Distill: Death to Cookies
Konstantin Haase
August 09, 2013
Technology
Transcript
Death to Cookies Konstantin Haase @konstantinhaase
story time
once upon a time
Recipetastic™
Bob Alice
Bob Alice
Bob Alice Eve
Bob Alice Mallet
problem solved
POST /login HTTP/1.1
Host: www.recipetast.ic
Content-Length: 44

[email protected]&password=st0p%20Motion

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob

<html> ...

GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob
Guessing
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: pwd=...

<html> ...

GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob; pwd=...

Basic Auth, just with cookies

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: token=...

<html> ...
XSS (Cross Site Scripting)
an injected script can read the cookie and send it somewhere

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob; HttpOnly

<html> ...
even with HttpOnly, the injected script can still read (and write) recipes as the logged-in user

sanitize all user input
Content Security Policy
CSRF (Cross Site Request Forgery)
Is this awesome, y/n?

GET /create?… HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice

Deadly cookies!
GET, HEAD, OPTIONS, TRACE    safe (no state change)
PUT, DELETE, LINK, UNLINK    idempotent (state change, but repeatable and deterministic)
POST, PATCH                  neither

1, PUT / 2, 2, PUT / 2, 2: Repeatable! :)
State change! :(   Deterministic! :)
https://speakerdeck.com/rkh/we-dont-know-http
POST /create HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
...

Deadly cookies!

check the Referer [sic] header:

POST /create HTTP/1.1
Host: www.recipetast.ic
Referer: http://awesome-website.com/
Cookie: user=alice
Referer is not sent for FTP or HTTPS referrers
Referer can be spoofed by an outdated Flash plugin
POST /create HTTP/1.1
Host: www.recipetast.ic
Origin: http://awesome-website.com
Cookie: user=alice

Not supported by older browsers
Origin can probably be spoofed by an outdated Flash plugin
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: csrf_token=XXX
Cheating Same Origin

HTTP/1.1 200 OK
Content-Type: application/json

An attacker could just load it, right?
AJAX can only load from the same origin (or CORS)
seems harmless
In JavaScript, you can override the array constructor.
https://github.com/rkh/json-csrf

Never serve JSON that has an array at top level
(or don’t use cookies)
VBScript did not fully implement Same Origin

Block Internet Explorer before IE9
require CSRF token for all AJAX requests
Are we doing good so far?

Can we trust a cookie?
DNS cache poisoning
Can we trust the browser?
Can we trust browser plugins?
Signed Cookies
Encrypted Cookies
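What "Signed Cookies" means in practice, as an added example that is not code from the talk or from Sinatra/Rack: the server MACs the cookie payload with a secret it alone holds, so a client can read the session but cannot forge or alter it (the "Guessing" problem above). SECRET and the payload layout are constructed for this example; a real app loads the secret from configuration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not code from the talk: a signed, tamper-evident session
# cookie. The client can read the payload but cannot forge or alter it.
# SECRET is a constructed placeholder; a real app loads it from configuration.
SECRET = 'constructed-example-secret'.freeze

def hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
end

# Constant-time comparison: a plain == stops at the first differing byte,
# which leaks timing information about the expected MAC.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value layout: base64(json) + "--" + hmac(base64(json)).
# An expiry is included so a leaked cookie does not stay valid forever.
def build_cookie(session, secret = SECRET, ttl: 3600, now: Time.now.to_i)
  data = Base64.strict_encode64(JSON.generate(session.merge('exp' => now + ttl)))
  "#{data}--#{hmac(data, secret)}"
end

# Returns the session hash, or nil if the cookie is malformed, forged or expired.
def verify_cookie(cookie, secret = SECRET, now: Time.now.to_i)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_compare(hmac(data, secret), mac) # verify before parsing
  session = JSON.parse(Base64.strict_decode64(data))
  return nil unless session.is_a?(Hash) && session['exp'].is_a?(Integer) && session['exp'] > now
  session
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $0
  cookie = build_cookie({ 'user' => 'bob' })
  puts "Set-Cookie: session=#{cookie}; HttpOnly; Secure"
  p verify_cookie(cookie)                  # => {"user"=>"bob", "exp"=>...}
  p verify_cookie(cookie, 'wrong-secret')  # => nil
end
```

Signing stops forgery and tampering; it does nothing against someone who steals and replays the whole cookie, which is where the eavesdropping slides below pick up.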
Eavesdropping
encrypting cookies does not help (whoever captures the cookie can replay it without reading it)

use TLS: the attacker cannot parse the cookie from the stream
Or can they?

BEAST (Browser Exploit Against SSL/TLS)
decrypts TLS 1.0 streams via injected JavaScript
fixed in TLS 1.1
force recent browser
don’t allow TLS 1.0
CRIME (Compression Ratio Info-leak Made Easy)
SSL has built-in compression

GET /?user=alice HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob

GET /?user=bob HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob

the second request compresses better, because the guess matches the cookie

update your browser
turn off SSL compression
append random number of bytes to response
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)
like CRIME, but for the response
attack the CSRF token, not the cookie
inject something in the response: http://www.recipetast.ic/search?q=XXX

mask CSRF tokens differently in every response (Rails PR pending)
don’t use CSRF tokens
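One way to "mask CSRF tokens differently in every response", as an added example that is not code from the talk or from the Rails change it mentions: the per-session token never appears in a page as-is; each response embeds a fresh random pad together with the pad XOR token, so the bytes a compression oracle can observe change every time while the server still recovers the same token. It also folds in the Origin/Referer check from the CSRF slides above; header hashes and host names are constructed for the example.

```ruby
require 'securerandom'
require 'base64'
require 'uri'

# Added example, not code from the talk or from Rails: per-response masking of
# a CSRF token. Each response carries pad || (pad XOR token) with a fresh random
# pad, so the observable bytes differ on every response while the server still
# recovers the same session token after unmasking.
TOKEN_BYTES = 32

def new_session_token
  SecureRandom.random_bytes(TOKEN_BYTES) # kept server-side in the session
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so the check does not leak where the tokens differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called when rendering a form: the value to put in the hidden csrf field.
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_BYTES)
  Base64.strict_encode64(pad + xor(pad, session_token))
end

# Called on every state-changing request: unmask, then compare.
def valid_token?(submitted, session_token)
  raw = Base64.strict_decode64(submitted.to_s)
  return false unless raw.bytesize == 2 * TOKEN_BYTES
  pad, masked = raw[0, TOKEN_BYTES], raw[TOKEN_BYTES, TOKEN_BYTES]
  secure_compare(xor(pad, masked), session_token)
rescue ArgumentError
  false
end

# Belt and braces from earlier in the talk: reject requests whose Origin
# (or, failing that, Referer) is not our own host. Headers are a constructed hash.
def same_origin?(headers, expected_host)
  source = headers['Origin'] || headers['Referer']
  return false if source.nil?
  URI.parse(source).host == expected_host
rescue URI::InvalidURIError
  false
end
```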
Do you think about all this when you build an app?
Next attack vector around the corner?
Alternatives
IP address
Session ID in URL
Custom Authorization header
Store value in Local Storage
  Needs JavaScript :(
  Works well with PJAX/Turbo Links like setups

New Browser Concepts?
@konstantinhaase
[email protected]
rkh.im