Clientless SSL VPNs provide browser-based access to internal and external resources without the need to install a traditional VPN client. Typically, these web VPNs are used to access intranet sites (such as an internal webmail server), but many have more capabilities, such as providing access to internal fileshares and remote desktop capabilities. To connect to a VPN, a web browser is used to authenticate to the web VPN, then the web VPN retrieves and presents the content from the requested pages.
If an attacker constructs a page that Machine code the Document.cookie element in such a way as to avoid being rewritten by the web VPN, then the Cookie object in the returned page will represent all of the user's cookies for the web VPN domain. Included in this Cookie are the web VPN session ID cookie itself and any globally unique cookies set by sites requested through the web VPN. The attacker may then use these cookies to hijack the user's VPN session and any other sessions accessed through the web VPN that rely on cookies for session identification.
Additionally, an attacker could construct a page with two frames: one hidden and one that displays a legitimate intranet site. The hidden frame could log all keys pressed in the second, benign frame and submit these keypresses as parameters to a XMLHttpRequest GET to the attacker's site, rewritten in web VPN syntax.
By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript.
Any clientless, browser-based SSL VPN that proxies multiple domains as a single domain violates the same origin policy and is considered to be vulnerable.
Clientless SSL VPN products ship with a variety of default configurations and available security features. Some products by default provide limited or no access and require an administrator to enable specific domains (or all domains). Depending on functional and security requirements, network architecture, and available security features, it may be possible to operate a clientless SSL VPN in a way that minimizes the potential impact of these vulnerabilities
