The ALPACA attack is a new type of TLS attack that can launch cross-protocol attacks against secure websites.
TLS is an Internet standard that secures communications between servers and clients on the Internet, such as web servers, FTP servers, and mail servers. TLS is independent of the application layer and can be applied to different communication protocols.
ALPACA is an application-layer protocol content obfuscation attack that exploits TLS servers that implement different protocols. An attacker can redirect traffic from one subdomain to another, generating a valid TLS session. This would break TLS authentication and possibly further cross-protocol attacks.
The researchers analyzed TLS cross-protocol attacks and conducted a case study of web servers and found that HTTPS requests can be successfully redirected from the victim’s web browser to SMTP, IMAP, POP3, and FTP servers. In a real attack scenario, an attacker can extract session cookies and other private user data, or execute arbitrary JS content in a vulnerable web server environment, bypassing TLS and web application security measures.
The figure above shows three ways that attackers launch cross-protocol attacks on web servers and exploit vulnerable FTP and mail servers—upload attacks, download attacks, and reflection attacks. In an Upload Attack, an attacker can steal authentication cookies and other private data. In a Download Attack, an attacker can perform a stored XSS attack. In a reflection attack, an attacker can perform a reflection XSS attack in the context of the victim’s website.
The researchers conducted an attack surface analysis of web browsers and widely deployed mail and FTP servers in a lab environment and found that 1.4 million web servers were vulnerable to cross-protocol attacks. Among them, 119,000 web servers can be attacked by exploiting vulnerable application servers.
While the vulnerability is conditional and difficult to exploit, any web-savvy hacker could exploit some configuration information. In addition, the researchers analyzed other protocols and found other types of attack scenarios.
In response to similar attacks, researchers propose to use Application Layer Protocol Negotiation (ALPN) and Server Name Indication extensions to prevent tin-like cross-protocol attacks. The researchers also recommend that administrators review TLS implementations and deployments, and that server and client application developers proactively apply safeguards to all protocols.