
mahara-contributors team mailing list archive

[Bug 1770561] Re: Browser back and refresh button attack vulnerability

 

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1770561

Title:
  Browser back and refresh button attack vulnerability

Status in Mahara:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released
Status in Mahara 18.04 series:
  Fix Released
Status in Mahara 18.10 series:
  Fix Committed

Bug description:
  About the vulnerability:

  The back, forward and refresh buttons of the browser can be used to
  steal the password of a previous user. In this article we examine the
  vulnerability and look at ways to solve them. A web browser has the
  functionality to store the recent pages browsed by the user in its
  history. The back and forward buttons on the browser make use of this
  history to display the pages that the user visited recently. The
  browser also keeps track of the variables that were sent as part of
  the request to the server for each page. The refresh feature of the
  browser automates posting of the variables to the server thereby
  greatly improving the user experience while browsing. These features
  enhance the user experience but at the same time they expose a
  high-risk vulnerability. This happens due to the application being
  insecurely designed. Attackers exploit these functionalities of the
  browser to obtain access to user credentials. Let's see how this works
  and the solutions to overcome this problem.

  Steps to reproduce: (Attached is the live POC)
  - Go to login page of the application and provide the credentials
  - Log yourself out from the application
  - Pressed the back button; it came to the login page,
  - which asked me to resubmit the details.
  - Credentials got captured in Burp Suite.

  How to Fix (Solution that we are looking into):

  Use an intermediate page between the login page and the first page
  displayed after authentication (myhome.asp in this case). This
  intermediate page should be used to redirect the user via an “HTTP
  Redirect command” to myhome.asp after successful login. In such a
  scenario, the login request is redirected immediately by the
  intermediate page.

  Reported by Shekhar Suman 
  http://iosec.in
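
The redirect-after-login fix described in the report, sketched as an added example; this is not Mahara's code (Mahara is PHP) and not part of the original report. The route names `/login` and `/home`, the sample account and the `redirect_after_post` switch are assumptions made for illustration, with `/home` standing in for the report's myhome.asp.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

USERS = {"alice": "correct horse"}   # constructed sample account
SESSIONS = set()                     # in-memory session ids, illustration only

def make_app(redirect_after_post=True):
    def app(environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
        if method == "POST" and path == "/login":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            user = form.get("user", [""])[0]
            password = form.get("password", [""])[0]
            expected = USERS.get(user, "")
            if not (expected and hmac.compare_digest(password.encode(), expected.encode())):
                start_response("401 Unauthorized", [("Cache-Control", "no-store")])
                return [b"login failed"]
            sid = secrets.token_urlsafe(32)
            SESSIONS.add(sid)
            headers = [("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax"),
                       ("Cache-Control", "no-store")]
            if redirect_after_post:
                # 303 makes the browser fetch /home with GET; the POST that
                # carried the password never becomes a history entry.
                start_response("303 See Other", headers + [("Location", "/home")])
                return [b""]
            # "Before" behaviour: the page is the POST response itself, so
            # back/refresh offers to resubmit the stored form data.
            start_response("200 OK", headers)
            return [b"home"]
        if method == "GET" and path == "/home":
            start_response("200 OK", [("Cache-Control", "no-store")])
            return [b"home"]
        start_response("404 Not Found", [])
        return [b"not found"]
    return app

def call(app, method, path, body=b""):
    """Drive the WSGI app without a network socket; returns (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

A regression check for this bug can assert that a successful login POST never answers with a rendered page: the status must be a redirect and the page itself must only be reachable by GET.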
