Browser back and refresh button attack vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Unassigned |
17.04 | Fix Released | High | Unassigned |
17.10 | Fix Released | High | Unassigned |
18.04 | Fix Released | High | Unassigned |
18.10 | Fix Released | High | Unassigned |
Bug Description
About the vulnerability:
The back, forward and refresh buttons of the browser can be used to steal the password of a previous user. In this article we examine the vulnerability and look at ways to solve them.

A web browser has the functionality to store the recent pages browsed by the user in its history. The back and forward buttons on the browser make use of this history to display the pages that the user visited recently. The browser also keeps track of the variables that were sent as part of the request to the server for each page. The refresh feature of the browser automates posting of the variables to the server thereby greatly improving the user experience while browsing.

These features enhance the user experience but at the same time they expose a high risk vulnerability. This happens due to the application being insecurely designed. Attackers exploit these functionalities of the browser to obtain access to user credentials. Let’s see how this works and the solutions to overcome this problem.
Steps to reproduce: (Attached is the live POC)
- Go to login page of the application and provide the credentials
- Log yourself out from the application
- Pressed the back button, it came to login page.
- which asked me to resubmit the details.
- Credentials got captured in Burpsuite.
How to Fix (Solution that we are looking into):
Use an intermediate page between the login page and the first page displayed after authentication (myhome.asp in this case). This intermediate page should be used to redirect the user via an “HTTP Redirect command” to myhome.asp after successful login. In such a scenario, the login request is redirected immediately by the intermediate page.
Reported by Shekhar Suman
http://
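The intermediate-redirect fix described in the report, as an added example that is not Mahara's code and not part of the original report: the login POST is always answered with a 303 redirect, so the first authenticated page is the result of a GET and the credential-bearing request is never the one a reload repeats. The paths `/login` and `/home`, the `USERS` and `SESSIONS` tables and the `call()` helper are assumptions made for the illustration.

```python
# Added example, not Mahara code: Post/Redirect/Get for a login form.
# Paths, USERS, SESSIONS and call() are constructed for illustration.
import hmac, io, secrets
from urllib.parse import parse_qs

USERS = {"alice": "correct horse"}  # constructed account; plaintext only for brevity
SESSIONS = {}                       # session id -> username
FORM = b'<form method="post" action="/login"><input name="username"><input name="password" type="password"></form>'

def respond(start_response, status, headers, body=b""):
    # no-store keeps pages around authentication out of browser and proxy caches.
    headers = headers + [("Cache-Control", "no-store"), ("Content-Length", str(len(body)))]
    start_response(status, headers)
    return [body]

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    if method == "POST" and path == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            # Failed logins are redirected too, so no POST response is ever rendered.
            return respond(start_response, "303 See Other", [("Location", "/login?failed=1")])
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        # Intermediate step: answer the POST with a redirect instead of a page.
        return respond(start_response, "303 See Other", [
            ("Location", "/home"),
            ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/")])
    if method == "GET" and path == "/home":
        sid = environ.get("HTTP_COOKIE", "").partition("sid=")[2].split(";")[0]
        if sid not in SESSIONS:
            return respond(start_response, "303 See Other", [("Location", "/login")])
        return respond(start_response, "200 OK", [("Content-Type", "text/plain")], f"Hello {SESSIONS[sid]}".encode())
    if method == "GET" and path == "/login":
        return respond(start_response, "200 OK", [("Content-Type", "text/html")], FORM)
    return respond(start_response, "404 Not Found", [("Content-Type", "text/plain")], b"not found")

def call(method, path, body=b"", cookie=""):
    """Drive the WSGI app in-process; returns (status, headers dict, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = app(environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"], b"".join(out)
```

Because `/home` is only ever reached by GET, reloading it re-sends the session cookie rather than the form body; the session still has to be invalidated server-side at logout.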
CVE References
information type: | Private Security → Public Security |
We'll need to ensure that the solution that we implement also works with Mahara Mobile. If the change requires changes on Mahara Mobile, then we would need to have two parallel solutions for Mobile as not everybody will be updating to the latest security release and it is out of the hands of the people downloading the app.