Cookies Lack Integrity: Real-World Implications

Slides:

Advertisements

Similar presentations

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Advertisements

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

Chapter 10 Maintaining State Information Using Cookies.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies Cross site scripting

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

Working with Cookies Managing Data in a Web Site Using JavaScript Cookies* *Check and comply with the current legislation regarding handling cookies.

CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.

CS453: State in Web Applications (Part 1) State in General Sessions (esp. in PHP) Prof. Tom Horton.

Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14.

Web Programming Language Week 7 Dr. Ken Cosh Security, Sessions & Cookies.

Chapter 8 Cookies And Security JavaScript, Third Edition.

BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.

Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.

Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.

Web Application Security Presented by Ben Lake. How the Web Works Hypertext Transfer Protocol (HTTP)  Application-level  Stateless Example  Web Browser.

Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.

Robust Defenses for Cross-Site Request Forgery

Cookies Web Browser and Server use HTTP protocol to communicate and HTTP is a stateless protocol. But for a commercial website it is required to maintain.

Cookies Lack Integrity: Real-World Implications Xiaofeng Zheng (1), Jian Jiang (2), Jinjin Liang (1), Haixin Duan (1,3), Shuo Chen (4), Tao Wan (5) and.

Session and Cookie Management in.Net Sandeep Kiran Shiva UIN:

COOKIES and SESSIONS. COOKIES A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Web Database Programming Week 7 Session Management & Authentication.

Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.

A Little Bit About Cookies Fort Collins, CO Copyright © XTR Systems, LLC A Little Bit About Cookies Instructor: Joseph DiVerdi, Ph.D., M.B.A.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Saving State on the WWW. The Issue  Connections on the WWW are stateless  Every time a link is followed is like the first time to the server — it has.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.

Session Tracking Lec 31. Revisiting Session Tracking HTTP is a stateless protocol  Every request is considered independent of every other request Many.

ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Cross-site request forgery Collin Jackson CS 142 Winter 2009.

Web Technologies Lecture 6 State preservation. Motivation How to keep user data while navigating on a website? – Authenticate only once – Store wish list.

PHP and Sessions. Session – a general definition The GENERAL definition of a session in the “COMPUTER WORLD” is: The interactions (requests and responses)

Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.

©SoftMooreSlide 1 Cookies. ©SoftMooreSlide 2 Cookies Basic idea –web application sends a simple name/value pair to the client –when the client connects.

1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.

COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.

Cookies and Sessions in PHP. Arguments for the setcookie() Function There are several arguments you can use i.e. setcookie(‘name’, ‘value’, expiration,

Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.

Sessions and cookies (part 2) MIS 3501, Fall 2015 Brad N Greenwood, PhD Department of MIS Fox School of Business Temple University 11/19/2015.

PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.

Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.

Programming for the Web Cookies & Sessions Dónal Mulligan BSc MA

Web Storage and Cookies Cookies, Local and Session Storage SoftUni Team Technical Trainers Software University

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.

CSE 154 Lecture 20: Cookies.

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Client / Session Identification Cookies

What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.

Client / Session Identification Cookies

CSC 495/583 Topics of Software Security Intro to Web Security

CS320 Web and Internet Programming Cookies and Session Tracking

Web Programming Language

Exploring DOM-Based Cross Site Attacks

[Based in part on SWE 432 and SWE 632 materials by Jeff Offutt, GMU]

Presentation transcript:

Cookies Lack Integrity: Real-World Implications Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan and Nicholas Weaver Present by Zeyi Tao

How Cookie Works Interface: a key-value like browser-side storage to maintain states Write: setcookie(name, value, expire, path, domain, secure, httponly) Read: $_COOKIE[name] Protocol: Write as a response header Stored as key-value http://login.example.com/ Set-Cookie: user=alice; domain=“.example.com”; path=/; … key value http://www.example.com/ Cookie: user=alice; … Matches cookie domain and path with the URL, Only sends name-value pairs of all matching cookies.

Cookie’s Weak Access Control Policy In the same origin policy of web, the origin is usually defined by protocol, domain, and port, isolating static/active content from different websites. The origin of cookie only includes domain. In addition, if two domains share same suffix, the suffix may be used as cookie scope and is accessible by both domains. Allows cross-domain and cross-scheme (HTTP to HTTPS) cookie injection. Set-Cookie: value=bad; domain=.example.com https://good.example.com/ http://evil.example.com/

Cookie Overwriting A cookie can be directly overwritten if its domain scope is shared with an attacker from a related domain. http://evil.example.com/ value=bad; domain=.example.com; path=/

Cookie Overwriting A cookie can be directly overwritten if its domain scope is shared with an attacker from a related domain. https://good.example.com/ Cookie: value=bad; value=bad; domain=.example.com; path=/

Cookie Shadowing Even a cookie is set with a more-specific domain, it still could be shadowed by a related domain attacker. http://evil.example.com/ value=bad; domain=.example.com; path=/home value=good; domain=good.example.com; path=/; secure

Cookie Shadowing Even a cookie is set with a more-specific domain, it still could be shadowed by a related domain attacker. https://good.example.com/home Cookie: value=bad; value=good value=good; domain=good.example.com; path=/; secure … // return the first cookie with given name for (int i=0; i<cookies.length; i++) { if (cookies[i].getName().equals(name)) return cookies[i]; } value=bad; domain=.example.com; path=/home

Motivation To understand the real-world impact of cookie injection attacks. In practice, how could an attacker inject malicious cookies into an HTTP/HTTPS session? What kind of attacks could be caused by injecting cookies? What should we do? are there possible protocol changes to improve cookie's integrity while not to break existing websites?

Pitfalls in Cookie Implementations Uncovered Implementation Quirks Browser-side Cookie Priority Sever/Script-Side Cookie Preference Cookie Storage Limitation Cookie Header Size Limit Cookie Name Cookie Path Uncovered Vulnerabilities Vulnerabilities in Handing Proxy Response Vulnerabilities in Handing Public Suffixes in Safari Vulnerabilities in Safari‘s HSTS Implementation

Uncovered Implementation Quirks

Uncovered Vulnerabilities Vulnerabilities in Handing Proxy Response

Real World Exploitations Using cookie as authentication tokens Use cookie to identify a user session Reflecting cookies into HTML Unsafe implementation of auxiliary variables: preferred language, username etc. Associating important and session independent states with cookies Session fixation

Cookies as Authentication Tokens The attacker can selectively shadow session cookies to attribute certain activities to the attacker. https://mail.google.com/a https://chat.google.com/b sessioncookie; domain=“chat.google.com”; path=/b

Reflecting cookies into HTML Every request may bring different cookie values, no matter how you set cookies previously. https://secure.boa.com/login clean cookie with path “/” Set-Cookie: value=good;path=“/” secure.boa.com/myaccounts Cookie: value=xss; value=good; “/login”: 1. Cookie Validation 2. Set Cookie with “/login”, redirection ---------------------------------------------------- “/myaccounts”: (Cookie Validation missed!) 1. Read Cookie from “/myaccounts” xss payload cookie with path “/myaccounts”

Associating important and session independent states with cookies Shopping cart tracking/manipulation on popular E-commerce websites Browsing history and purchase tracking/hijacking on Amazon Tracking of all purchases Potential hijacking of purchases

Possible Defenses Existing Solutions Our Browser Enhancements Full HSTS and Public Suffix List Defensive Cookie Practices Anomaly Detection Our Browser Enhancements Mitigating Active Network Attackers Mitigating Web Attackers

Browser Enhancements A browser MUST NOT accept a cookie presented in an HTTP response with the secure flag set, nor overwrite an unexpired secure cookie Cookies with the secure flag MUST be given higher priority over non- secure cookies. A browser MUST only send the highest priority cookie for any cookie name. In removing cookies due to a too-full cookie store, the browser MUST NOT remove a secure cookie when there are non-secure cookies that can be re moved. The browser MUST allow an HTTP connection to clear a secure cookie . The browser MUST NOT send a cookie with the “do not send” flag, nor send any non-secure cookie with the same name.

Conclusions We provided an evaluation of potential susceptible websites to cookie injection attacks. We examined both browser-side and server-side cookie implementation, in which we found several browser vulnerabilities and a number of non- conforming and/or inconsistent implementations. We demonstrated the severity and prevalence of cookie injection attacks in the real world. We developed and implemented browser-side enhancements to provide better cookie isolation.

Questions According to authors work, give one example common cookie usage which often lead to cookie injection attacks if specific defensive measures are not in place. Why network cookies are unsafe?(open questions) Is there any possible solution but without using cookies?(open questions)