Clientless SSL VPN VulnerabilityDecember 1, 2009 – 6:47 AM
Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.
Web VPN servers interact with clients using a process similar to what is described below:
1. The user presents credentials to the web VPN using a web browser. The authentication can be done through username and password submission, or can involve multi-factor authentication.
2. The web VPN authenticates the user and assigns an ID to the session, which is sent to the user’s browser in the form of a cookie.
3. The user can then browse internal resources, such as a webmail server or intranet webserver. URLs as viewed by the user’s web browser may be similar to https://
As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://
If an attacker constructs a page that obfuscates the document.cookie element in such a way as to avoid being rewritten by the web VPN, then the document.cookie object in the returned page will represent all of the user’s cookies for the web VPN domain. Included in this document.cookie are the web VPN session ID cookie itself and all globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user’s VPN session and all other sessions accessed through the web VPN that rely on cookies for session identification.
Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to a XMLHttpRequest GET to the attacker’s site, rewritten in web VPN syntax.
Note that if the VPN server is allowed to connect to arbitrary Internet sites, these vulnerabilities can be exploited by any site on the Internet.