Distill: Death to Cookies

Konstantin Haase

August 09, 2013

Transcript

  1. Death to Cookies
    Konstantin Haase
    @konstantinhaase

  2. story time

  6. once upon a time

  9. Recipetastic™

  12. Bob, Alice

  13. Bob, Alice

  14. Bob, Alice, Eve

  15. Bob, Alice, Mallet

  16. problem solved

  18. POST /login HTTP/1.1
    Host: www.recipetast.ic
    Content-Length: 44

    [email protected]&
    password=st0p%20Motion

  19. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob

    ...

  20. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob

  21. Guessing

  25. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob
    Set-Cookie: pwd=...

    ...

  26. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob; pwd=...

  27. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob; pwd=...

    Basic Auth, just with cookies

  28. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob
    Set-Cookie: token=...

    ...

  30. XSS
    Cross Site Scripting

  32. can read cookie and send it somewhere

  34. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob; HttpOnly

    ...

  36. can read (and write) recipes

  38. sanitize all user input

  39. Content Security Policy

  41. CSRF
    Cross Site Request Forgery

  42. Is this awesome, y/n?

  44. GET /create?… HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice

  45. GET /create?… HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice

    Deadly cookies!

  47. GET, HEAD, OPTIONS, TRACE
    PUT, DELETE, LINK, UNLINK
    POST, PATCH

  48. [diagram: state 1 → PUT / → state 2 → PUT / → state 2]
    Repeatable! :)
    State change! :(
    Deterministic! :)
    https://speakerdeck.com/rkh/we-dont-know-http

  49. GET, HEAD, OPTIONS, TRACE
    PUT, DELETE, LINK, UNLINK
    POST, PATCH

  53. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice
    ...

  54. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice
    ...

    Deadly cookies!

  56. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Referer: http://awesome-website.com/
    Cookie: user=alice

  57. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Referer: http://awesome-website.com/
    Cookie: user=alice

    [sic]

  60. Referer is not set for FTP or HTTPS referrers

  61. Referer can be spoofed by outdated flash plugin

  63. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Origin: http://awesome-website.com
    Cookie: user=alice

  66. Not supported by older browsers

  67. Origin can probably be spoofed by outdated flash plugin

  69. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: csrf_token=XXX
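The Origin, Referer and token checks from the slides above, combined into one Rack-style check (an added example, not code from the deck). `APP_ORIGIN`, the `X-CSRF-Token` header and the `csrf_token` form field are constructed names for this example.

```ruby
require "uri"

# Added example, not from the deck: the app's own origin and the token
# field/header names below are constructed for illustration.
APP_ORIGIN   = "http://www.recipetast.ic"
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Scheme, host and port must all match; an unparsable URL is a mismatch.
def same_origin?(url)
  u, a = URI.parse(url), URI.parse(APP_ORIGIN)
  u.scheme == a.scheme && u.host == a.host && u.port == a.port
rescue URI::InvalidURIError
  false
end

# Constant-time comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# env: Rack env hash; params: parsed form fields; session_token: the token
# issued for this session. Returns :allowed or the reason for rejection.
def csrf_check(env, params, session_token)
  # Only safe if GET/HEAD/OPTIONS/TRACE never change state (slide 48).
  return :allowed if SAFE_METHODS.include?(env["REQUEST_METHOD"])

  # Origin is the strongest signal when the browser sends it: reject a mismatch.
  origin = env["HTTP_ORIGIN"]
  return :bad_origin if origin && !same_origin?(origin)

  # Referer is the fallback for older browsers. It is absent for HTTPS->HTTP
  # referrers and old plugins could spoof it, so its absence is not a pass.
  referer = env["HTTP_REFERER"]
  return :bad_referer if referer && !same_origin?(referer)

  # Headers alone are never enough: the per-session token is always required,
  # either as a form field or as the AJAX request header.
  token = env["HTTP_X_CSRF_TOKEN"] || params["csrf_token"]
  return :missing_token if token.nil? || session_token.nil?
  secure_equal?(token.to_s, session_token) ? :allowed : :bad_token
end
```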

  72. Cheating Same Origin

  73. HTTP/1.1 200 OK
    Content-Type: application/json

  74. An attacker could just load it, right?

  75. AJAX can only load from the same origin (or CORS)

  77. seems harmless

  78. In JavaScript, you can override the array constructor.

  79. https://github.com/rkh/json-csrf

  81. Never serve JSON that has an array at top level
    (or don't use cookies)

  83. VBScript did not fully implement Same Origin

  85. Block Internet Explorer before IE9

  86. Block Internet Explorer before IE9

  87. require CSRF token for all AJAX requests

  89. Are we doing good so far?
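One way to enforce "never serve JSON with an array at top level" once, in a Rack middleware, rather than in every handler (an added example; not code from the deck or from the rkh/json-csrf project). A top-level array is re-wrapped as an object, which is not a valid bare script body the way an array literal is.

```ruby
require "json"

# Added example, not from the deck: wraps any top-level JSON array in a
# {"data": [...]} object before it leaves the app. The "data" key is a
# constructed convention for this example.
class WrapTopLevelJsonArray
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless json_response?(headers)

    raw = +""
    body.each { |chunk| raw << chunk }
    body.close if body.respond_to?(:close)

    safe = self.class.wrap(raw)
    # Rack 2 uses "Content-Length", Rack 3 "content-length": fix whichever exists.
    headers.keys.each do |k|
      headers[k] = safe.bytesize.to_s if k.casecmp?("content-length")
    end
    [status, headers, [safe]]
  end

  # Pure helper so the rule can be tested without a Rack stack.
  def self.wrap(raw)
    parsed = JSON.parse(raw)
    parsed.is_a?(Array) ? JSON.generate("data" => parsed) : raw
  rescue JSON::ParserError
    raw # not JSON after all; pass through untouched
  end

  private

  def json_response?(headers)
    headers.any? do |k, v|
      k.casecmp?("content-type") && v.to_s.start_with?("application/json")
    end
  end
end
```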

  91. Can we trust a cookie?

  92. DNS cache poisoning

  93. Can we trust the browser?

  94. Can we trust browser plugins?

  97. Signed Cookies

  98. Encrypted Cookies
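A signed cookie in the style of the session cookies Rack and Rails use, as an added example (own code, not Rack's or the deck's). `SECRET` is a constructed placeholder. Signing stops guessing and forgery of the value; it does not hide it, and neither signing nor encryption helps against the eavesdropping attacks the next slides cover.

```ruby
require "openssl"

# Added example, not from the deck: SECRET is a constructed placeholder; a
# real one comes from configuration, never from source.
SECRET = "constructed-example-secret-do-not-use".freeze

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Base64-encode the value, then append an HMAC-SHA256 over the encoded form.
# The "--" separator cannot occur inside base64 or a hex digest.
def sign_cookie(value, secret = SECRET)
  data = [value].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", secret, data)}"
end

# Returns the original value, or nil on any failure (missing separator,
# bad base64, wrong MAC) so the caller treats the request as anonymous.
def verify_cookie(cookie, secret = SECRET)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  return nil unless secure_equal?(mac, expected)
  data.unpack1("m0")
rescue ArgumentError
  nil
end
```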

  100. Eavesdropping

  101. encrypting cookies does not help

  105. attacker cannot parse cookie from stream

  107. Or can they?

  108. BEAST
    Browser Exploit Against SSL/TLS

  109. decrypts TLS 1.0 streams via injected JavaScript

  111. fixed in TLS 1.1

  112. force recent browser

  113. don't allow TLS 1.0

  115. CRIME
    Compression Ratio Info-leak Made Easy

  116. SSL has built-in compression

  117. GET /?user=alice HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob

    GET /?user=bob HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob

    (the second request gets better compression)

  119. update your browser

  120. turn off SSL compression

  121. append random number of bytes to response

  123. BREACH
    Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

  124. like CRIME, but for the response

  125. attack the CSRF token, not the cookie

  126. inject something in the response
    http://www.recipetast.ic/search?q=XXX

  128. mask CSRF tokens differently in every response
    (Rails PR pending)

  129. don't use CSRF tokens
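Per-response masking of a CSRF token, the mitigation slide 128 refers to, as an added example (own code, not the Rails patch). The real token stays fixed in the session; each response embeds a fresh random pad followed by token XOR pad, so the bytes on the wire differ every time and a compression oracle has no stable secret to converge on.

```ruby
require "securerandom"

# Added example, not from the deck: one-time-pad masking of a fixed token.

# Constant-time comparison for the final check.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Call once per rendered form or AJAX response: pad || (token XOR pad), base64.
def mask_token(real)
  pad = SecureRandom.random_bytes(real.bytesize)
  [pad + xor_bytes(real, pad)].pack("m0")
end

# Recover the real token from a submitted masked value; nil if malformed.
def unmask_token(masked_b64)
  bytes = masked_b64.to_s.unpack1("m0")
  half = bytes.bytesize / 2
  return nil if half.zero? || bytes.bytesize.odd?
  xor_bytes(bytes.byteslice(half, half), bytes.byteslice(0, half))
rescue ArgumentError
  nil
end

# Compare the unmasked submission against the session's real token.
def valid_masked_token?(submitted, real)
  candidate = unmask_token(submitted)
  !candidate.nil? && secure_equal?(candidate, real)
end
```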

  131. Do you think about all this when you build an app?

  132. Next attack vector around the corner?

  134. Alternatives

  135. IP address

  136. Session ID in URL

  138. Custom Authorization header

  140. Store value in Local Storage

  141. Needs JavaScript :(

  142. Works well with PJAX/Turbolinks-like setups

  144. New Browser Concepts?

  146. @konstantinhaase
    [email protected]
    rkh.im