Distill: Death to Cookies

Konstantin Haase

August 09, 2013
Transcript

  1. Death to Cookies
    Konstantin Haase
    @konstantinhaase

  2. once upon a time

  3. Recipetastic™

  4. Bob
    Alice
    Mallet

  5. problem solved

  6. POST /login HTTP/1.1
    Host: www.recipetast.ic
    Content-Length: 44
    [email protected]&
    password=st0p%20Motion

  7. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob

    ...

  8. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob

  9. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob
    Set-Cookie: pwd=...

    ...

  10. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob; pwd=...

  11. GET / HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob; pwd=...
    Basic Auth, just with cookies

  12. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob
    Set-Cookie: token=...

    ...

  13. XSS
    Cross Site Scripting

  14. can read cookie and send it somewhere

  15. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: user=bob; HttpOnly

    ...

  16. can read (and write) recipes

  17. sanitize all user input

  18. Content Security Policy

  19. CSRF
    Cross Site Request Forgery

  20. Is this awesome, y/n?

  21. GET /create?… HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice

  22. GET /create?… HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice
    Deadly cookies!

  23. GET, HEAD, OPTIONS, TRACE
    PUT, DELETE, LINK, UNLINK
    POST, PATCH

  24. (diagram: state 1 → PUT / → state 2; PUT / again → still state 2)
    Repeatable! :)
    State change! :(
    Deterministic! :)
    https://speakerdeck.com/rkh/we-dont-know-http

  25. GET, HEAD, OPTIONS, TRACE
    PUT, DELETE, LINK, UNLINK
    POST, PATCH

  26. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice
    ...

  27. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=alice
    ...
    Deadly cookies!

  28. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Referer: http://awesome-website.com/
    Cookie: user=alice

  29. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Referer: http://awesome-website.com/
    Cookie: user=alice
    [sic]

  30. Referer is not set for FTP or HTTPS referrers

  31. Referer can be spoofed by outdated flash plugin

  32. POST /create HTTP/1.1
    Host: www.recipetast.ic
    Origin: http://awesome-website.com
    Cookie: user=alice

  33. Not supported by older browsers

  34. Origin can probably be spoofed by outdated flash plugin

  35. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: csrf_token=XXX

  36. Cheating Same Origin

  37. HTTP/1.1 200 OK
    Content-Type: application/json

  38. An attacker could just load it, right?

  39. AJAX can only load from the same origin (or CORS)

  40. seems harmless

  41. In JavaScript, you can override the array constructor.

  42. https://github.com/rkh/json-csrf

  43. Never serve JSON that has an array at top level (or don’t use cookies)

  44. VBScript did not fully implement Same Origin

  45. Block Internet Explorer before IE9

  46. Block Internet Explorer before IE9

  47. require CSRF token for all AJAX requests

  48. Are we doing good so far?

  49. Can we trust a cookie?

  50. DNS cache poisoning

  51. Can we trust the browser?

  52. Can we trust browser plugins?

  53. Signed Cookies

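Signing a cookie, as this slide proposes, keeps `user=bob` readable by anyone who sees it but makes any change to it detectable by the server. The following is an added example, not code from the talk; it assumes a constructed server secret `SECRET_KEY` and a hypothetical `value--hextag` cookie layout.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret; a real server loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(value: str) -> str:
    """Append an HMAC-SHA256 tag so tampering is detectable.

    The value itself stays readable: this is a signed cookie, not an
    encrypted one, so it gives integrity, not confidentiality.
    """
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}--{tag}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value


if __name__ == "__main__":
    cookie = sign_cookie("user=bob")
    print(cookie)
    print(verify_cookie(cookie))                                    # user=bob
    print(verify_cookie(cookie.replace("user=bob", "user=alice")))  # None
```
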
    View full-size slide

  54. Encrypted Cookies

  55. Eavesdropping

  56. encrypting cookies does not help

  57. attacker cannot parse cookie from stream

  58. Or can they?

  59. BEAST
    Browser Exploit Against SSL/TLS

  60. decrypts TLS 1.0 streams via injected JavaScript

  61. fixed in TLS 1.1

  62. force recent browser

  63. don’t allow TLS 1.0

  64. CRIME
    Compression Ratio Info-leak Made Easy

  65. SSL has built-in compression

  66. GET /?user=alice HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob

    GET /?user=bob HTTP/1.1
    Host: www.recipetast.ic
    Cookie: user=bob
    (better compression)

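The two requests on the slide differ only in whether the query string repeats the secret `user=bob` from the Cookie header; DEFLATE, the algorithm TLS compression ran before encryption, rewards that repetition with a shorter output, and encryption hides content but not length. This added example (not the talk's code) measures the difference with zlib on requests constructed from the slide.

```python
import zlib

HOST = "www.recipetast.ic"
SECRET_COOKIE = "user=bob"   # the value an eavesdropper wants to learn


def build_request(guess: str) -> bytes:
    """Raw request constructed after the slide: the attacker-influenced query
    string and the secret Cookie header share one compressed TLS record."""
    return (
        f"GET /?user={guess} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
        "\r\n"
    ).encode()


def compressed_len(request: bytes) -> int:
    """Bytes after DEFLATE; this is the size the ciphertext reveals."""
    return len(zlib.compress(request, 9))


def length_difference(wrong_guess: str, right_guess: str) -> int:
    """Positive when the right guess compresses better: DEFLATE encodes the
    second `user=bob` as a back-reference instead of literal bytes."""
    return (compressed_len(build_request(wrong_guess))
            - compressed_len(build_request(right_guess)))


if __name__ == "__main__":
    # Same-length guesses ("cat" vs "bob") isolate the compression effect
    # from the plain length difference of "alice" vs "bob".
    for guess in ("alice", "cat", "bob"):
        print(f"{guess:>5}: {compressed_len(build_request(guess))} bytes")
```

Turning compression off (slides 67 and 68) removes the oracle entirely, which is why the mitigations on the following slides target the compressor rather than the cookie.
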
  67. update your browser

  68. turn off SSL compression

  69. append random number of bytes to response

  70. BREACH
    Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

  71. like CRIME, but for the response

  72. attack the CSRF token, not the cookie

  73. inject something in the response
    http://www.recipetast.ic/search?q=XXX

  74. mask CSRF tokens differently in every response
    (Rails PR pending)

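Masking the token with a fresh one-time pad in every response, the mitigation this slide refers to and the XOR scheme Rails later adopted, gives the compressor nothing stable to match against while the server can still recover the per-session token. This is an added example, not the Rails patch; `DEMO_TOKEN` is a constructed 32-byte secret and the `pad || (pad XOR token)` layout is an assumption.

```python
import hmac
import secrets

TOKEN_LEN = 32
# Constructed per-session secret; a real app keeps this in the session.
DEMO_TOKEN = bytes(range(TOKEN_LEN))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(session_token: bytes) -> bytes:
    """Return pad || (pad XOR token) using a fresh random pad.

    Every response now embeds a different byte string for the same secret,
    so compressing the response leaks nothing that stays true next time.
    """
    if len(session_token) != TOKEN_LEN:
        raise ValueError("unexpected token length")
    pad = secrets.token_bytes(TOKEN_LEN)
    return pad + _xor(pad, session_token)


def unmask_token(masked: bytes) -> bytes:
    """Recover the session token from the value a form submitted."""
    if len(masked) != 2 * TOKEN_LEN:
        raise ValueError("malformed masked token")
    return _xor(masked[:TOKEN_LEN], masked[TOKEN_LEN:])


def valid_csrf_token(session_token: bytes, submitted: bytes) -> bool:
    """Server-side check: unmask, then compare in constant time."""
    try:
        return hmac.compare_digest(session_token, unmask_token(submitted))
    except ValueError:
        return False


if __name__ == "__main__":
    first, second = mask_token(DEMO_TOKEN), mask_token(DEMO_TOKEN)
    print(first != second)                       # True: differs per response
    print(valid_csrf_token(DEMO_TOKEN, second))  # True
```
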
  75. don’t use CSRF tokens

  76. Do you think about all this when you build an app?

  77. Next attack vector around the corner?

  78. Alternatives

  79. Session ID in URL

  80. Custom Authorization header

  81. Store value in Local Storage

  82. Needs JavaScript :(

  83. Works well with PJAX/Turbolinks-like setups

  84. New Browser Concepts?