
Distill: Death to Cookies

Konstantin Haase

August 09, 2013

Transcript

  1. Death to Cookies Konstantin Haase @konstantinhaase

  2. story time

  6. once upon a time

  9. Recipetastic™

  12. Bob Alice

  13. Bob Alice

  14. Bob Alice Eve

  15. Bob Alice Mallet

  16. problem solved

  18. POST /login HTTP/1.1
      Host: www.recipetast.ic
      Content-Length: 44

      email=bob@builder.com&password=st0p%20Motion

  19. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: user=bob

      <html> ...

  20. GET / HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=bob

  21. Guessing

  25. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: user=bob
      Set-Cookie: pwd=...

      <html> ...

  26. GET / HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=bob; pwd=...

  27. GET / HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=bob; pwd=...

      Basic Auth, just with cookies

  28. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: user=bob
      Set-Cookie: token=...

      <html> ...

  30. XSS (Cross Site Scripting)

  32. can read cookie and send it somewhere

  34. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: user=bob; HttpOnly

      <html> ...

  36. can read (and write) recipes

  38. sanitize all user input (and escape it when rendering it into HTML)

  39. Content Security Policy

  41. CSRF (Cross Site Request Forgery)

  42. Is this awesome, y/n?

  44. GET /create?… HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=alice

  45. GET /create?… HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=alice

      Deadly cookies!

  47. safe: GET, HEAD, OPTIONS, TRACE
      idempotent: PUT, DELETE, LINK, UNLINK
      neither: POST, PATCH

  48. state 1 --PUT--> state 2 --PUT--> state 2
      Repeatable! :)  State change! :(  Deterministic! :)
      https://speakerdeck.com/rkh/we-dont-know-http

  49. safe: GET, HEAD, OPTIONS, TRACE
      idempotent: PUT, DELETE, LINK, UNLINK
      neither: POST, PATCH

  53. POST /create HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=alice
      ...

  54. POST /create HTTP/1.1
      Host: www.recipetast.ic
      Cookie: user=alice
      ...

      Deadly cookies!

  56. POST /create HTTP/1.1
      Host: www.recipetast.ic
      Referer: http://awesome-website.com/
      Cookie: user=alice

  57. POST /create HTTP/1.1
      Host: www.recipetast.ic
      Referer: http://awesome-website.com/   [sic]
      Cookie: user=alice

  60. Referer is not sent when navigating from an HTTPS page to an HTTP one, nor from non-HTTP origins such as FTP

  61. Referer can be spoofed by outdated flash plugin

  63. POST /create HTTP/1.1
      Host: www.recipetast.ic
      Origin: http://awesome-website.com
      Cookie: user=alice

  66. Not supported by older browsers

  67. Origin can probably be spoofed by outdated flash plugin

  69. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: csrf_token=XXX

  72. Cheating Same Origin

  73. HTTP/1.1 200 OK
      Content-Type: application/json

  74. An attacker could just load it, right?

  75. AJAX can only load from the same origin (or CORS)

  77. seems harmless

  78. In JavaScript you could override the Array constructor (or define setters on Object.prototype), so including the JSON via <script src=…> from another site leaked its values; modern engines ignore the overridden constructor for array literals, older ones did not.

  79. https://github.com/rkh/json-csrf

  81. Never serve JSON that has an array at top level (or don’t use cookies)

  83. VBScript did not fully implement Same Origin

  85. Block Internet Explorer before IE9

  86. Block Internet Explorer before IE9

  87. require CSRF token for all AJAX requests
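Added example (not from the talk): the Origin/Referer and token checks of slides 56 to 69 and 87 as one Ruby function. The request Hash, the header names, the site origin and the policy of refusing unsafe requests that carry neither Origin nor Referer are assumptions made for this example, not any framework's API.

```ruby
require "uri"

# Assumed canonical origin of the app (example value).
SITE_ORIGIN  = "https://www.recipetast.ic".freeze
# Safe methods never change state, so forging them buys the attacker nothing.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Constant-time string comparison so token verification leaks no timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Reduce a Referer URL to its origin ("scheme://host[:port]") so it can be
# compared the same way an Origin header would be. Returns nil if unusable.
def referer_origin(referer)
  return nil if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return nil unless uri.scheme && uri.host
  default_port = uri.scheme == "https" ? 443 : 80
  port = (uri.port.nil? || uri.port == default_port) ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# request is a plain Hash standing in for a Rack env (assumed shape):
#   { method: "POST", headers: {...}, params: {...}, session: {...} }
# Returns true if the request may proceed, false if it looks forged.
def csrf_safe?(request)
  return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

  headers = request[:headers] || {}
  # 1. Where did the browser say the request came from? Prefer Origin
  #    (sent by newer browsers on POST), fall back to Referer.
  source = headers["Origin"] || referer_origin(headers["Referer"])
  # Policy choice for this example: with neither header we cannot tell, so
  # refuse. This can lock out old browsers and HTTPS->HTTP navigations,
  # where the Referer is stripped; the token check below is the real defense.
  return false if source.nil? || source != SITE_ORIGIN

  # 2. The token: sent as a form field or, for AJAX, as a request header,
  #    and compared with the one stored in the user's session.
  submitted = (request[:params] || {})["csrf_token"] || headers["X-CSRF-Token"]
  expected  = (request[:session] || {})[:csrf_token]
  return false if submitted.nil? || expected.nil?
  secure_compare(submitted.to_s, expected.to_s)
end

if __FILE__ == $0
  session = { csrf_token: "t0k3n" }
  forged  = { method: "POST", headers: { "Origin" => "http://awesome-website.com" },
              params: {}, session: session }
  genuine = { method: "POST", headers: { "Origin" => SITE_ORIGIN },
              params: { "csrf_token" => "t0k3n" }, session: session }
  puts "forged:  #{csrf_safe?(forged)}"    # false
  puts "genuine: #{csrf_safe?(genuine)}"   # true
end
```

A request with the right Origin but no (or a wrong) token is still rejected, and a cross-site request is rejected even if the attacker somehow knew the token; the two checks are independent layers.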

  89. Are we doing good so far?

  91. Can we trust a cookie?

  92. DNS cache poisoning

  93. Can we trust the browser?

  94. Can we trust browser plugins?

  97. Signed Cookies

  98. Encrypted Cookies

  100. Eavesdropping

  101. encrypting cookies does not help (the eavesdropper replays the cookie as-is, without needing to read it)
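Added example (not from the talk): signed and encrypted cookies in Ruby with OpenSSL, illustrating slides 97, 98 and 101. The cookie layouts (`base64--hmac` and `base64(iv||tag||ciphertext)`), the key handling and the function names are this example's own choices, not Rack's or Rails' format. Tampering with either cookie is rejected, but an eavesdropper who copied the cookie string is let in just the same, which is why encryption alone does nothing against eavesdropping.

```ruby
require "openssl"
require "base64"
require "securerandom"

# Server-side secrets; assumed to come from config or a KMS in a real app.
SIGNING_KEY    = SecureRandom.random_bytes(32)
ENCRYPTION_KEY = SecureRandom.random_bytes(32)

# Constant-time comparison: an early-exit compare would let an attacker
# forge the MAC one byte at a time by timing the server.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed cookie: "<base64 payload>--<hex HMAC-SHA256>". The client can read
# the payload but cannot change it without the key, so "user=bob" can no
# longer be edited into "user=alice".
def sign_cookie(payload, key = SIGNING_KEY)
  data = Base64.strict_encode64(payload)
  mac  = OpenSSL::HMAC.hexdigest("SHA256", key, data)
  "#{data}--#{mac}"
end

# Returns the payload, or nil if the cookie is malformed or the MAC is wrong.
def verify_cookie(cookie, key = SIGNING_KEY)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, data)
  return nil unless secure_compare(expected, mac)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Encrypted cookie: AES-256-GCM with a random 12-byte IV; layout is
# base64(iv || tag || ciphertext). The tag makes tampering detectable and the
# client cannot read the contents. Payload must be non-empty.
def encrypt_cookie(payload, key = ENCRYPTION_KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(payload) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the payload, or nil if the cookie is malformed, was modified, or
# was produced under a different key.
def decrypt_cookie(cookie, key = ENCRYPTION_KEY)
  raw = Base64.strict_decode64(cookie.to_s)
  return nil if raw.bytesize <= 28
  iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

if __FILE__ == $0
  signed = sign_cookie("user=bob")
  puts "signed:    #{signed} -> #{verify_cookie(signed).inspect}"
  forged = "#{Base64.strict_encode64('user=alice')}--#{signed.split('--').last}"
  puts "forged:    #{verify_cookie(forged).inspect}"
  encrypted = encrypt_cookie("user=bob")
  puts "encrypted: #{encrypted} -> #{decrypt_cookie(encrypted).inspect}"
  # An eavesdropper does not need to decrypt: replaying the string is enough.
  puts "replayed:  #{decrypt_cookie(encrypted.dup).inspect}"
end
```

Both variants bind the value to a server-side key; neither binds it to the client, so whoever captured the cookie on the wire is indistinguishable from the user until it expires or is revoked.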

  105. attacker cannot parse cookie from stream

  107. Or can they?

  108. BEAST (Browser Exploit Against SSL/TLS)

  109. recovers plaintext (such as the cookie) from TLS 1.0 CBC streams, using injected JavaScript to send chosen plaintext alongside it

  111. fixed in TLS 1.1

  112. force recent browser

  113. don’t allow TLS 1.0

  115. CRIME (Compression Ratio Info-leak Made Easy)

  116. TLS has (optional) built-in compression

  117. GET /?user=alice HTTP/1.1
       Host: www.recipetast.ic
       Cookie: user=bob

       GET /?user=bob HTTP/1.1
       Host: www.recipetast.ic
       Cookie: user=bob

       better compression: in the second request "user=bob" repeats the cookie, so the compressed request is shorter

  119. update your browser

  120. turn off SSL compression

  121. append random number of bytes to response

  123. BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)

  124. like CRIME, but for the response

  125. attack the CSRF token, not the cookie

  126. inject something into the response, e.g. via http://www.recipetast.ic/search?q=XXX
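Added example (not from the talk): a BREACH-style oracle in Ruby that recovers a CSRF token from nothing but compressed response sizes; the same length leak on the request side is what CRIME exploits against the cookie (slide 117). The HTML page, the hex token and the byte-alignment fillers are constructed for the example. Deflate is run with Zlib::FIXED (static Huffman codes) so that only the LZ77 match length decides the size, which keeps the demonstration deterministic; with the default dynamic codes the attack still works but needs more probes.

```ruby
require "zlib"

HEX = (("0".."9").to_a + ("a".."f").to_a).freeze

# Constructed stand-in for a vulnerable page: it carries the CSRF token and
# reflects the (attacker-chosen) search query into the same response body.
def render_search_page(token, query)
  <<~HTML
    <html><body>
    <form method="post" action="/create">
    <input type="hidden" name="csrf_token" value="#{token}">
    </form>
    <p>Results for: #{query}</p>
    </body></html>
  HTML
end

# Size of the body after deflate, i.e. what an eavesdropper sees on the wire
# when the response is compressed. Zlib::FIXED (static Huffman codes) makes
# the output depend only on the LZ77 matches, not on a per-body code table.
def compressed_size(body)
  z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, Zlib::MAX_WBITS,
                        Zlib::DEF_MEM_LEVEL, Zlib::FIXED)
  out = z.deflate(body, Zlib::FINISH)
  z.close
  out.bytesize
end

# The oracle: the attacker picks the query and learns only the length.
def oracle(token, query)
  compressed_size(render_search_page(token, query))
end

# Deflate output is measured in whole bytes while a correct guess saves about
# one literal (8 bits), so the right candidate can tie with the wrong ones.
# Re-asking with a filler whose own encoded cost is not a multiple of 8 bits
# shifts the alignment and breaks the tie. Constructed; the filler characters
# must not occur elsewhere in the page.
SHIMS = ["", "~~~~~~", "^`{|}^`{|}"].freeze

# Recover `length` hex characters that follow value=" in the page, one at a
# time: ask the oracle for every candidate and keep the one that compressed
# best. A correct candidate extends the back-reference to the real token by
# one byte instead of costing a fresh literal.
def recover_token(length, oracle)
  known = +""
  length.times do
    found = nil
    SHIMS.each do |shim|
      sizes = HEX.map { |c| [c, oracle.call(%(value="#{known}#{c}#{shim}))] }
      smallest = sizes.map(&:last).min
      winners = sizes.select { |_, size| size == smallest }.map(&:first)
      if winners.size == 1
        found = winners.first
        break
      end
    end
    raise "oracle stayed ambiguous at position #{known.size}" if found.nil?
    known << found
  end
  known
end

if __FILE__ == $0
  token = "1f3a9c4e" # constructed secret
  probe = ->(query) { oracle(token, query) }
  puts "wrong first char: #{oracle(token, 'value="0')} bytes, " \
       "right first char: #{oracle(token, 'value="1')} bytes"
  puts "recovered: #{recover_token(token.size, probe)}"
end
```

Each position costs at most 16 candidates times 3 fillers, so the whole token falls in a few hundred requests; on the real wire the attacker reads the TLS record lengths instead of calling a function, and the HTTPS cannot hide them.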

  128. mask CSRF tokens differently in every response (Rails PR pending)

  129. don’t use CSRF tokens
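Added example (not from the talk): per-response token masking in Ruby, the idea behind slide 128. A fresh one-time pad is XORed over the real token for every response and sent as pad||masked, so the bytes an attacker can guess at change with each response while the server still compares against the session's token. The function names and the layout are this example's own, not Rails' code.

```ruby
require "securerandom"
require "base64"

# Constant-time comparison so the final check leaks no timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Called once per rendered response: the same real token produces a
# different wire value every time, so a compression oracle that guesses the
# token byte by byte has no stable target in the page.
def mask_token(real)
  pad = SecureRandom.random_bytes(real.bytesize)
  Base64.strict_encode64(pad + xor_bytes(real, pad))
end

# Inverse of mask_token; nil if the submitted value is not pad||masked.
def unmask_token(encoded)
  raw = Base64.strict_decode64(encoded.to_s)
  return nil if raw.bytesize.zero? || raw.bytesize.odd?
  half = raw.bytesize / 2
  xor_bytes(raw[half, half], raw[0, half])
rescue ArgumentError
  nil
end

# Server-side check on an unsafe request: unmask what the form (or AJAX
# header) sent and compare with the token kept in the session.
def valid_masked_token?(submitted, real)
  unmasked = unmask_token(submitted)
  !unmasked.nil? && secure_compare(unmasked, real)
end

if __FILE__ == $0
  real = SecureRandom.hex(16)
  a, b = mask_token(real), mask_token(real)
  puts "two responses, same token, different bytes: #{a != b}"
  puts "both verify: #{valid_masked_token?(a, real) && valid_masked_token?(b, real)}"
end
```

Masking protects the token itself; any other secret that the page reflects next to attacker-controlled input (slide 126) remains guessable by the same oracle.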

  131. Do you think about all this when you build an app?

  132. Next attack vector around the corner?

  134. Alternatives

  135. IP address

  136. Session ID in URL

  138. Custom Authorization header

  140. Store value in Local Storage

  141. Needs JavaScript :(

  142. Works well with PJAX/Turbolinks-like setups

  144. New Browser Concepts?

  146. @konstantinhaase konstantin@travis-ci.org rkh.im