
I see posts everywhere saying that mixed content like images could let an attacker replace the images being loaded over HTTP on an HTTPS page; however, I couldn't exploit this after hours of testing different MITM tools. Does anyone know how to actually exploit this kind of "vulnerability"?

That's all, thanks in advance.

The commands and tools I tried to exploit this:

  • `./bettercap -T [ip] -X -httpd` --> sniff and run an HTTP server
  • `./bettercap -T [IP] --proxy -P POST` --> proxy everything, see traffic going through POST
  • xerosploit with the replace-images module
Tomi Begher
  • You would intercept the plain HTTP response sending the image data and replace it with other image data. This will let you replace the images, but not inject active content like JS. It's no different from the usual HTTP MITM methods. – Arminius May 31 '19 at 04:10
  • *"...however I couldn't exploit this after hours testing different MITM tools..."* - this provides not enough information about what you actually tried. But such information is needed in order to point out what you did wrong, i.e. to guide you to solve the problem. Therefore I propose to close the question as too broad. – Steffen Ullrich May 31 '19 at 05:29
  • @Arminius I know how to intercept traffic, I know how to inject JS or replace images on websites that don't implement HSTS for example, so I know how to do that. However, I don't know how to do it when for example images are loaded over HTTP on an HTTPS page. – Tomi Begher May 31 '19 at 14:33
  • @SteffenUllrich I added them now... but it doesn't help much if you don't know the tools or haven't used them. I am looking for someone who actually managed to do this. Thanks. – Tomi Begher May 31 '19 at 14:37
  • @TomiBegher There is no general way to do this. You can exploit only a specific vulnerability in a specific version of a specific software. And we don't know what browser/OS you are using. But if you search the web there's a number of vulnerabilities like the one I linked to in my answer, or https://www.mozilla.org/en-US/security/advisories/mfsa2010-41/ (a random one I just found) and then you have public issues in Project Zero like https://bugs.chromium.org/p/project-zero/issues/detail?id=1640. The catch is most of those public write-ups are about old/patched software, for obvious reasons. – Tomasz Zieliński Jun 02 '19 at 13:24
  • @TomaszZieliński you are literally talking about other vulnerabilities; this doesn't have anything to do with a specific version or software. I recommend that you search more about this vulnerability before commenting. – Tomi Begher Jun 02 '19 at 21:21
  • Possible duplicate of [Why do browsers warn about mixed content for images?](https://security.stackexchange.com/questions/17156/why-do-browsers-warn-about-mixed-content-for-images) – Jun 05 '19 at 14:07

2 Answers

Depends on what you consider a vulnerability.

  • If the images you load via HTTP are confidential, then sending them via plain HTTP violates their confidentiality.
  • If the images you load via HTTP must preserve their integrity, then sending them via plain HTTP allows an attacker to modify them.

This of course all depends on your use-case. There are some legitimate scenarios where an attacker could exploit this. Imagine you had a web application that generates a QR code for the recipient of a payment, that is designed to be scanned by a smartphone app to verify the payment. This QR code would then be sent via HTTP, while the rest of the content is sent via HTTPS.

An attacker would then modify this content, and quietly insert their own payment address instead of the original recipient. Even though the site was loaded via HTTPS, the fact that the image was loaded via HTTP generated an error.

While passive content is generally less dangerous, it's not correct to say there is no danger associated with it at all.

  • I know the theory, but I am unable to find any post or anything that actually does this; theoretical vulnerabilities don't matter in this area. – Tomi Begher May 31 '19 at 14:31
  • @TomiBegher You asked "Is passive mixed content actually exploitable?", not "How can I exploit this specific passive mixed content?" – May 31 '19 at 15:50
  • Yes, you are right, but I can't find a way or tutorial or blog or anything exploiting this, so I'm not sure that it is actually exploitable. I want facts or proofs, not theory. – Tomi Begher May 31 '19 at 17:29
  • @TomiBegher What do you define as "fact" or "proof"? A story of a website which was exploited like this? A ready-made PoC module for Burp? – Jun 01 '19 at 21:12
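The answer above frames the risk in terms of confidentiality and integrity of whatever is fetched over plain HTTP; a defender's first step is to enumerate which subresources on an HTTPS page actually are. The following is an added example, not code from the question, the answers or any tool they mention: a stdlib-only Python scanner that lists HTTP subresources in an HTML page and classifies them as passive (img/audio/video, which browsers typically still load with a warning) or active (script, iframe, stylesheet and the rest, which browsers block). The page URL, hostnames and HTML are constructed sample data.

```python
"""Added example: find and classify mixed content in an HTTPS page's HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Optionally-blockable" (passive) mixed content per the W3C Mixed Content spec:
# browsers usually load these over http and only warn. Everything else is active.
PASSIVE_TAGS = {"img", "audio", "video", "source"}
# Attributes that trigger a fetch, by tag.
URL_ATTRS = {
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            # Relative and protocol-relative ("//host/x.png") URLs inherit the
            # page scheme, so only an explicit http:// URL is mixed content.
            absolute = urljoin(self.page_url, raw.strip())
            if urlsplit(absolute).scheme != "http":
                continue
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((kind, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return (kind, tag, url) for every http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served securely
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a checkout page that embeds its payment QR code over http.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example/qr/payment.png"><img src="//cdn.example/logo.png">
<img src="/static/banner.png"><script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/style.css">
<video poster="http://cdn.example/poster.jpg"><source src="/m.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Passive findings are the integrity/confidentiality exposure the answer describes (here the payment QR code); active findings would be blocked by current browsers but still indicate the page is not fully HTTPS.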

A possible scenario is that a MITM replaces an image with one that exploits an RCE (remote code execution) vulnerability in the user's browser.

Here's an example of such a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2017-2416. Basically you can serve a crafted image containing executable code and have that code executed on older versions of macOS and iOS.

Assuming that you just want to run code on the user's machine (for instance, you can perform a sandbox escape), it doesn't matter whether it's a mixed-content or HTTP-only page: you serve a crafted image and the image takes things from there, so to speak.

And if your means are limited and you only target a single website, you can use a "mixed content" image to execute your code in the context of the targeted page.

So it's another reason why everything should be served over https://.