Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Distill: Death to Cookies
Search
Konstantin Haase
August 09, 2013
Technology
7
1.2k
Distill: Death to Cookies
Konstantin Haase
August 09, 2013
Tweet
Share
More Decks by Konstantin Haase
See All by Konstantin Haase
RubyConf Philippines 2017: Magenta is a Lie
rkh
0
200
How We Replaced Salary Negotiations with a Sinatra App
rkh
17
4.2k
HTTP (RubyMonsters Edition)
rkh
5
1.1k
GCRC 2015: Abstract Thoughts on Abstract Things
rkh
1
360
Frozen Rails: Magenta - The Art Of Abstraction
rkh
3
310
RedDotRubyConf 2014: Magenta is a Lie - and other tales of abstraction
rkh
0
940
Ancient City Ruby: Hack me, if you can!
rkh
2
430
Boston I/O: Continuous Integration
rkh
3
310
Steel City Ruby: Architecting Chaos
rkh
4
930
Other Decks in Technology
See All in Technology
Goに育てられ開発者向けセキュリティ事業を立ち上げた僕が今向き合う、AI × セキュリティの最前線 / Go Conference 2025
flatt_security
0
350
Access-what? why and how, A11Y for All - Nordic.js 2025
gdomiciano
1
110
SOC2取得の全体像
shonansurvivors
1
380
職種別ミートアップで社内から盛り上げる アウトプット文化の醸成と関係強化/ #DevRelKaigi
nishiuma
2
140
多野優介
tanoyusuke
1
430
OpenAI gpt-oss ファインチューニング入門
kmotohas
2
960
「Verify with Wallet API」を アプリに導入するために
hinakko
1
230
「AI駆動PO」を考えてみる - 作る速さから価値のスループットへ:検査・適応で未来を開発 / AI-driven product owner. scrummat2025
yosuke_nagai
4
590
バイブコーディングと継続的デプロイメント
nwiizo
2
420
空間を設計する力を考える / 20251004 Naoki Takahashi
shift_evolve
PRO
3
330
KMP の Swift export
kokihirokawa
0
330
10年の共創が示す、これからの開発者と企業の関係 ~ Crossroad
soracom
PRO
1
190
Featured
See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
A Tale of Four Properties
chriscoyier
160
23k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
Agile that works and the tools we love
rasmusluckow
331
21k
The Language of Interfaces
destraynor
162
25k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
Fireside Chat
paigeccino
40
3.7k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Transcript
Death to Cookies Konstantin Haase @konstantinhaase
story time
None
None
None
once upon a time
None
None
Recipetastic™
None
None
Bob Alice
Bob Alice
Bob Alice Eve
Bob Alice Mallet
problem solved
None
POST /login HTTP/1.1 Host: www.recipetast.ic Content-Length: 44
[email protected]
& password=st0p%20Motion
HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob <html> ...
GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob
Guessing
None
None
None
HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: pwd=... <html>
...
GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=...
GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=... Basic Auth, just
with cookies
HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: token=... <html>
...
None
XSS Cross Site Scripting
None
can read cookie and send it somewhere
None
HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob; HttpOnly <html> ...
None
can read (and write) recipes
None
sanitize all user input
Content Security Policy
None
CSRF Cross Site Request Forgery
Is this awesome, y/n?
None
GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice
GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice Deadly cookies!
None
GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH
1 2 PUT / 2 PUT / 2 Repeatable! :)
State change! :( Deterministic! :) https://speakerdeck.com/rkh/we-dont-know-http
GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH
None
None
None
POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ...
POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ... Deadly cookies!
None
POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice
POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice
[sic]
None
None
Referer is not set for FTP or HTTPS referrers
Referer can be spoofed by outdated flash plugin
None
POST /create HTTP/1.1 Host: www.recipetast.ic Origin: http://awesome- website.com Cookie: user=alice
None
None
Not supported by older browsers
Origin can probably be spoofed by outdated flash plugin
None
HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: csrf_token=XXX
None
None
Cheating Same Origin
HTTP/1.1 200 OK Content-Type: application/json
An attacker could just load it, right?
AJAX can only load from the same origin (or CORS)
None
seems harmless
In JavaScript, you can override the array constructor.
https://github.com/rkh/json-csrf
None
Never serve JSON that has an array at top level
(or don’t use cookies)
None
VBScript did not fully implement Same Origin
None
Block Internet Explorer before IE9
Block Internet Explorer before IE9
require CSRF token for all AJAX requests
None
Are we doing good so far?
None
Can we trust a cookie?
DNS cache poisoning
Can we trust the browser?
Can we trust browser plugins?
None
None
Signed Cookies
Encrypted Cookies
None
Eaves- dropping
encrypting cookies does not help
None
None
None
attacker cannot parse cookie from stream
None
Or can they?
BEAST Browser Exploit Against SSL/ TLS
decrypts TLS 1.0 streams via injected JavaScript
None
fixed in TLS 1.1
force recent browser
don’t allow TLS 1.0
None
CRIME Compression Ratio Info-leak Made Easy
SSL has built-in compression
GET /?user=alice HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob GET /?user=bob HTTP/1.1
Host: www.recipetast.ic Cookie: user=bob better compression
None
update your browser
turn off SSL compression
append random number of bytes to response
None
BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
like CRIME, but for the response
attack the CSRF token, not the cookie
inject something in the response http://www.recipetast.ic/search?q=XXX
None
mask CSRF tokens differently in every response (Rails PR pending)
don’t use CSRF tokens
None
Do you think about all this when you build an
app?
Next attack vector around the corner?
None
Alternatives
IP address
Session ID in URL
None
Custom Authorization header
None
Store value in Local Storage
Needs JavaScript :(
Works well with PJAX/ Turbo Links like setups
None
New Browser Concepts?
None
@konstantinhaase
[email protected]
rkh.im