
Cookie Tossing - Methodology

szechuen
August 20, 2012


A walkthrough of how the Cookie Tossing technique works in bypassing the Double Submit Cookies method


Transcript

  1. What can we do?
     • From pr.bank.com, we can set a cookie with
       – name: csrf_token
       – value: i_swear_this_is_a_nonce
       – domain: .bank.com
     • And secure.bank.com would now receive the cookie

  2. How is this a problem?
     • secure.bank.com can surely differentiate between the cookies it sets and the ones from pr.bank.com, no?

  3. Back to our example transmission
     • Remember that pr.bank.com set a cookie for .bank.com
     • When the user revisits (legitimately or otherwise) secure.bank.com,
       – Cookie: csrf_token=wwssadadba; csrf_token=i_swear_this_is_a_nonce;

  4. Now do we have a problem?
     • Hold on there, cowboy! Not just yet!
     • Web frameworks take the first cookie value when they need to resolve multiple cookies with the same name
     • Hence,
       – Cookie: csrf_token=wwssadadba; csrf_token=i_swear_this_is_a_nonce;

  5. Ordering of duplicate cookies with different scope
     Browser   Ordering
     MSIE 6    Random
     MSIE 7    Random
     MSIE 8    Some Dropped
     FF 2      Some Dropped
     FF 3      Most Specific First
     Safari    Random
     Opera     Most Specific First
     Chrome    Most Specific First
     Android   By Age
     From Google Browser Security Handbook, Part 2
     http://code.google.com/p/browsersec/wiki/Part2

  6. This is what we will do
     • From pr.bank.com, we set a cookie with
       – name: csrf_token
       – value: i_swear_this_is_a_nonce
       – domain: .bank.com
       – path: /transfer_payment
     • Hence, for secure.bank.com,
       – Cookie: csrf_token=i_swear_this_is_a_nonce; csrf_token=wwssadadba;

  7. Let's replay the attack scenario
     This time with the attacker controlling a sub-domain of the site
  8. Bypassing Double Submit Cookies (diagram)
     Actors: Client, Web Server (secure.bank.com), Attacker (pr.bank.com); CSRF Nonce

  9. Bypassing Double Submit Cookies (diagram)
     Client cookies: CSRF Nonce, Session ID
     Form: CSRF Nonce, Email Add.

  10. Bypassing Double Submit Cookies (diagram)
      Client cookies: CSRF Nonce, Session ID

  11. Bypassing Double Submit Cookies (diagram)
      Client cookies: CSRF Nonce, Session ID
      Malicious Form: Bad Nonce, [email protected]
      Malicious Cookies: Bad Nonce

  12. Bypassing Double Submit Cookies (diagram)
      Client cookies: Bad Nonce, Session ID
      Malicious Form: Bad Nonce, [email protected]
      CSRF Nonce

  13. Bypassing Double Submit Cookies (diagram)
      Client cookies: Bad Nonce, Session ID
      Malicious Form: Bad Nonce, [email protected]
      CSRF Nonce

  14. Bypassing Double Submit Cookies (diagram)
      Client: Equal? Yes: Accept!
      Client cookies: Bad Nonce, Session ID
      Malicious Form: Bad Nonce, [email protected]
      CSRF Nonce
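The two checks below are an added example, not code from the deck or from any framework the deck refers to. They reproduce, server-side, the situation slides 3 to 6 and 9 to 14 describe: a Cookie header carrying two csrf_token cookies, a "first value wins" lookup that the deck says many frameworks perform, and a hardened double-submit check that refuses the request when the csrf_token name appears more than once. The browser-side header builder implements only the "Most Specific First" ordering from the slide 5 table (longest matching path first); the cookie jar, the hostname and the function names are all constructed for the example.

```python
"""Added example: what a double-submit check sees when a cookie has been tossed."""
import hmac
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]

# Constructed Cookie headers, taken from the deck's slides 3 and 6.
LEGIT_HEADER = "csrf_token=wwssadadba"
TOSSED_HEADER = "csrf_token=i_swear_this_is_a_nonce; csrf_token=wwssadadba"


def parse_cookie_header(header: str) -> List[Pair]:
    """Split a Cookie request header into (name, value) pairs.

    Duplicates are kept, in the order the browser sent them. Most cookie
    helpers collapse a repeated name into one entry, which hides exactly
    the condition this check needs to see.
    """
    pairs: List[Pair] = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def first_cookie(pairs: List[Pair], name: str) -> Optional[str]:
    """The 'first one wins' resolution the deck attributes to web frameworks."""
    for cookie_name, value in pairs:
        if cookie_name == name:
            return value
    return None


def naive_double_submit_ok(cookie_header: str, form_token: str) -> bool:
    """Plain double-submit: compare the form token with the first csrf_token cookie."""
    return first_cookie(parse_cookie_header(cookie_header), "csrf_token") == form_token


def hardened_double_submit_ok(cookie_header: str, form_token: str) -> bool:
    """Refuse the request unless exactly one csrf_token cookie is present.

    A tossed cookie from a sibling host always shows up as a second cookie
    of the same name, so the ambiguity itself is the signal to reject.
    """
    values = [v for n, v in parse_cookie_header(cookie_header) if n == "csrf_token"]
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0], form_token)


def build_cookie_header(jar: List[Dict[str, str]], host: str, path: str) -> str:
    """Model the 'Most Specific First' column of slide 5 (constructed jar format).

    Each jar entry has name, value, domain and path. Cookies whose domain and
    path match the request are emitted longest-path first, which is how a
    path-scoped cookie from pr.bank.com ends up ahead of the real one.
    """
    matching = [
        c for c in jar
        if (host == c["domain"].lstrip(".") or host.endswith(c["domain"]))
        and path.startswith(c["path"])
    ]
    matching.sort(key=lambda c: len(c["path"]), reverse=True)
    return "; ".join(f"{c['name']}={c['value']}" for c in matching)


# Constructed jar mirroring slides 1 and 6: the real nonce on the host,
# the tossed nonce on the parent domain with a narrower path.
SAMPLE_JAR = [
    {"name": "csrf_token", "value": "wwssadadba", "domain": "secure.bank.com", "path": "/"},
    {"name": "csrf_token", "value": "i_swear_this_is_a_nonce", "domain": ".bank.com", "path": "/transfer_payment"},
]

if __name__ == "__main__":
    header = build_cookie_header(SAMPLE_JAR, "secure.bank.com", "/transfer_payment")
    print("Cookie:", header)
    print("naive check accepts tossed nonce:", naive_double_submit_ok(header, "i_swear_this_is_a_nonce"))
    print("hardened check accepts tossed nonce:", hardened_double_submit_ok(header, "i_swear_this_is_a_nonce"))
```

Rejecting duplicates closes the gap the deck walks through, but it does not stop a sibling host from setting a cookie on the parent domain in the first place; the check only makes the server notice that it happened.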