TLS isn't just about ensuring your data remains private whilst transiting the Internet, it's also about ensuring the integrity of the data. In this post I will demonstrate a HTML injection attack and show you what a man in the middle can do with it.

injection

In a previous blog post I gave a demonstration of Session Hijacking and showed how a man in the middle can sniff the session ID of an authenticated user from HTTP traffic. This would grant the attacker access to your account and allow them to do anything that you could do whilst logged in. This is the privacy aspect of using TLS that prevents a MITM from accessing the data in transit.

In this video I'm going to demonstrate another form of protection afforded by TLS known as data integrity. That is, knowing that the data hasn't been modified by a MITM during transit and that the page you're receiving has not been modified.


As with my previous video I'm running this MITM attack against my own computer but the fundamentals remain the same. The traffic could have been intercepted and modified at any point between the web server and my browser at the end point. After some further work on this attack I realised that I could improve it by not redirecting the user to the forged login page I was hosting but that I could actually redirect them to a HTTP version of the genuine login page that I had injected code into. This is possible because the site isn't forcing traffic over HTTPS and is a perfect example of how using HTTPS ensures data integrity as I can modify the login form being hosted over HTTP.


The program I used to run this MITM attack is called Fiddler and you can grab yourself a copy over on their website. I used FiddlerScript to make on the fly modifications to HTTP responses and inject my own code into the webpages. Fiddler is a very powerful tool and, as always, you should use it responsibly!

The RVBC site was taken down after they were notified of these and other security flaws in their website. Update 1, Update 2. To date the features of the site are not yet back online.  

Scott.
Short URL: https://scotthel.me/TLSIntegrity