent a phishing email referencing a real promotion that the business was running. Within this email, a WAF bypass technique was used to deliver malicious code,  which the victim clicks.

Commenting Chris Blake, Director, and Principal Data Protection & Privacy Consultant, said: “This was a sophisticated hack attacking the vulnerability of JavaScript which most websites are dependent upon. Very few people have a true understanding of programming and JavaScript. Fortunately, our experts have the software and JavaScript knowledge to uncover attacks like this.”

In this attack, the website was tricked into delivering malicious content to the user via a Refected XSS (Cross Site Scripting) vulnerability. This takes external input, does not validate it and reflects it back to the user. As a result, the malicious code at the end of the link is read by the website’s servers and then delivered back to the user’s browser.

At this stage, the victim’s browser receives the malicious code and executes it. The malicious script creates an iframe and embeds the target website. It has an ‘onload’ event handler, meaning it executes every time a link and the page is loaded. This handler is configured to reload the attack onto every page, and it’s set up so the user cannot see this.

A JavaScript Prototype Pollution attack is then used to get a copy of all the information sent from the victim’s browser to the website, exploiting the way JavaScript implements the Object Oriented programming paradigm.

When web pages send data to the back-end server they often use a method known as XmlHttpRequest. The prototype pollution makes a copy of existing in-built JavaScript behaviour, provides a new implementation of that behaviour and also uses the copy of the original behaviour.

Under this method, extra code can seamlessly be added and from this, a copy of the data is sent from the victim’s browser to the target website. This data could include personal information such as banking details.

To obtain this data, an SOP bypass is conducted, tricking the browser into doing that. An image tag is embedded into the web page but with a style that positions the image off the viewable area of the screen. The SRC tag attribute is set to the web server's IP address and at the end of the SRC, a query string is added within a URL.

When the browser attempts to download the new image using that URL a blank ‘image not found’ icon is loaded onto the page. As this is positioned off screen the user doesn’t see this. The web server receives all the data and the hacker can see this too.

Finding this high-risk vulnerability highlights the importance of ensuring that websites and systems are regularly monitored for any potential threats. Any small update can cause problems so it is essential to regularly check for security threats.

Find more information about our Penetration Testing Services or Get in touch to enquire more about our services.