Pwnie Awards 2017

2020 Nomination for Most Innovative Research

How to Exfiltrate Internal Information Using Web Proxies

José Moreira

This research on enterprise proxy gateways explores the mechanism that warns the user when malicious web content is being accessed. These warnings usually contain sensitive information, such as domain name, domain group, internal IP addresses and other custom fields. When a malicious web page requests a flagged resource, this resource will be replaced by a proxy user warning. Browsers will typically restrict access to the response of cross-domain requests. However, if this flagged resource is located on the same domain, the malicious web page will be able to retrieve the contents of the warning since it is not a cross-domain request and browser restrictions will not apply. This technique can be used to exfiltrate the internal information leaked on the warning messages provided by the web proxy software. This was assigned CVE-2019-3635 on McAfee, solutions from Fortiguard and Symantec are also vulnerable but those companies did not acknowledge the bug.

How to Exfiltrate Internal Information Using Web Proxies