The OnlineBKU consists of a Java Applet that runs on the clients browser, a Java Servlet component and the actual application. The Applet is used to communicate with the smart card and the user, while the server component handles the communication to the application. The application is the component that then processes the data signed by the users citizen card. A successful signing procedure happens as following:
- The clients browser sends (HTTP POST) a request to a servlet. This requests contains the request to the Citizen Card Environment (XMLRequest), some Applet parameters (appletGuiStyle, appletWidth, appletHeight, etc.) and the DataURL.
- The Servlet responds with an HTML document that embeds the Java Applet. This document is normally shown in an iframe.
- The clients browser loads the Applet. The Applet then communicates with a Servlet.
- The user interacts with the Applet (e.g. signes a document).
- The Applet sends the signed data to a Servlet. The Servlet posts the signed data to the DataURL defined by the application (see step 1).
An attacker can do the following:
- The victim visits an attacker controlled web page while being logged in on an application that uses a vulnerable Citizen Card Environment.
- The clients browser shows the response document with the Java Applet (e.g. hidden in an invisible iframe), the Servlet send the NullOperationResponse to the attacker controlled DataURL.
The proof of concept
To demonstrate this issue I have written a tiny HTML page that demonstrates this issue: https://dl.dropbox.com/u/24455435/test_bku.html. It sends a forged request to a specified OnlineBKU installation and prints cookies of the that are visible in the origin of the OnlineBKU installation. As many installations have been updated now (and the proof of concept does not work any more on those installations) i have made a short video demonstrating the issue: https://dl.dropbox.com/u/24455435/bkuxss.mp4
Beginning with version 1.3.8 of the MOCCA OnlineBKU4 the allowed DataURLs have to be specified in a configuration file (as regular expressions). When configured correctly, that fixes this issue.