Death to Cookies
Konstantin Haase
@konstantinhaase
story time
once upon a time
Recipetastic™
Bob, Alice
Bob, Alice, Eve
Bob, Alice, Mallet
problem solved
POST /login HTTP/1.1
Host: www.recipetast.ic
Content-Length: 44
[email protected]&password=st0p%20Motion
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
...
GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob
Guessing
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: pwd=...
...
GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob; pwd=...
Basic Auth, just with cookies (the password travels with every request)
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: token=...
...
XSS: Cross Site Scripting
can read the cookie and send it somewhere
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob; HttpOnly
...
the script can still read (and write) recipes as the victim, HttpOnly only hides the cookie value
sanitize all user input (and escape it on output)
Content Security Policy
CSRF: Cross Site Request Forgery
Is this awesome, y/n?
GET /create?… HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
Deadly cookies! (the browser attaches them no matter which site triggered the request)
GET, HEAD, OPTIONS, TRACE (safe: must not change state)
PUT, DELETE, LINK, UNLINK (idempotent: repeating has no further effect)
POST, PATCH (neither)
(resources 1 and 2)
PUT /2
PUT /2
Repeatable! :) State change! :( Deterministic! :)
https://speakerdeck.com/rkh/we-dont-know-http
POST /create HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
...
Deadly cookies! (a cross-site form can POST just as easily)
POST /create HTTP/1.1
Host: www.recipetast.ic
Referer: http://awesome-website.com/
Cookie: user=alice
Referer [sic]: the header name is misspelled in the HTTP spec itself
Referer is not sent for FTP referrers, nor when going from an HTTPS page to an HTTP page
Referer can be spoofed by an outdated Flash plugin
POST /create HTTP/1.1
Host: www.recipetast.ic
Origin: http://awesome-website.com
Cookie: user=alice
Not supported by older browsers
Origin can probably be spoofed by an outdated Flash plugin too
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: csrf_token=XXX
Cheating Same Origin
HTTP/1.1 200 OK
Content-Type: application/json
An attacker could just load it, right?
AJAX can only load from the same origin (or via CORS)
seems harmless
In JavaScript (older engines), a page could override the Array constructor, include the JSON via a cross-site <script src=…> and capture every array it creates.
https://github.com/rkh/json-csrf
Never serve JSON that has an array at top level (or don't use cookies)
VBScript did not fully implement Same Origin
Block Internet Explorer before IE9
require CSRF token forall AJAX requests
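Added example, not from the slides: a Rack-style check that puts the pieces above together. Origin (newer browsers) or Referer (older ones) must match when present, and a token compared in constant time is required for every state-changing request, AJAX included. The env keys, the session hash, SITE_ORIGIN and the csrf_token_param field are assumptions for the example.

```ruby
require "uri"

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
SITE_ORIGIN  = "https://www.recipetast.ic".freeze   # assumed: where the app is served

# Compare in constant time so response timing does not leak a valid token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# scheme://host[:port] of a URL, or nil if it does not parse (e.g. "null").
def origin_of(url)
  uri = URI.parse(url)
  return nil unless uri.scheme && uri.host
  port = uri.port && uri.port != uri.default_port ? ":#{uri.port}" : ""
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# env is a Rack-style hash (assumed: the form field arrives as
# env["csrf_token_param"]); session holds the server's copy of the token.
# Returns :ok or a symbol naming why the request is rejected.
def csrf_check(env, session)
  return :ok if SAFE_METHODS.include?(env["REQUEST_METHOD"])

  # Origin or Referer must point at us when present. A missing header is
  # tolerated because some browsers do not send one (see the slides above);
  # the token below is the primary defence, the header check is extra.
  source = env["HTTP_ORIGIN"] || env["HTTP_REFERER"]
  return :bad_origin if source && origin_of(source) != SITE_ORIGIN

  # Token from a request header (AJAX) or from the form body.
  submitted = env["HTTP_X_CSRF_TOKEN"] || env["csrf_token_param"]
  expected  = session["csrf_token"]
  return :missing_token if submitted.nil? || expected.nil?
  secure_compare(submitted, expected) ? :ok : :bad_token
end
```

A request is only allowed when every applicable check passes; a mismatching Origin is rejected even if the token would have been right, because a browser never sends a foreign Origin for a genuine same-site request.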
Are we doing good so far?
Can we trust a cookie?
DNS cache poisoning
Can we trust the browser?
Can we trust browserplugins?
Signed Cookies
Encrypted Cookies
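Added example, not from the slides: a signed cookie with HMAC-SHA256, so the server can hand state to the browser and still detect any edit (a guessed user=bob no longer works). The key, the encoding and the separator are assumptions; encryption is left out, signing only stops tampering, not reading.

```ruby
require "openssl"

# Assumed server-side secret; in practice read it from the environment or a
# secret store, never from the cookie itself.
SECRET_KEY = "assumed-32-byte-or-longer-random-server-secret".freeze

# Constant-time comparison: an early-exit compare would let an attacker
# learn a valid signature byte by byte from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# cookie value = base64(payload) "." hex(HMAC-SHA256(key, base64(payload)))
def sign_cookie(payload, key = SECRET_KEY)
  body = [payload].pack("m0")
  "#{body}.#{OpenSSL::HMAC.hexdigest("SHA256", key, body)}"
end

# Returns the payload, or nil when the signature is missing, does not match,
# or was made with a different key (the browser or anyone in between edited it).
def verify_cookie(cookie, key = SECRET_KEY)
  body, sig = cookie.to_s.split(".", 2)
  return nil if body.nil? || sig.nil?
  return nil unless secure_compare(sig, OpenSSL::HMAC.hexdigest("SHA256", key, body))
  body.unpack1("m0")
rescue ArgumentError   # invalid base64
  nil
end
```

The signature covers the encoded body, so cutting the body of one valid cookie and pasting the signature of another fails as well; what signing does not prevent is replaying a captured cookie, which is the eavesdropping problem the next slides turn to.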
Eavesdropping
encrypting cookies does not help (the eavesdropper replays the ciphertext as it is)
with TLS, the attacker cannot parse the cookie from the stream
Or can they?
BEAST: Browser Exploit Against SSL/TLS
decrypts TLS 1.0 streams via injected JavaScript
fixed in TLS 1.1
force recent browser
don’t allow TLS 1.0
CRIME: Compression Ratio Info-leak Made Easy
TLS has built-in (optional) compression
GET /?user=alice HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob
GET /?user=bob HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob
(better compression: the cookie line repeats the query string)
update your browser
turn off TLS compression
append a random number of bytes to the response (only adds noise, the leak is still there)
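Added example, not from the slides: the CRIME measurement from the two requests above, carried through to recovering a whole cookie. The cookie value, the hex alphabet and the request layout are constructed for the example; real TLS compression is replaced by plain DEFLATE, which is what TLS compression uses.

```ruby
require "zlib"

SECRET   = "7f3a9c21e4b8d6f0"                  # assumed: the victim's cookie
ALPHABET = ("0".."9").to_a + ("a".."f").to_a   # assumed: cookies are hex

# The plaintext the browser sends: the attacker-chosen query string first,
# the cookie (which the attacker cannot read) further down the same stream.
def request_with(reflected)
  "GET /?user=".b + reflected.b +
    " HTTP/1.1\r\nHost: www.recipetast.ic\r\nCookie: user=#{SECRET}\r\n\r\n".b
end

# DEFLATE with fixed Huffman codes (Zlib::FIXED): a literal byte then costs
# exactly 8 bits (9 bits for bytes >= 0x90), so the output size depends only
# on how much of the cookie line can be matched against the query string.
def deflated_size(bytes)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, Zlib::MAX_WBITS,
                        Zlib::DEF_MEM_LEVEL, Zlib::FIXED)
  out = z.deflate(bytes, Zlib::FINISH)
  z.close
  out.bytesize
end

# A correct guess saves only 7 or 8 bits and zlib reports whole bytes, so two
# guesses can tie.  Appending 0..7 distinct bytes >= 0x90 (9-bit literals that
# never form a match) and summing the eight sizes yields a score that grows by
# exactly one per bit of output, which removes the ties.
PADS = (0x90..0x97).map { |b| b.chr(Encoding::BINARY) }
def bit_score(reflected)
  (0..7).sum { |n| deflated_size(request_with(reflected.b + PADS.first(n).join)) }
end

# Recover the cookie one character at a time: the candidate that extends the
# shared prefix "user=<known>" makes the cookie line compress best.
def recover_secret(length)
  known = ""
  length.times { known += ALPHABET.min_by { |c| bit_score(known + c) } }
  known
end

if __FILE__ == $PROGRAM_NAME
  puts "user=0123456789abcdef: #{deflated_size(request_with('0123456789abcdef'))} bytes"
  puts "user=#{SECRET}: #{deflated_size(request_with(SECRET))} bytes"
  puts "recovered: #{recover_secret(SECRET.length)}"
end
```

Sixteen hex characters take 16 × 16 guesses, each observable as the size of the encrypted record; this is why padding the response with a random number of bytes only forces more samples per guess rather than stopping the attack.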
BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
like CRIME, but for the response (HTTP-level gzip instead of TLS compression)
attack the CSRF token, not the cookie
inject something into the response, e.g. the reflected search term in http://www.recipetast.ic/search?q=XXX
mask CSRF tokens differently in every response (Rails PR pending)
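Added example, not the Rails patch: what per-response masking looks like in outline. The session keeps one raw token; every page gets base64(pad || pad XOR token) with a fresh random pad, so the bytes BREACH would guess change on each response while the server still recovers the same token. Token length and encoding are assumptions.

```ruby
require "securerandom"

TOKEN_BYTES = 32

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Generated once per session and kept server-side; never written to a page as-is.
def new_session_token
  SecureRandom.random_bytes(TOKEN_BYTES)
end

# What goes into the HTML: a one-time pad and the padded token, so the same
# session token produces a different string in every response.
def mask_token(token)
  pad = SecureRandom.random_bytes(token.bytesize)
  [pad + xor_bytes(pad, token)].pack("m0")
end

# Strip the pad again; nil for anything that is not a well-formed masked token.
def unmask_token(masked)
  raw = masked.to_s.unpack1("m0")
  return nil unless raw.bytesize == 2 * TOKEN_BYTES
  xor_bytes(raw.byteslice(0, TOKEN_BYTES), raw.byteslice(TOKEN_BYTES, TOKEN_BYTES))
rescue ArgumentError   # invalid base64
  nil
end

def valid_csrf_token?(submitted, session_token)
  unmasked = unmask_token(submitted)
  !unmasked.nil? && secure_compare(unmasked, session_token)
end
```

The mask does not add secrecy (pad and padded token are both in the page); its only job is to make the response bytes non-repeating so compression-size measurements across requests no longer converge on the token.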
don’t use CSRF tokens
Do you think about all this when you build an app?
Next attack vector around the corner?
Alternatives
IP address
Session ID in URL
Custom Authorization header
Store value in LocalStorage
Needs JavaScript :(
Works well with PJAX/Turbolinks-like setups
New Browser Concepts?
@konstantinhaase
[email protected]
rkh.im