Attacking this browsing model was one of the key demos in my PacSec presentation.
Whether you know it or not (and whether you like it or not), your browser is likely making a flurry of plain http requests behind the scenes. Some examples are:
- Safebrowsing updates
- OCSP or other certificate related requests
- Updating RSS feeds
So what evil can a MITM attacker do with these plain http requests? The good news is that the responses that need integrity protection (Safebrowsing updates and OCSP responses) are signed, so the attacker cannot simply forge their contents. Interestingly, a failure to talk OCSP during an https connection setup does not prevent the connection (browsers treat OCSP as soft-fail), but that's a separate discussion.
Specific useful attacks include:
- Attacking the exposed HTTP protocol attack surface
- Replying with a 302 redirect to the plain http version of a target site in order to exploit surfjacking (any cookie without the Secure flag is then sent in the clear)
- Replying with a 302 redirect followed by a Set-Cookie, with the MITM impersonating the plain http target, in order to exploit cookie forcing (the cookie store does not distinguish http from https, so the forced cookie is later sent to the https app)
Cookie forcing is a great advanced way for a MITM to break into https web apps that are not vulnerable to surfjacking (or XSS, XSRF, XSSI, the usual stuff, etc.). I will detail this new attack class and its opportunities in a subsequent post. Also see Billy's nice write-up on mixed-content http script loading for another under-appreciated attack against https web apps.
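To make the two redirect tricks concrete, here is an added example (my own illustration, not code from the original post or from the PacSec demo). It models a browser cookie store of the era the post describes, where cookies are keyed by domain, path and name with no record of the scheme they arrived over, plus the raw 302 responses a MITM would inject. The host name `bank.example`, the cookie names and values, and the "background feed update" trigger are all constructed for illustration.

```python
# Added example (not from the original post): a minimal model of how a MITM turns one
# background plain-http request into surfjacking and then cookie forcing against an
# https site. Host names, cookie names and values are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit

TARGET = "bank.example"  # assumed victim https site


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False


class CookieJar:
    """Tiny model of the browser cookie store of the era the post describes:
    cookies are keyed by (domain, path, name) only, so the scheme they were
    set over is not part of the key."""

    def __init__(self):
        self._store = {}

    def set_from_response(self, request_url, set_cookie):
        """Store one Set-Cookie header received in a response to request_url."""
        host = urlsplit(request_url).hostname
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        domain, path, secure = host, "/", False
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.lower()
            if key == "domain":
                domain = val.lstrip(".")
            elif key == "path":
                path = val
            elif key == "secure":
                secure = True
        # A Set-Cookie received over http:// replaces the entry https:// pages use.
        self._store[(domain, path, name)] = Cookie(name, value, domain, path, secure)

    def cookie_header_for(self, url):
        """The Cookie header the browser would attach to a request for url."""
        parsed = urlsplit(url)
        host, is_https = parsed.hostname, parsed.scheme == "https"
        sent = []
        for c in self._store.values():
            if host != c.domain and not host.endswith("." + c.domain):
                continue
            if not (parsed.path or "/").startswith(c.path):
                continue
            if c.secure and not is_https:
                continue  # only the Secure flag keeps a cookie off the wire
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def mitm_response(location, set_cookie=None):
    """Raw HTTP/1.1 302 the MITM injects in place of the genuine plain-http reply."""
    lines = ["HTTP/1.1 302 Found", f"Location: {location}"]
    if set_cookie:
        lines.append(f"Set-Cookie: {set_cookie}")
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def parse_response(raw):
    """Split a raw response into (status line, {header-name: [values]})."""
    head = raw.partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, val = line.partition(":")
        headers.setdefault(key.strip().lower(), []).append(val.strip())
    return status, headers


def run_scenario():
    """Returns (cookies leaked in the clear, cookies the https origin later sees)."""
    jar = CookieJar()
    # Constructed starting state: an existing https session; only the csrf cookie is Secure.
    jar.set_from_response(f"https://{TARGET}/login", "session=victim-session; Path=/")
    jar.set_from_response(f"https://{TARGET}/login", "csrf=victim-csrf; Path=/; Secure")

    # Step 1: a background plain-http request (say a feed update) goes out; the MITM
    # answers it with a 302 to the plain-http version of the target.
    _, headers = parse_response(mitm_response(f"http://{TARGET}/"))
    redirect_to = headers["location"][0]

    # Surfjacking: the browser follows the redirect and sends every non-Secure cookie
    # for the host in the clear, where the MITM reads it.
    leaked = jar.cookie_header_for(redirect_to)

    # Step 2 (cookie forcing): the MITM now impersonates http://TARGET and replies with
    # Set-Cookie, bouncing the browser back to https so nothing looks amiss.
    _, headers = parse_response(
        mitm_response(f"https://{TARGET}/", "session=attacker-session; Path=/"))
    for set_cookie in headers["set-cookie"]:
        jar.set_from_response(redirect_to, set_cookie)

    # The https app now receives the attacker-chosen session cookie.
    seen_by_https = jar.cookie_header_for(f"https://{TARGET}/account")
    return leaked, seen_by_https


if __name__ == "__main__":
    leaked, seen = run_scenario()
    print("leaked over http:", leaked)
    print("sent to https:  ", seen)
```

Two things worth noticing when you run it. The Secure flag stops the csrf cookie from leaking in step 1, but in this model it would not stop step 2: Secure only governs sending, and a plain-http Set-Cookie for `csrf` would overwrite the Secure entry just as it did for `session`. Current browsers that implement the "Leave Secure Cookies Alone" rule from the RFC 6265bis drafts refuse that overwrite, which narrows cookie forcing to sites that fail to set Secure; the sending half (surfjacking) still depends entirely on the flag being present.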
Closing questions that could lead to future research include:
- Do Firefox / Opera / other browsers have robust OCSP response parsers?
- What can you do with evil / malformed XML responses to RSS updates?
- What about replying to a background request with an unexpected MIME type - does that expand the attack surface?
- What about other interesting or unexpected HTTP headers?