Presentation is loading. Please wait.

Presentation is loading. Please wait.

John Mitchell (based on Dan’s previous slides)

Published byJulia Page Modified over 5 years ago

Similar presentations

Presentation on theme: "John Mitchell (based on Dan’s previous slides)"— Presentation transcript:

1 John Mitchell (based on Dan’s previous slides)
CS 155 Spring 2018 Web Security Session Management John Mitchell (based on Dan’s previous slides)

2 Outline Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

3 Review from Lecture 8 Cookies: client state

4 HTTP is stateless protocol; cookies add state
Used to store state on user’s machine POST … Server Browser HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Server Browser POST … Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

5 Cookie authentication
Browser Web Server Auth server POST login.cgi Username & pwd Validate user Set-cookie: auth=val auth=val Store val GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, restricted.html YES/NO

6 Outline Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

7 Same origin policy: review
Review: Same Origin Policy (SOP) for DOM: Origin A can access origin B’s DOM if match on (scheme, domain, port) This lecture: Same Original Policy (SOP) for cookies: Based on: ([scheme], domain, path) optional scheme://domain:port/path?params

8 Setting/deleting cookies by server
GET … Server Browser HTTP Header: Set-cookie: NAME=VALUE ; domain = (when to send) ; path = (when to send) secure = (only send over SSL); expires = (when expires) ; HttpOnly SameSite = [lax | strict] scope if expires=NULL: this session only if expires=past date: browser deletes cookie weak XSS defense weak CSRF defense SameSite cockies: e.g. do not send cookie on a cross-site POST request (strict means never send cookie on cross-site request). Supported in Chrome 51. Default scope is domain and path of setting URL

9 Scope setting rules (write SOP)
domain: any domain-suffix of URL-hostname, except TLD example: host = “login.site.com” login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .stanford.edu (and some hosting centers) path: can be set to anything allowed domains login.site.com .site.com disallowed domains other.site.com othersite.com .com

10 Cookies are identified by (name,domain,path)
name = userid value = test domain = login.site.com path = / secure cookie 2 name = userid value = test123 domain = .site.com path = / secure distinct cookies Both cookies stored in browser’s cookie jar both are in scope of login.site.com

11 Reading cookies on server (read SOP)
Browser GET //URL-domain/URL-path Cookie: NAME = VALUE Browser sends all cookies in URL scope: cookie-domain is domain-suffix of URL-domain, and cookie-path is prefix of URL-path, and [protocol=HTTPS if cookie is “secure”] Goal: server only sees cookies in its scope

12 Examples cookie 1 name = userid value = u1 domain = login.site.com
both set by login.site.com cookie 1 name = userid value = u1 domain = login.site.com path = / secure cookie 2 name = userid value = u2 domain = .site.com path = / non-secure cookie: userid=u2 cookie: userid=u1; userid=u2 FF3: most specific cookie sent first

13 Client side read/write: document.cookie
Setting a cookie in Javascript: document.cookie = “name=value; expires=…; ” Reading a cookie: alert(document.cookie) prints string containing all cookies available for document (based on [protocol], domain, path) Deleting a cookie: document.cookie = “name=; expires= Thu, 01-Jan-70” SOP: same as server-side read/write. HttpOnly cookies: not included in document.cookie

14 javascript: alert(document.cookie)
Javascript URL javascript: alert(document.cookie) Displays all cookies for current document

15 Outline Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

16 Cookie protocol problems
Server is blind: Does not see cookie attributes (e.g. secure, HttpOnly) Does not see which domain set the cookie Server only sees: Cookie: NAME=VALUE RFC 2109 (cookie RFC) has an option for including domain, path in Cookie header, but not supported by browsers.

17 Example 1: login server problems
Alice logs in at login.site.com login.site.com sets session-id cookie for .site.com 2. Alice visits evil.site.com overwrites .site.com session-id cookie with session-id of user “badguy” 3. Alice visits course.site.com to submit homework course.site.com thinks it is talking to “badguy” Problem: course.site.com expects session-id from login.site.com; cannot tell that session-id cookie was overwritten Writes creditcard number into attacker’s account. Common in hosting providers.

18 Example 2: “secure” cookies are not secure
Alice logs in at Alice visits (cleartext) Network attacker can inject into response Set-Cookie: SSID=badguy; secure and overwrite secure cookie Problem: network attacker can re-write HTTPS cookies ! HTTPS cookie value cannot be trusted set-cookie: SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/ ; Expires=Wed, 09-Mar :35:11 GMT; Secure; HttpOnly set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com;Path=/ ; Expires=Wed, 09-Mar :35:11 GMT; Secure Alice visits automatically due to phishing filter

19 Interaction with the DOM SOP
Cookie SOP path separation: x.com/A does not see cookies of x.com/B Not a security measure: x.com/A has access to DOM of x.com/B <iframe src=“x.com/B"></iframe> alert(frames[0].document.cookie); Path separation is done for efficiency not security: x.com/A is only sent the cookies it needs

20 Cookies have no integrity
User can change and delete cookie values Edit cookie database (FF: cookies.sqlite) Modify Cookie header (FF: TamperData extension) Silly example: shopping cart software Set-cookie: shopping-cart-total = ($) User edits cookie file (cookie poisoning): Cookie: shopping-cart-total = ($) Similar problem with hidden fields <INPUT TYPE=“hidden” NAME=price VALUE=“150”> 21 21

21 Not so silly … (old) Source: http://xforce.iss.net/xforce/xfdb/4621
D3.COM Pty Ltd: ShopFactory 5.8 @Retail Adgrafix: Check It Out Baron Consulting Group: WebSite Tool ComCity Corporation: SalesCart Crested Butte Software: EasyCart Dansie.net: Dansie Shopping Cart Intelligent Vending Systems: Intellivend Make-a-Store: Make-a-Store OrderPage McMurtrey/Whitaker & Associates: Cart32 3.0 CartMan 1.04 Rich Media Technologies: JustAddCommerce 5.0 SmartCart: SmartCart Web Express: Shoptron 1.2 All these shopping carts stored data on browser Source: 22 22

22 Solution: cryptographic checksums
Goal: data integrity Requires server-side secret key k unknown to browser Generate tag: T ⟵ MACsign(k, SID ll name ll value ) Server Browser Set-Cookie: NAME = value T k Cookie: NAME = value T Verify tag: MACverify(k, SID ll name ll value, T) non-keyed checksums (e.g. CRC) are insufficient for this purpose !! Can still swap with cookies from another active session. Bind to IP address? Binding to session-id (SID) makes it harder to replay old cookies

23 Example: ASP.NET System.Web.Configuration.MachineKey
Secret web server key intended for cookie protection Creating an encrypted cookie with integrity: HttpCookie cookie = new HttpCookie(name, val); HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie); Decrypting and validating an encrypted cookie: HttpSecureCookie.Decode (cookie); Attack: 24

24 Outline Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

25 Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (e.g. Gmail) or short without session mgmt: users would have to constantly re-authenticate Session mgmt: authorize user once; All subsequent requests are tied to user

26 Pre-history: HTTP auth
HTTP request: GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

27 HTTP auth problems Hardly used in commercial sites:
User cannot log out other than by closing browser What if user has multiple accounts? multiple users on same machine? Site cannot customize password dialog Confusing dialog to users Easily spoofed

28 Session tokens GET /index.html set anonymous session token
web site Browser GET /index.html set anonymous session token GET /books.html anonymous session token check credentials (crypto) POST /do-login Username & password elevate to a logged-in session token POST /checkout logged-in session token Validate token Validate token: check that it belongs to an active session that has not been logged out or timed out.

29 Storing session tokens: Lots of options (but none are perfect)
Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb Embed in all URL links: ? SessionToken=kh7y3b In a hidden form field: <input type=“hidden” name=“sessionid” value=“kh7y3b”>

30 Storing session tokens: problems
Browser cookie: browser sends cookie with every request, even when it should not (CSRF) Embed in all URL links: token leaks via HTTP Referer header In a hidden form field: does not work for long-lived sessions Best answer: a combination of all of the above. (or if user posts URL in a public blog)

31 The HTTP referer header
Referer leaks URL session token to 3rd parties Referer supression: not sent when HTTPS site refers to an HTTP site in HTML5: <a rel=”noreferrer” href=

32 The Logout Process Web sites must provide a logout function:
Functionality: let user to login as different user Security: prevent others from abusing account What happens during logout: 1. Delete SessionToken from client 2. Mark session token as expired on server Problem: many web sites do (1) but not (2) !! ⇒ Especially risky for sites who fall back to HTTP after login

33 Outline Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

34 Session hijacking Attacker waits for user to login then attacker steals user’s Session Token and “hijacks” session ⇒ attacker can issue arbitrary requests on behalf of user Example: FireSheep [2010] Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login

35 Beware: Predictable tokens
Example 1: counter ⇒ user logs in, gets counter value, can view sessions of other users Example 2: weak MAC token = { userid, MACk(userid) } Weak MAC exposes k from few cookies. Apache Tomcat: generateSessionId() Returns random session ID [server retrieves client state based on sess-id] Don’t generate your own. Use built in procedures: ASP, Tomcat, JServ

36 Session tokens must be unpredictable to attacker
To generate: use underlying framework (e.g. ASP, Tomcat, Rails) Rails: token = MD5( current time, random nonce ) Don’t generate your own. Use built in procedures: ASP, Tomcat, JServ

37 Beware: Session token theft
Example 1: login over HTTPS, but subsequent HTTP Enables cookie theft at wireless Café (e.g. Firesheep) Other ways network attacker can steal token: Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: Logout must invalidate token on server

38 Mitigating SessionToken theft by binding
Mitigating SessionToken theft by binding SessionToken to client’s computer A common idea: embed machine specific data in SID Client IP addr: makes it harder to use token at another machine But honest client may change IP addr during session client will be logged out for no reason. Client user agent: weak defense against theft, but doesn’t hurt. SSL session id: same problem as IP address (and even worse) Can also embed agent’s timezone.

39 Session fixation attacks
Suppose attacker can set the user’s session token: For URL tokens, trick user into clicking on URL For cookie tokens, set using XSS exploits Attack: (say, using URL tokens) Attacker gets anonymous session token for site.com Sends URL to user with attacker’s session token User clicks on URL and logs into site.com this elevates attacker’s token to logged-in token Attacker uses elevated token to hijack user’s session.

40 Session fixation: lesson
When elevating user from anonymous to logged-in: always issue a new session token After login, token changes to value unknown to attacker ⇒ Attacker’s token is not elevated. Problems with new SessionToken after every request: the back button (but can be dealt with with proper handling of replays)

41 Summary Cookie fundamentals Web session management
Cookie policy: setting and retrieving cookies Cookie protocol problems Web session management Session state and authentication Session hijacking Token stealing Session fixation

42 Final thoughts Always assume cookie data retrieved from client is adversarial Session tokens are split across multiple client state mechanisms: Cookies, hidden form fields, URL parameters Cookies by themselves are insecure (CSRF, cookie overwrite) Session tokens must be unpredictable and resist theft by network attacker Ensure logout invalidates session on server

Download ppt "John Mitchell (based on Dan’s previous slides)"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.

Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Security: Session Management

Web Security: Session Management
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Cookies Cross site scripting

Cookies Cross site scripting
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Similar presentations

Ads by Google