Hacking cookies in modern web applications and browsers



Similar documents
Hack Proof Your Webapps

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Protecting Web Applications and Users

Hack Yourself First. Troy troyhunt.com

Web Application Security

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Security Testing with Selenium

Web application security

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

APPLICATION SECURITY AND ITS IMPORTANCE

(WAPT) Web Application Penetration Testing

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

OAuth: Where are we going?

Secure Coding in Node.js

Web-Application Security

Sichere Webanwendungen mit Java

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Web Application Firewall on SonicWALL SRA

SSL and Browsers: The Pillars of Broken Security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

SAP: Session (Fixation) Attacks and Protections

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

HTTPParameter Pollution. ChrysostomosDaniel

Thomas Röthlisberger IT Security Analyst

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Cloudy with a chance of 0-day

IJMIE Volume 2, Issue 9 ISSN:

The Risks of Client-Side Data Storage From cookie to database

Check list for web developers

OWASP TOP 10 ILIA

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Secure development and the SDLC. Presented By Jerry

Enterprise Application Security Workshop Series

Essential IT Security Testing

Web Application Vulnerability Testing with Nessus

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Web Application Worms & Browser Insecurity

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Preparing for the Cross Site Request Forgery Defense

The Top Web Application Attacks: Are you vulnerable?

Relax Everybody: HTML5 Is Securer Than You Think

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Web Application Security

What is Web Security? Motivation

Exploits: XSS, SQLI, Buffer Overflow

ez Agent Administrator s Guide

Chapter 1 Web Application (In)security 1

Gateway Apps - Security Summary SECURITY SUMMARY

A Tale of the Weaknesses of Current Client-side XSS Filtering

Web Application Guidelines

Cyber Security Workshop Ethical Web Hacking

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Criteria for web application security check. Version

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

P&WC Portal Settings. 1) Portal Language Setting:

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

SAMSUNG SMARTTV: HOW-TO TO CREATING INSECURE DEVICE IN TODAY S WORLD. Sergey Belov

Certified Secure Web Application Secure Development Checklist

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Remote Access End User Reference Guide for SHC Portal Access

Using Foundstone CookieDigger to Analyze Web Session Management

Web Application Attacks And WAF Evasion

Where every interaction matters.

Intrusion detection for web applications

Certified Secure Web Application Security Test Checklist

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Annual Web Application Security Report 2011

Next Generation Clickjacking

Request Manager Installation and Configuration Guide

Maximizing Performance with SPDY & SSL. Billy Hoffman

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Security Upgrade FAQs

Enhanced Login Security Frequently Asked Questions

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Internet Banking System Web Application Penetration Test Report

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Securing Secure Browsers

Web Application Security

Workday Mobile Security FAQ

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

Web application testing

Honeypot that can bite: Reverse penetration

Leveraging SAML for Federated Single Sign-on:

Session Management in Web Applications

April 11, (Revision 2)

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Still Aren't Doing. Frank Kim

Transcription:

Hacking cookies in modern web applications and browsers Dawid Czagan

About me Founder and CEO at Silesia Security Lab Bug hunter: security bugs found in Google, Yahoo, Mozilla, Microsoft, Twitter, Blackberry,... Trainer: Hacking web applications case studies of award-winning bugs in Google, Yahoo, Mozilla and more E-mail: dczagan@silesiasecuritylab.com Twitter: @dawidczagan

Motivation Cookies store sensitive data (session ID, CSRF token,...). Multi-factor authentication will not help, when cookies are insecurely processed. Security evaluators underestimate cookie related problems. There are problems with secure processing of cookies in modern browsers. Consequences: authorization bypass, user impersonation, remote cookie tempering, SQLi, XSS,...

Agenda Three perspectives of insecure cookie processing: web application browser RFC 6265 Selected problems will be discussed.

Secure flag & HSTS Secure flag set -> cookie sent only over HTTPS. Problem: insecure HTTP response can overwrite a cookie with Secure flag (RFC 6265; all browsers affected). HSTS (HTTP Strict Transport Security) implemented -> HTTPS traffic enforced. Problem: HSTS is not supported by Internet Explorer 10. Recommendation: use HSTS and Secure flag.

Importance of regeneration User is logged out and attacker learns user's cookie with session ID (XSS, disclosure over insecure HTTP,...). Problem: session ID has not been regenerated after successful authentication. Consequence: user impersonation Other examples: CSRF token, persistent login token,...

Server-side invalidation User logs out and cookie with session ID is deleted in user's browser. Problem: no server-side invalidation Consequence: user impersonation Assumption: attacker learned user's session ID, when user was logged in (XSS, disclosure over insecure HTTP,...).

HttpOnly flag JavaScript cannot read a cookie with HttpOnly flag. Problem: access permissions are not clearly specified in RFC 6265. Cookie with HttpOnly flag can be overwritten in Safari 8 Attack #1: switching a user to attacker's account. Profit: user enters credit card data to attacker's account. Attack #2: user impersonation Assumption: user logs in and session ID is not regenerated.

Domain attribute No domain attribute specified -> cookie will be sent only to the domain from which it originated (RFC 6265). Problem: Internet Explorer 11 will send this cookie additionally to all subdomains of this domain. Attack #1: cross-origin cookie leakage XSS on insensitive x.example.com has access to a cookie from sensitive example.com/wallet Attack #2: cookie leakage to externally managed domain (shared hosting)

Cookie tampering Problem: Safari 8 supports comma-separated list of cookies in Set-Cookie header (obsoleted RFC 2109). /index.php?lang=de,%20phpsessid=abc Attack #1: switching a user to attacker's account Attack #2: user impersonation Assumption: PHPSESSID is not regenerated after successful authentication. Attack #3: XSS via cookie More powerful attack with browser dependent exploitation

Underestimated XSS via cookie XSS via cookie local exploitation Remote attack #1: cross-origin exploitation XSS on insensitive x.example.com is used to launch XSS via cookie on sensitive y.example.com Remote attack #2: response splitting Remote attack #3: cookie tampering in Safari 8

Conclusions Security engineers/researchers should: educate development teams cooperate with browser vendors discuss/improve RFC 6265

Thanks Q&A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information