Web VPN solutions circumvent browser security model
Source: H Security - Posted by Alex   
US-CERT has stated that clientless SSL VPN products from various vendors tear a hole in browser security mechanisms, allowing theft of cookies and access data. Clientless SSL VPNs rely on a secure internet connection between a user's web browser and a company web server that serves various applications to out-of-office staff and provides access to additional intranet services. The solutions are known as 'clientless' because they do not require a dedicated VPN client. To make specific resources externally available via HTTP, the web VPN solution has to rewrite URLs, so that http://www.intranet.example.com/mail.html, for example, becomes https://webvpnserver/www.intranet.example.com. As a result, all URLs start with the same domain, irrespective of where on the intranet the content originates. Cookies and references to objects such as document.cookie delivered by web applications are also rewritten by the VPN solution. But, according to US-CERT, in doing so the VPN products circumvent the browser's same-origin policy, which prevents objects and scripts from accessing data and objects loaded from other domains. The same-origin policy is based on the domain name, but under an SSL VPN this is always the same: webvpnserver in our example above.

According to US-CERT, an attacker could in principle set up an HTML intranet page that uses the document.cookie object to read all of a victim's cookies, although the attacker would need to prevent the VPN server from rewriting this object. According to the report, this could be achieved by obfuscating the object in the source code. Once an attacker has a victim's cookies, he is able to take over all the victim's connections to intranet servers.
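The origin collapse described above, as an added example (not code from the article, US-CERT or any vendor's product), modelled in Python: it rewrites a constructed list of intranet URLs the way the text describes and groups them by the origin the browser actually sees, which is the inventory check an administrator would want before publishing applications through such a gateway. The gateway name webvpnserver and the exact rewriting rule are assumptions taken from the article's example.

```python
"""Added example, not part of the H Security article or the US-CERT note.

Models the URL rewriting a clientless SSL VPN performs and shows why the
browser's same-origin policy stops separating the intranet applications
behind it. Hypothetical assumptions: the gateway is "webvpnserver" and the
original host is folded into the path, as in the article's example.
"""
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

VPN_HOST = "webvpnserver"  # hypothetical gateway name from the article's example


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple the browser uses for same-origin checks."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}[p.scheme]
    return (p.scheme, p.hostname, port)


def rewrite(url: str) -> str:
    """Model the gateway rewrite: http://host/path -> https://VPN_HOST/host/path."""
    p = urlsplit(url)
    path = "/" + p.netloc + (p.path or "/")
    return urlunsplit(("https", VPN_HOST, path, p.query, ""))


def collapsed_origins(urls):
    """Group original intranet origins by the origin the browser sees after rewriting.

    Returns {rewritten_origin: sorted list of distinct original origins}. Any
    entry holding more than one original origin is a set of applications the
    browser can no longer isolate from each other: a script served by one can
    reach the cookies and DOM of the others.
    """
    groups = defaultdict(set)
    for u in urls:
        groups[origin(rewrite(u))].add(origin(u))
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample inventory of intranet applications published through the gateway
SAMPLE_URLS = [
    "http://www.intranet.example.com/mail.html",
    "http://hr.intranet.example.com/payroll",
    "http://wiki.intranet.example.com:8080/",
]

if __name__ == "__main__":
    for seen, originals in collapsed_origins(SAMPLE_URLS).items():
        print(f"browser sees {seen}; gateway merges {len(originals)} origins: {originals}")
```

Three distinct intranet origins end up as one browser origin, which is exactly the isolation loss the report describes.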

Read this full article at H Security
