
MITM attack against non-SSL form posting to SSL

Tags: security, ssl

I understand as per this post the theoretical possibility of an attacker manipulating non-SSL forms in transit to a victim; can anyone articulate how this manipulation might take place IRL? A step-by-step example including the required toolset would be ideal.

ceej23 asked Dec 21 '22 09:12


2 Answers

Yes, it's possible to carry out a MITM against SSL posting. Here is how it works:

  1. First you need to carry out an ARP poisoning attack against the target [victim] machine and make sure the traffic from that target machine goes through yours. Some time back I blogged about this here. You can use dsniff for this.

  2. Configure sslstrip on your machine. I also blogged about this some time back.

  3. What sslstrip does is - it will remove all "https" and replace those with "http" - so the communication between target machine and you will be in clear text and you can see anything from target machine.

  4. sslstrip creates an SSL connection with the end server.

Thanks...

Prabath Siriwardena answered Jan 07 '23 09:01


  • The browser downloads the form using HTTP.
  • The form is modified in transit by an attacker that changes the HTTPS post back address to its own URL.
  • Once the user is ready to submit the form an HTTPS connection will be established to the server.
  • Since the attacker modified the URL address the user will try to connect to the attacker.
  • The attacker's server will send a certificate for authentication.
  • Usually the certificate will not be trusted by the browser and the browser will warn you.
  • The user must press cancel, otherwise the data will be submitted to the attacker.

There is also another case.

  • The attacker has a certificate signed by a trusted entity.
  • At this point the browser will not warn the user and the attacker will get the form data.

Whether this attack succeeds, IMO, depends on how "educated" the user is.

Cratylus answered Jan 07 '23 10:01
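
Both answers rely on the form being delivered over plain HTTP, where its action URL has no integrity protection. As an added example (not code from either answer), here is a site-side audit that flags that condition; `audit_form_delivery`, `FormCollector` and the `shop.example` URLs are hypothetical names chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> action and the first <base href>."""

    def __init__(self):
        super().__init__()
        self.actions, self.base = [], ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and not self.base:
            self.base = attrs.get("href") or ""
        elif tag == "form":
            # A missing action submits to the page's own URL.
            self.actions.append(attrs.get("action") or "")


def audit_form_delivery(page_url, html, headers):
    """Return findings for forms whose markup or submission is unprotected."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    collector = FormCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base)
    for action in collector.actions:
        target = urljoin(base, action)
        scheme = urlsplit(target).scheme
        if page_scheme == "http" and scheme == "https":
            # The case from this page: HTTPS target, but the form itself
            # arrives unauthenticated, so its action can be changed in transit.
            findings.append(f"{target}: form served over HTTP, action is unprotected")
        elif scheme == "http":
            findings.append(f"{target}: form data is posted in clear text")
    names = {k.lower() for k in headers}
    if page_scheme == "https" and "strict-transport-security" not in names:
        # Without HSTS a later http:// visit to the site is not upgraded.
        findings.append("no Strict-Transport-Security header on HTTPS response")
    return findings


# Constructed sample: login page fetched over HTTP, posting to HTTPS.
SAMPLE_HTML = '<form method="post" action="https://shop.example/session"></form>'

if __name__ == "__main__":
    for finding in audit_form_delivery("http://shop.example/login", SAMPLE_HTML, {}):
        print(finding)
```

An empty result requires the page itself to be served over HTTPS with an HSTS header and every form to post to an HTTPS target.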