Slashdot Mirror
Cross Site Cooking
Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking.
Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."
Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.
Of course cookies can be modified by a proxy. Of course sessions can be hijacked!
Don't you bake cookies?
A basic rule of web design is that information submitted from forms and cookies stored on a client computer should at the very least be validated before processing.
Otherwise, insecure browsers like TFA mentions are only one of your worries. What's to stop someone from modifying a cookie file with a hex editor? What's to stop someone from saving a local copy of your form and modifying it and submitting the modified form to your form processor?
I'm a big tall mofo.
Web applications that depend on the browser enforcing much will offer many opportunities for mischief.
That is true regardless of what the exact nature of the issue is. Never trust user provided input.
Expecting, not just a specific third-party program but, an entire class of programs to maintain your data integrity & overall security is sheer laziness or plain incomptence.
If you still don't get it: The problem is that the browsers are doing it correctly (read: RFC-conformant and logically correct) and the domain controllers who deliberately misuse a real domain as something-like-TLD are the ones to blame.
Wasn't this demonstrated when some guy managed to steal a bunch of passwords stored in cookies. It would grab the cookie when they visited his site and he would look through them and access accounts accordingly. I think this happened on a social netowrking site (myspace?)
Now, when the user visits evil.org it requests that a cookie called slashdot_cred be set for the site ".org." It has 2 dots in it, so it's set as a valid cookie and then next time you hit /. you'll hand over some alternate credential from evil.org.
Opportunities for exploiting this seem very limited. The only one i can think of are store affiliate programs. I know that if you visit a link that i give you for shutterstock then they'll set a cookie with my id so that i'll get the referral credit if you sign up within 30 days.
I'm not sure what goes into that cookie, but i might be able to make my own .com fake it and get credit for any signups that happen.
Of the three points, the middle (trailing dots on domain names) is the only one I hadn't considered already, as I thought browsers were smart enough to avoid it. Is there a list of browsers actually affected by it somewhere?
FTFA: One can set a cookie for ".com.", then bounce the visitor to http://www.victim.com./ .
I'm thinking plugins like the one I mentioned would help a user from getting screwed like this. I'd be curious as to other methods.
I love Opera.
I've got Opera set to warn me about cookies with "incorrect paths", I've been getting alot of warnings about cookies lately. (which I obviously refuse when they come up)
Should have known somthing like this was going on with all the questions about cookies & paths on Webmaster Forums awhile ago ya think ?...
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Well I can't say this was unexpected, nevertheless, it's pretty nasty considering that cookie trust is the standard way of keeping someone logged in. I suppose you could implement IP checking as an additional security measure, forcing wireless users to constantly re-login, but it would provide significant security improvements.
What it really goes to show is that web applications should always require a password to be entered for any 'sensitive' transactions. The definition of 'sensitive' is left as an exercise to the web developer.
I forgot /. scripts will automtically put a link in if you have "http://blah-blah.com" in your post.
As a DNS administrator, the trailing dot is something I was very aware of (although I didn't know about the cookie implementation errors). I've always wondered why you never saw URLs such as http://www.example.com./, instead of http://www.example.com/ ? The later (without the dot) is subject to local DNS spoofing.
However, aside from the browser problems, it seems that web servers also mess up the trailing dot problem. Most servers won't recognize their own hostnames when the Host header has a trailing dot. Proxies are also clueless and confused.
In fact, I was always surprised that the HTTP and URL standards (not to even mention the horrid X.509 certificate standards) seem so careless about the canonical domain name representation. There's no requirement, nor even a warning, about any use of the trailing dot in domain names, nor that any software (server, proxy, or agent) should do any sort of canonical name equivalence checking.
ought to focus on beefing up existing features rather than adding new cross domain holes
How about this - some sites could implement IP validation, _IF_ you allow them too.
If I'm a paranoid, tinfoil-hat slashdot type, i could check on the "perform IP validation for a greater security" option.
Or at least I hope it is. Devs definitely need to set up server-side security for this reason. You can't get them all, especially if they REALLY want in, but you can at least do your best on the client side.
:o
Of course, everyone knows that if you just comment it out, it disappears.
Less Talk. More Stab.
after all, using cookies is MUCH better than storing the sID in the query string :-S
Of course, i'm all for IP validation.
About two years ago I came up with a mechanism to base session cookies off of a series of md5 hashes along with the user-agent, screen resolution, and the Class B subnet mask and wrote up a document on how it could be done. Lo and behold I find that Google must have also independently figured out a way to do this as well. They implemented something like this into their gmail cookies, making XSS attacks damn near useless unless you're a good guesser or you know what you're doing when you do the cookie stealing and actually include javascript variables and record EVERYTHING you possibly can.
Use Session.Abandon before any logon attempt to prevent the type of session hijacks mentioned in TFA.
Opera is the one browser that was apparently not researched, as the issues do not show there (#2) or are less severe (in case of issue #1). People sometimes complain that Opera throws a warning for (or refuses) a cookie that the other browsers happily accept. This is no error, just Opera better at following the specs like RFC 2965...
If you don't like having choices made for you, you should start making your own. - Neal Stephenson
I wrote about this a while back, warning community sites about it. That was before the MySpace chaos. Formkeys help as a basic precaution, although they may also be read and passed on by ajax techniques.
If I'm reading this correctly, it's not that bad for most websites these days. There are two exploits that I see are possible from this.
1) Pushing a hacked cookie to the client that then is transmitted to a legitimate site
2) Stealing data contained in a cookie
In the first case, this seems like an exploit of limited value. Great I can make you send the wrong data to a site, but what exactly would be the construction of this wrong data such that it would cause mischief. I can make you log into your bank as me... great... so you can log take all my money? I mean there may be some strange setup that this can be used to exploit but I should think it's a rarity.
The second case is a more disconcerting concept, but I think this is a matter of common sense security. Most sites these days use a unique user identifier in cookies and don't store real data on the client. So the cookie doesn't provide a direct way to steal the information about that user. It does permit the ability to impersonate a user, which could be nasty, but most sites that have some sort of security consideration (i.e. banks, etc) require users to authenticate each time they access the site whether they have a cookie or not.
Having said that, my impression is that neither of these is all that easy to pull off in the real world. For #1, you have to visit a corrupted site, get the corrupted cookie, then go to a site that is vulnerable to the particulars of that corrupted cookie. So when you create the page you kinda have to know what the target is and the user may never go to that target. You might pick a high profile site to increase your odds, but the higher profile, the greater the likelyhood that they'll apply some level of paranoia to such things (on average).
For #2, you not only have to get them to hit your corrupt site, and hit a valid site, then you have to have them hit your corrupt site again. Then, for this to be of value, the valid site has to engage in realtively risky behavior with the cookies. So, once again, you'll get the most bang for the buck on higher profile sites which will be more likely to double check what you're doing.
So in the grand scheme this could be bad, but isn't terribly practical from what I can gather.
This sig has been temporarily disconnected or is no longer in service
with MSN network, we (large corp) banned all of their MSN domains as this is a security risk and as its intentionally deceptive on their part we had to classify it as malicious due to the intent
here (with analysis)
news report here
of course MS still use it and the surfers still have no idea its occuring, though if you block their servers you soon find out how many times they try.
never mind trusting the user, its the server and the company that does it that people cant trust
The exploit "Problem #3" won't work if the "victim" is already on virtual host. In this case, the web server would not recognize that it is hosting a site for evil.example.com and show the default site (if one is configured), not the desired site. For those who did not pay a premium to get a dedicated IP web hosting, this is a non-issue.
/robots.txt (/cookies.txt) to indicate that the host "example.com" accepts cookies set by certain hosts.
In general, I think cookies should only be allowed if the domain suffix of the cookie matches the host name---so www.example.com can set cookies for www.example.com and *.www.example.com, but not uwww.example.com, *.example.com, nor *.com. If you really want to let www.example.com set cookies for *.example.com, you should run a web server on example.com and put a trampoline script there to set the cookies for you. Or you could rename additional web servers *.www.example.com so they can all access the cookies set by www.example.com.
(I mean, really, those additional web servers are part of the world wide web of that domain, so they should all fall under the www domain.)
If this is still too restrictive, I think it is also viable to use, for example, additional DNS records or something like
Users will have an incentive to use those user agents that honor additional cookie restrictions because it provides some guard against cross site scripting (cooking).
I once had a signature.
I believe I have found a really wicked attack that could utilize this method to implement a serious DDoS effect. Lets consider issue #1, where I can create cookies in .org.
/. effect having serious financial impact on Slashdots bandwidth costs.
When a user visits my site, I set 20 cookies for slashdot.org. that are 4KB in size each (maximum number for a domain, and maximum allowed size per cookie). I also set the expiration for some time far into the future. I only have to send this data to each visitor 1 time.
As a result, everytime the user goes to slashdot, he transmits 20*4KB (80KB) of data at slashdot. Not a big deal right? But what if my site is slashdot'd, and a million faithful readers visit my evil website and get this bogus cookie data. Now slashdot will be flooded with 80KB from 1,000,000 users every single time they click on any slashdot page (potentially for years). Yikes! Slashdot becomes victim of covert and malicious
This is a potentially serious amplification attack vector that would be really hard to clean-up.
--
This attack ©The Terrorist Network ( www.terrorist.net )
Only 22% of servers use cookies. The best sites work fine without them.
'cause even if you do, the attacker may still happily use your domain name and it will work just fine. (and don't worry, if you don't have any associated with the IP, they will make one for you)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
LiveJournal is already aware of this issue, and trying to do their best to prevent said issues within their system
links contained in this discussion. No I don't wish to see tubgirl of goaste for the millionth time, thank you for your example links but no thanks!!!!
And was interested.
My question to the powers that be here who control cookies is why do so many site expire in 2016 or 2038?
qz
That's when the world ends. Haven't you heard?
For anyone who might be turned on by Michal's geekyness - you should be aware that he's not a girl, unlike what his name might imply.
Slashdot community, please notice: I am looking for a girlfriend.
Nave H. Weiss
SAML implementations (shibboleth, lib aliance etc) for distributed authentication usually include WAYF (where are you from) servers that direct a user to their home site for authentication purposes.
It's often the case that a WAYF implementation will utilise a cookie in order to "remember" the user's home site, permitting either the selection of an appropriate default or the automatic redirection to the user's local SSO origin.
The replacement of that cookie would mean the user doesn't wind up going to their usual origin to authenticate, potentially permitting credential capture.
WAYF implementatinos may mitigate against this by sanity-checking the cookie (only redirecting to members of a federation, for instance) - however, this is an example of how a fairly obscure bug might have wide-reaching consequences.
Happy reunion...
You missed my point. It was that if your site relies on a secure browser (as the article stated) or data that is stored client side (cookies), you have many worries, not just the one outlined in the article.
I'm a big tall mofo.
This kind of relates to a problem we're having.
How to get around sites that require session IDs just to link to them?
A ton of sites anymore require you to go to a main page to get some idiotic session ID just to get into the site.
Anyone have a way of using the stuff from this article or other methods to link to them?
I haven't been able to even wrap it in frames and make it iterate through or anything.
I'm under NDA, so pardon me while I dance a little... a certain large company with whom I have done business in the past, and which maintains a large stable of popular sites, once sent us their cookie documentation. As a partner site, we were required to play ball with this document, and I can only describe it as vile. It was a manual akin to the anarchist's cookbook, but for subverting the trust of our users. The information coming out about cookies is not "theoretical", it is practical and widely used by the largest sites.
If you don't believe me, turn on manual cookie accepting, and start visiting the largest sites on the net. Accept all cookies for just the session and see what you get. I assure you that you will see these games played, not by disreputable hackers, but by the companies that many thought they could trust. You will see your personal information (to the extent that company A has it), handed off to company B in ways that HTTP was not supposed to allow for. You will see a great many interesting things.
Laptops. There are many of us who find ourselves working out of hotels, airports, wherever. Having to log in again to multiple sites all the damn time would suck.
Because you know what? The only places where I stay "logged in" are the ones that I don't care about. My bank makes me log in every time I use it - fair enough. But slashdot? Who gives a rat's arse? What's worse, the main people who would implement this would be the very people for whom security should be the least concern, like the vendor message boards which, while useful, think they're being l33t by making you sign in with a 17 byte password as if your chat account was as important as nuclear launch codes.
You're special forces then? That's great! I just love your olympics!
"Right, but hijacking a session should require at least a man-in-the-middle attack."
I'm starting with the man-in-the-middle,
(Man-in-the-middle -Oh yeah!)
I'm asking him to change his ways
(Better change!)
No message could have been any clearer
(If you wanna make the world a better place)
(Take a look at yourself and then make the change)
(You gotta get it right, while you got the time)
('Cause when you close your heart)
You can't close your... your mind!
(Then you close your... mind!)
That man, that man, that man, that man
With that man-in-the-middle
(Man-in-the-middle, oh yeah!)
That man, that man, that man
I'm asking him to change his ways
(Better change!)
Sorry, couldn't help myself. Hee Hee! Aouh! *grab nuts doing V-sign!*
Defining Statistics and Social Research
What about setting a new session cookie every request, and requiring the user to send that one once he accepted it?
--brgr