Threat analysis of ‘Virtual Host Confusion’ on TLS

Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/13780

Full metadata record

DC Field	Value	Language
dc.date.accessioned	2016-11-10T08:49:17Z	-
dc.date.available	2016-11-10T08:49:17Z	-
dc.date.issued	2016	-
dc.identifier.uri	https://www.um.edu.mt/library/oar//handle/123456789/13780	-
dc.description	B.SC.(HONS)COMP.SCI.	en_GB
dc.description.abstract	As CDNs and co-located domains became more common, the threat of VHC became more evident. In this study, VHC was analysed and studied to understand the fundamental aspects that cause it. In addition, an investigation was carried out to determine what an attacker might get access to, when confusion is successful. Nginx and Apache were selected to for testing to obtain a better understanding of VHC on the most prominent web server. It was found that both web servers can be configured in a way that allows such vulnerabilities to happen. It was found that the fall-back mechanism of the HTTPS multiplexer plays an important role during all of the three confusion methods. Additionally, it is understood that multiple virtual hosts on the same IP:port, need to be on the same SSL context, but how this context ID is generated is the main reason VHC occurs when shared caches or ticket keys are involved. When VHC is exploitable, only client based data is vulnerable. XSS or SQL injection leading to JavaScript injection on a domain, can be used to steal the browser data of the confused domain, even though this data is supposedly protected by SOP. Redirections to HTTP can also be exploited to expose the arguments in the URI field for the domain being confused. This, in conjunction with how OAuth, works can become a huge vulnerability when implicit authentication takes place, as the token will be exposed in plain text. From the perspective of an incident responder, memory analysis can be used to to find out if VHC attacks have been carried out, but the volatility of the request makes for a very limited view of what is happening. The default logs, when enabled, can also provide hints as to whether or not confusion has been attempted. Network analysis was also carried out, to determine the level of information an attacker can obtain by simply analysing the data on the network. It was found that an attacker can easily determine the fall-back certificates and response for an IP:port. Additionally, using network analysis, one can determine with a high probability, that two IP:ports are sharing the same ticket key. On the other hand, no information as to whether two IP:ports are sharing the same cache can be obtained using network and packet analysis.	en_GB
dc.language.iso	en	en_GB
dc.rights	info:eu-repo/semantics/restrictedAccess	en_GB
dc.subject	Computer networks	en_GB
dc.subject	HTTP (Computer network protocol)	en_GB
dc.subject	Internet -- Security measures	en_GB
dc.title	Threat analysis of ‘Virtual Host Confusion’ on TLS	en_GB
dc.type	bachelorThesis	en_GB
dc.rights.holder	The copyright of this work belongs to the author(s)/publisher. The rights of this work are as defined by the appropriate Copyright Legislation or as modified by any successive legislation. Users may access this work and can make use of the information contained in accordance with the Copyright Legislation provided that the author must be properly acknowledged. Further distribution or reproduction in any format is prohibited without the prior permission of the copyright holder.	en_GB
dc.publisher.institution	University of Malta	en_GB
dc.publisher.department	Faculty of Information & Communication Technology. Department of Computer Science	en_GB
dc.description.reviewed	N/A	en_GB
dc.contributor.creator	Bonnici, Kyle	-
Appears in Collections:	Dissertations - FacICT - 2016 Dissertations - FacICTCS - 2016

Files in This Item:

File	Description	Size	Format
16BCS002.pdf Restricted Access		1.82 MB	Adobe PDF	View/Open Request a copy

Show simple item record Statistics