Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Distill: Death to Cookies

5c2b452f6eea4a6d84c105ebd971d2a4?s=47 Konstantin Haase
August 09, 2013
Technology
7
870

Distill: Death to Cookies

5c2b452f6eea4a6d84c105ebd971d2a4?s=128

Konstantin Haase

August 09, 2013
Tweet

More Decks by Konstantin Haase

See All by Konstantin Haase
RubyConf Philippines 2017: Magenta is a Lie
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
0
170
How We Replaced Salary Negotiations with a Sinatra App
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
17
3.5k
HTTP (RubyMonsters Edition)
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
5
720
GCRC 2015: Abstract Thoughts on Abstract Things
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
1
310
Frozen Rails: Magenta - The Art Of Abstraction
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
3
240
RedDotRubyConf 2014: Magenta is a Lie - and other tales of abstraction
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
0
540
Ancient City Ruby: Hack me, if you can!
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
2
360
Boston I/O: Continuous Integration
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
3
240
Steel City Ruby: Architecting Chaos
5c2b452f6eea4a6d84c105ebd971d2a4?s=48 rkh
4
660

Other Decks in Technology

See All in Technology
AWSを使う上で意識しておきたい、クラウドセキュリティ超入門(駆け足版)
Cc073a7c6b0a79918ff1da48acb709e7?s=48 kkmory
0
220
ECS Exec を使った ECS の トラブルシューティング
6378d4cb0e5e7cfabe13d144827a6a28?s=48 dohara
0
170
CloudWatchアラームによるサービス継続のための監視入門 / Introduction to Monitoring for Service Continuity with CloudWatch Alarms
107ea34bd4da51e40f1c30b9ca0c459e?s=48 inomasosan
1
450
You're M̶u̶t̶e̶d̶ Rooted
Cc23340e1d811f083fb8d2dd1213c42b?s=48 patrickwardle
1
8.4k
セキュキャンを卒業してその後
1f745ff900e1be51aedae18cae76593c?s=48 kurochan
0
600
金融領域のマルチプロダクトを効率よく開発・運用するためのシステム基盤と組織設計について / 2022-07-28-multi-product-platform
0251532f4fb413ea1a026efe6eb16b87?s=48 stajima
0
150
Microsoft Azure を使い始める前に Azure Active Directory と Azure サブスクリプションの役割や関係性を正しく理解する
A01eab9adbf2ff21c28289ff1c996232?s=48 yoshiakioi
0
160
ECS on EC2 で Auto Scaling やってみる!
5a6e159c3f74fb7bd85e62efe5f34e2b?s=48 sayjoy
1
290
Step-by-Step MLOps and Microsoft Products
0fa6038e477031fcca028bab0efe07e3?s=48 shisyu_gaku
3
630
AWS CLI でやってみる ~ AWS Hands-on for Beginners ECS ハンズオン ~
8785139c395ce2345ce535822b522dde?s=48 kentosuzuki
1
560
Micro frontends and micro services
Acc7788c2c6d2c4b43b875fcad502cd2?s=48 kashif98
0
160
20220731 如何跟隨開源技術保持你的職涯發展
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
120

Featured

See All Featured
The Language of Interfaces
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
21k
Distributed Sagas: A Protocol for Coordinating Microservices
9128d500301ae51524e887bb680f471d?s=48 caitiem20
316
19k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
13
1.4k
What’s in a name? Adding method to the madness
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.6k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.7k
Become a Pro
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
3
910
Statistics for Hackers
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
782
210k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
Put a Button on it: Removing Barriers to Going Fast.
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.3k
Writing Fast Ruby
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
57k
Code Review Best Practice
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
44
9.8k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
173
8.6k

Transcript

  1. Death to Cookies Konstantin Haase @konstantinhaase

  2. story time

  3. None
  4. None
  5. None

  6. once upon a time

  7. None
  8. None

  9. Recipetastic™

  10. None
  11. None

  12. Bob Alice

  13. Bob Alice

  14. Bob Alice Eve

  15. Bob Alice Mallet

  16. problem solved

  17. None

  18. POST /login HTTP/1.1 Host: www.recipetast.ic Content-Length: 44 email=bob@builder.com& password=st0p%20Motion

  19. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob <html> ...

  20. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob

  21. Guessing

  22. None
  23. None
  24. None

  25. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: pwd=... <html>

    ...

  26. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=...

  27. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=... Basic Auth, just

    with cookies

  28. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: token=... <html>

    ...
  29. None

  30. XSS Cross Site Scripting

  31. None

  32. can read cookie and send it somewhere

  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob; HttpOnly <html> ...

  35. None

  36. can read (and write) recipes

  37. None

  38. sanitize all user input

  39. Content Security Policy

  40. None

  41. CSRF Cross Site Request Forgery

  42. Is this awesome, y/n?

  43. None

  44. GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice

  45. GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice Deadly cookies!

  46. None

  47. GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH

  48. 1 2 PUT / 2 PUT / 2 Repeatable! :)

    State change! :( Deterministic! :) https://speakerdeck.com/rkh/we-dont-know-http

  49. GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH

  50. None
  51. None
  52. None

  53. POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ...

  54. POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ... Deadly cookies!

  55. None

  56. POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice

  57. POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice

    [sic]
  58. None
  59. None

  60. Referer is not set for FTP or HTTPS referrers

  61. Referer can be spoofed by outdated flash plugin

  62. None

  63. POST /create HTTP/1.1 Host: www.recipetast.ic Origin: http://awesome- website.com Cookie: user=alice

  64. None
  65. None

  66. Not supported by older browsers

  67. Origin can probably be spoofed by outdated flash plugin

  68. None

  69. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: csrf_token=XXX

  70. None
  71. None

  72. Cheating Same Origin

  73. HTTP/1.1 200 OK Content-Type: application/json

  74. An attacker could just load it, right?

  75. AJAX can only load from the same origin (or CORS)

  76. None

  77. seems harmless

  78. In JavaScript, you can override the array constructor.

  79. https://github.com/rkh/json-csrf

  80. None

  81. Never serve JSON that has an array at top level

    (or don’t use cookies)
  82. None

  83. VBScript did not fully implement Same Origin

  84. None

  85. Block Internet Explorer before IE9

  86. Block Internet Explorer before IE9

  87. require CSRF token for all AJAX requests

  88. None

  89. Are we doing good so far?

  90. None

  91. Can we trust a cookie?

  92. DNS cache poisoning

  93. Can we trust the browser?

  94. Can we trust browser plugins?

  95. None
  96. None

  97. Signed Cookies

  98. Encrypted Cookies

  99. None

  100. Eaves- dropping

  101. encrypting cookies does not help

  102. None
  103. None
  104. None

  105. attacker cannot parse cookie from stream

  106. None

  107. Or can they?

  108. BEAST Browser Exploit Against SSL/ TLS

  109. decrypts TLS 1.0 streams via injected JavaScript

  110. None

  111. fixed in TLS 1.1

  112. force recent browser

  113. don’t allow TLS 1.0

  114. None

  115. CRIME Compression Ratio Info-leak Made Easy

  116. SSL has built-in compression

  117. GET /?user=alice HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob GET /?user=bob HTTP/1.1

    Host: www.recipetast.ic Cookie: user=bob better compression
  118. None

  119. update your browser

  120. turn off SSL compression

  121. append random number of bytes to response

  122. None

  123. BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

  124. like CRIME, but for the response

  125. attack the CSRF token, not the cookie

  126. inject something in the response http://www.recipetast.ic/search?q=XXX

  127. None

  128. mask CSRF tokens differently in every response (Rails PR pending)

  129. don’t use CSRF tokens

  130. None

  131. Do you think about all this when you build an

    app?

  132. Next attack vector around the corner?

  133. None

  134. Alternatives

  135. IP address

  136. Session ID in URL

  137. None

  138. Custom Authorization header

  139. None

  140. Store value in Local Storage

  141. Needs JavaScript :(

  142. Works well with PJAX/ Turbo Links like setups

  143. None

  144. New Browser Concepts?

  145. None

  146. @konstantinhaase konstantin@travis-ci.org rkh.im