Asking here because I can't find exactly what I am looking for. I looked at several OWASP pages, searched using terms like "login proxy phishing", "login csrf attack" and the like, and found no useful information on how to protect against this kind of scenario.
Let's say you have your trusted site (T), a malicious site (M), and the user who has an account at trusted site (U).
M sends a malicious email to the user, pretending to be T. User clicks the link and is redirected to M. Now, M is acting as a proxy to your trusted site and scrapes the login page -- the form, the CSRF token if any, is there. But the form's action has been manipulated to POST to M instead of T -- allowing the malicious actor to capture the credentials, before forwarding the login request, and giving to the user T's response (redirect).
Here's the sequence diagram of the attack I'm trying to prevent:
```
USER                     MALICIOUS                TRUSTED
|                        |                        |
| access site >          |                        |
+----------------------->| scrape login form >    |
|                        +----------------------->|
|                        |            < give form |
|  < give modified form  |<-----------------------+
|<-----------------------+                        |
| login >                |                        |
+----------------------->| capture credentials    |
|                        | and forward login >    |
|                        +----------------------->|
|                        |                        |
|                        |        < login success |
|                        |         < 301 to /home |
|                        |<-----------------------|
|  < redirect to         |                        |
|  < trusted.com/home    |                        |
|<-----------------------+                        |
|                        |                        |
|      (phished!)        |                        |
|                                                 |
|                                                 |
| access site normally >                          |
+------------------------------------------------>|
|                                                 |
```
Is this actually preventable? I have a gut feeling that CSRF will not help here because the token can be easily scraped and passed back to T and it will pass. Let me know if I'm wrong.
I also think that POSTing the login using ajax will not work because the attacker can proxy everything, including assets, and modify them before serving to the victim -- and make the browser post the ajax form to the malicious site (bypassing XSS). M can then fake an XHR call using curl to forward the request to T.
I am sure this has already been thought of and solved by the experts, but English not being my first language is giving me difficulty in finding the right resources.
What are the keywords that I need to know in order to prevent this?
Upvotes: 2
Views: 205
Assume I send you a link to https://grnail.com (gmail where I try to fake "m" with "rn", which in some fonts look almost alike). Are you going to log in and put in your own credentials? You are going to check the domain name if it is something you really expect.
Unfortunately most of the security at this point relies on the user and his ability to read. On the other hand, sometimes reading does not help at all. There are e.g. Unicode attacks that were quite popular some years ago:
Well, try it yourself in different browsers: https://www.аррӏе.com/
How to prevent these kinds of attacks? You can't. Well, almost. If your site is using authentication and your users authenticate using U2F, then even if their credentials leak, the attacker will not be able to take over the account.
Upvotes: 1
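The following is an added model (not code from either poster) of the two points made in this thread: why the question's CSRF token is forwarded intact by the proxy M, and why the origin binding in U2F/WebAuthn stops the same proxy. It assumes the names trusted.com and grnail.com from the thread, and uses a constructed HMAC key as a stdlib-only stand-in for the authenticator's ECDSA credential key, so it illustrates the protocol checks rather than the real signature scheme.

```python
import hashlib
import hmac
import json
import secrets

TRUSTED_ORIGIN = "https://trusted.com"
RP_ID = "trusted.com"
# Constructed stand-in for the credential's private key. A real authenticator signs with
# ECDSA; HMAC keeps the example stdlib-only, so this models the protocol, not U2F itself.
CREDENTIAL_KEY = b"constructed-credential-key"

def csrf_token_flow():
    """Anti-CSRF token: M scrapes it from T's form and re-posts it, so T accepts."""
    token = secrets.token_urlsafe(16)                 # T embeds this in its login form
    forwarded_by_m = {"user": "alice", "pw": "captured", "csrf": token}   # M copies it
    return hmac.compare_digest(forwarded_by_m["csrf"], token)   # nothing binds it to the page origin

def browser_client_data(page_origin, challenge):
    """The browser itself (not page script, which M can rewrite) records the origin it shows."""
    data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return json.dumps(data, sort_keys=True).encode()

def authenticator_sign(client_data):
    """Authenticator signs rpIdHash || SHA-256(clientDataJSON); M only ever sees the output."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest()     # rpIdHash field of authenticatorData
    msg = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, msg, hashlib.sha256).digest()

def rp_verify(auth_data, client_data, sig, expected_challenge):
    """T's relying-party checks: challenge freshness, origin, then the signature."""
    cd = json.loads(client_data)
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != TRUSTED_ORIGIN:
        return False, "origin mismatch"               # the check a proxy cannot get past
    msg = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(CREDENTIAL_KEY, msg, hashlib.sha256).digest(), sig):
        return False, "bad signature"                 # M edited clientDataJSON in transit
    return True, "ok"

def login_flow(page_origin, m_rewrites_origin=False):
    """Ceremony with the user's browser on page_origin; M proxies challenge and assertion."""
    challenge = secrets.token_urlsafe(32)             # issued by T, forwarded verbatim by M
    client_data = browser_client_data(page_origin, challenge)
    auth_data, sig = authenticator_sign(client_data)
    if m_rewrites_origin:                             # M patches the origin field before forwarding
        client_data = browser_client_data(TRUSTED_ORIGIN, challenge)
    return rp_verify(auth_data, client_data, sig, challenge)
```

Running `login_flow("https://grnail.com")` fails the origin check, and having M rewrite the origin instead breaks the signature, while `csrf_token_flow()` succeeds because the token carries no information about where the user typed.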