Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross Site Cooking

Posted by Hemos on from the boning-up-on-the-bad-stuff dept.

Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking. Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."

34 of 125 comments (clear)

  1. Web developers by mhanoh · · Score: 5, Insightful

    Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.

    Of course cookies can be modified by a proxy. Of course sessions can be hijacked!

    1. Re:Web developers by dmeranda · · Score: 5, Interesting

      Unless of course you encrypt, or at least digitally sign all cookies you legitimately send.

      The fact that none of the cookie meta-data is ever sent to the server along with the cookie body is one of the biggest pains. Aside from the domain restriction that the article talks about, another big one is the expiration date. This is important if the server *wants* cookies to expire, such as if used for authentication.

      Thus a safe server will encode the cookie expiration date directly into the cookie value (as well as the cookie metadata), and then sign (or HMAC) the cookie value. And there's also the previously mentioned Ajax cookie stealing attacks to guard against, which usually means disabling the TRACE command or setting the secure cookie property.

    2. Re:Web developers by dasil003 · · Score: 5, Insightful

      Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.
       
      Of course cookies can be modified by a proxy. Of course sessions can be hijacked!

      Right, but hijacking a session should require at least a man-in-the-middle attack. Allowing anyone to arbitrarily grab cookies from a visitor is a pretty big gaping hole. Obviously anything requiring serious security needs SSL and/or other cryptographic measures, but for the huge number of casual websites that only need basic authentication this really throws a wrench in the works, unless you want to ask the user for their password every single time they load a page.

    3. Re:Web developers by jacksonj04 · · Score: 5, Informative

      Alternatively, only drop a session tracking ID by cookie then maintain session expiry data on the server. With this it's possible to also do things like hostmask matching, so if the hostmask of the machine sending the session doesn't match one on the database, the password can be asked for again as verification.

      --
      How many people can read hex if only you and dead people can read hex?
    4. Re:Web developers by multipartmixed · · Score: 2, Informative

      I also use cookies for display preferences which might reasonable change from browser-to-browser or host-to-host for the same user.

      Nothing critical, though; worst case scenario, the attacker makes the screen look a little funny. Whoopie.

      --

      Do daemons dream of electric sleep()?
    5. Re:Web developers by ArsenneLupin · · Score: 2, Insightful
      Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.

      Oh, the old "the only secure machine is a machine that is switched off, thus security is a lost battle anyways, so we should not waste any precious time implementing security" canard.

      Yes, statistically, all non-trivial protocols will indeed have (unknown) security holes, but that should not be an excuse to leave known security holes unpatched when they come to our attention.

      We're all 100% sure that we'll die one day anyways, but nobody in their right mind uses that as an excuse to disregard safety procedures when operating heavy machinery ;-)

      Of course cookies can be modified by a proxy.

      ... and so we should keep them modifiable by any random web site too? How about fixing one problem at a time, rather than saying "there's no point in making our banking service secure, because our customers might just get mugged in the street and lose their money anyways...".

      Of course sessions can be hijacked!

      You're probably right. Even after fixing the known bugs allowing session hijackings, there will still be unknown ways of doing this. But we have to start somewhere. A new method of hijacking has been shown, and suggestions to address the issue have been proposed (be more picky about Host header verification, etc.). Why not heed these suggestions, and at least plug this particular hole (even if, true enough, there are potentially zillions of other holes left...)

  2. No site should trust client-side information. by bigtallmofo · · Score: 5, Insightful

    A basic rule of web design is that information submitted from forms and cookies stored on a client computer should at the very least be validated before processing.

    Otherwise, insecure browsers like TFA mentions are only one of your worries. What's to stop someone from modifying a cookie file with a hex editor? What's to stop someone from saving a local copy of your form and modifying it and submitting the modified form to your form processor?

    --
    I'm a big tall mofo.
    1. Re:No site should trust client-side information. by isomeme · · Score: 2, Insightful

      This is why I so appreciate Perl's "taint checking" mode. In this mode, *all* data obtained from external sources -- http payload, env, read from a file -- is considered tainted until it's been the object of a regex pattern match, which turns off the taint bit. Tainted data cannot be used in any action that will have external effects -- writing to output streams, calling system execs, etc.

      It's not perfect, of course, but it's alerted me to potential security problems dozens of times.

      --
      When all you have is a hammer, everything looks like a skull.
    2. Re:No site should trust client-side information. by ArsenneLupin · · Score: 2, Informative
      This is why I so appreciate Perl's "taint checking" mode. In this mode, *all* data obtained from external sources ... is considered tainted

      Except that this only allows you to protect against lack of datavalidation/escaping bugs (SQL injection, etc.), not against this attack.

      The cookie planted by the attacker looks legit at first glance (the attacker may very well have gotten it from your site in the first place, before foisting it on an unsuspecting victim). The problem lies not in the cookie's contents, but on the fact that that content is known by a third party in addition to the victim. No amount of taint-checking will reveal this.

  3. Never trust the input by MyNymWasTaken · · Score: 5, Informative

    Web applications that depend on the browser enforcing much will offer many opportunities for mischief.

    That is true regardless of what the exact nature of the issue is. Never trust user provided input.

    Expecting, not just a specific third-party program but, an entire class of programs to maintain your data integrity & overall security is sheer laziness or plain incomptence.

  4. I think you misunderstand by grahamsz · · Score: 4, Interesting
    Say you give some 64 byte randomly generated credential to the user as the cookie slashdot_cred. You store that in your database against their account, and then when they return that string you "know" that you've reached them. Typically that cookie is scoped to ".slashdot.org" so it can be read on it.slashdot.org and games.slashdot.org.

    Now, when the user visits evil.org it requests that a cookie called slashdot_cred be set for the site ".org." It has 2 dots in it, so it's set as a valid cookie and then next time you hit /. you'll hand over some alternate credential from evil.org.

    Opportunities for exploiting this seem very limited. The only one i can think of are store affiliate programs. I know that if you visit a link that i give you for shutterstock then they'll set a cookie with my id so that i'll get the referral credit if you sign up within 30 days.

    I'm not sure what goes into that cookie, but i might be able to make my own .com fake it and get credit for any signups that happen.

  5. Work arounds.... by IAAP · · Score: 2, Informative
    The Firefox extension: "SpoofStick" can help - I think.

    FTFA: One can set a cookie for ".com.", then bounce the visitor to http://www.victim.com./ .

    I'm thinking plugins like the one I mentioned would help a user from getting screwed like this. I'd be curious as to other methods.

  6. Opera by Joebert · · Score: 3, Interesting

    I love Opera.
    I've got Opera set to warn me about cookies with "incorrect paths", I've been getting alot of warnings about cookies lately. (which I obviously refuse when they come up)

    Should have known somthing like this was going on with all the questions about cookies & paths on Webmaster Forums awhile ago ya think ?...

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    1. Re:Opera by CTho9305 · · Score: 2, Interesting

      I love SeaMonkey.

      I've got SeaMonkey set to allow persistent cookies from sites on my whitelist, and session cookies only for other sites.

      --
      My server
    2. Re:Opera by CTho9305 · · Score: 2, Informative

      SeaMonkey (don't download the beta just yet - 1.0 is shipping in a matter of hours!)

      --
      My server
    3. Re:Opera by mrdaveb · · Score: 2, Funny

      Kryten: RFC Directive 2965 'No officer above the rank of mess sergeant is permitted to go into combat with pierced nipples'. Sorry sir, I fail to see the relevance

      --
      Homme petit d'homme petit, s'attend, n'avale
  7. Nasty by dasil003 · · Score: 2, Insightful

    Well I can't say this was unexpected, nevertheless, it's pretty nasty considering that cookie trust is the standard way of keeping someone logged in. I suppose you could implement IP checking as an additional security measure, forcing wireless users to constantly re-login, but it would provide significant security improvements.

    What it really goes to show is that web applications should always require a password to be entered for any 'sensitive' transactions. The definition of 'sensitive' is left as an exercise to the web developer.

    1. Re:Nasty by coolgeek · · Score: 2, Insightful

      IP Checking won't work, unless you want all your AOL-based visitors to keep getting logged out. I think some Cable users too. Basically anyone that has a proxy-cluster between their browser and your site will come from several different IPs as they surf your site.

      --

      cat /dev/null >sig
    2. Re:Nasty by dasil003 · · Score: 2, Funny

      ...unless you want all your AOL-based visitors to keep getting logged out.

      Uhhhhmmmm...

      Nah, it's too easy.

      Seriously, good point, it just underscores the problem.

  8. The canonical DNS name problem by dmeranda · · Score: 5, Interesting

    As a DNS administrator, the trailing dot is something I was very aware of (although I didn't know about the cookie implementation errors). I've always wondered why you never saw URLs such as http://www.example.com./, instead of http://www.example.com/ ? The later (without the dot) is subject to local DNS spoofing.

    However, aside from the browser problems, it seems that web servers also mess up the trailing dot problem. Most servers won't recognize their own hostnames when the Host header has a trailing dot. Proxies are also clueless and confused.

    In fact, I was always surprised that the HTTP and URL standards (not to even mention the horrid X.509 certificate standards) seem so careless about the canonical domain name representation. There's no requirement, nor even a warning, about any use of the trailing dot in domain names, nor that any software (server, proxy, or agent) should do any sort of canonical name equivalence checking.

  9. Good idea! by Spy+der+Mann · · Score: 2, Interesting

    How about this - some sites could implement IP validation, _IF_ you allow them too.

    If I'm a paranoid, tinfoil-hat slashdot type, i could check on the "perform IP validation for a greater security" option.

  10. How Google gets around this... by Sheepdot · · Score: 5, Interesting

    About two years ago I came up with a mechanism to base session cookies off of a series of md5 hashes along with the user-agent, screen resolution, and the Class B subnet mask and wrote up a document on how it could be done. Lo and behold I find that Google must have also independently figured out a way to do this as well. They implemented something like this into their gmail cookies, making XSS attacks damn near useless unless you're a good guesser or you know what you're doing when you do the cookie stealing and actually include javascript variables and record EVERYTHING you possibly can.

    1. Re:How Google gets around this... by ArsenneLupin · · Score: 2, Interesting
      Seriously, what's wrong with generating session cookies randomly that you felt the need to "fix"?

      Cross-site cooking, maybe? ;-)

      If you encode some client identifying info into the cookie, in addition to a random seed, you protect against attackers grabbing a cookie from your site, then foisting that cookie on an unsuspecting victim, and finally coming back to reap the rewards...

      The client info would prevent step 2 (because the server will notice that it never handed out that cookie to the victim, and just give the victim a new brand-new cookie, foiling the attack)

  11. Re:The second one suprises me by Ark42 · · Score: 3, Informative

    Yeah, that one surprised me as well, and he made it seem like modern browsers where still affected, but a simple PHP script:
    <?
        SetCookie("Test","Value",0,"/",".com.");
        print_r($_COOKIE);
    ?>

    Did not work in Firefox or IE6 for me, so those browsers at least, seem safe from this.

    --
    Morphing Software
  12. Opera by Rits · · Score: 2, Informative

    Opera is the one browser that was apparently not researched, as the issues do not show there (#2) or are less severe (in case of issue #1). People sometimes complain that Opera throws a warning for (or refuses) a cookie that the other browsers happily accept. This is no error, just Opera better at following the specs like RFC 2965...

    --
    If you don't like having choices made for you, you should start making your own. - Neal Stephenson
  13. Formkeys by Bemmu · · Score: 2, Informative

    I wrote about this a while back, warning community sites about it. That was before the MySpace chaos. Formkeys help as a basic precaution, although they may also be read and passed on by ajax techniques.

  14. Not THAT nasty by sterno · · Score: 2, Insightful

    If I'm reading this correctly, it's not that bad for most websites these days. There are two exploits that I see are possible from this.

    1) Pushing a hacked cookie to the client that then is transmitted to a legitimate site
    2) Stealing data contained in a cookie

    In the first case, this seems like an exploit of limited value. Great I can make you send the wrong data to a site, but what exactly would be the construction of this wrong data such that it would cause mischief. I can make you log into your bank as me... great... so you can log take all my money? I mean there may be some strange setup that this can be used to exploit but I should think it's a rarity.

    The second case is a more disconcerting concept, but I think this is a matter of common sense security. Most sites these days use a unique user identifier in cookies and don't store real data on the client. So the cookie doesn't provide a direct way to steal the information about that user. It does permit the ability to impersonate a user, which could be nasty, but most sites that have some sort of security consideration (i.e. banks, etc) require users to authenticate each time they access the site whether they have a cookie or not.

    Having said that, my impression is that neither of these is all that easy to pull off in the real world. For #1, you have to visit a corrupted site, get the corrupted cookie, then go to a site that is vulnerable to the particulars of that corrupted cookie. So when you create the page you kinda have to know what the target is and the user may never go to that target. You might pick a high profile site to increase your odds, but the higher profile, the greater the likelyhood that they'll apply some level of paranoia to such things (on average).

    For #2, you not only have to get them to hit your corrupt site, and hit a valid site, then you have to have them hit your corrupt site again. Then, for this to be of value, the valid site has to engage in realtively risky behavior with the cookies. So, once again, you'll get the most bang for the buck on higher profile sites which will be more likely to double check what you're doing.

    So in the grand scheme this could be bad, but isn't terribly practical from what I can gather.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Not THAT nasty by Metasquares · · Score: 2, Insightful

      There's the possibility of setting up some sort of DDoS attack by modifying cookies sent to a server in order to construct huge queries, but that means there has to be an SQL injection vulnerability on the server as well. Of course, you should validate and escape anything you put into a query from a user, whether it's a POST variable or a cookie.

    2. Re:Not THAT nasty by iabervon · · Score: 3, Insightful

      Maybe I give you a session where your shipping address is my house. You buy some stuff from the site, don't pay much attention, and have it shipped to me. Or I give tons of people shopping carts containing something I sell through Amazon. Some of the people don't pay attention and accidentally include my item in their next purchase. Or I create a session with a site but don't log in, and I give it to them. They use it, find they aren't logged in, log in, and I'm also logged in as them (since I'm using the same session).

  15. Microsoft have been doing this for years by Anonymous Coward · · Score: 3, Informative


    with MSN network, we (large corp) banned all of their MSN domains as this is a security risk and as its intentionally deceptive on their part we had to classify it as malicious due to the intent

    here (with analysis)
    news report here

    of course MS still use it and the surfers still have no idea its occuring, though if you block their servers you soon find out how many times they try.

    never mind trusting the user, its the server and the company that does it that people cant trust

  16. This can be used in DoS attacks... by Alascom · · Score: 3, Interesting

    I believe I have found a really wicked attack that could utilize this method to implement a serious DDoS effect. Lets consider issue #1, where I can create cookies in .org.

    When a user visits my site, I set 20 cookies for slashdot.org. that are 4KB in size each (maximum number for a domain, and maximum allowed size per cookie). I also set the expiration for some time far into the future. I only have to send this data to each visitor 1 time.

    As a result, everytime the user goes to slashdot, he transmits 20*4KB (80KB) of data at slashdot. Not a big deal right? But what if my site is slashdot'd, and a million faithful readers visit my evil website and get this bogus cookie data. Now slashdot will be flooded with 80KB from 1,000,000 users every single time they click on any slashdot page (potentially for years). Yikes! Slashdot becomes victim of covert and malicious /. effect having serious financial impact on Slashdots bandwidth costs.

    This is a potentially serious amplification attack vector that would be really hard to clean-up.

    --
    This attack ©The Terrorist Network ( www.terrorist.net )

  17. LiveJournal by darkain · · Score: 2, Informative

    LiveJournal is already aware of this issue, and trying to do their best to prevent said issues within their system

  18. Re:maybe not as serious as it seems ... by Aeiri · · Score: 2

    As far as this article goes, problems #1 and #2 are bugs in the browser, not errors with web developer's coding, I don't know why it is presented that way. The guy says "sites rely on secure browsers, but they aren't!", the site doesn't rely on the browsers being secure at all, the user does. If the user uses an insecure browser, and his cookies get stolen because of it, the site isn't damaged at all, the user is.

    On top of that, he says he tested these things on MSIE and Firefox. I'm running Firefox 1.5, and it quite definitely DOES NOT work, test it for yourself, even give it a push. Turn off "for the originating site only" under cookies, and try to create a cookie with domain ".org.". It doesn't work. Run this in your address bar (on this page):

    javascript:void(document.cookie="cook1=bobjones; domain=.slashdot.org");

    Now look at your cookies. "slashdot.org" has "cook1" listed with value "bobjones".

    Now open a new tab/window/whatever. Open "http://slashdot.org./". Let's try this "exploit":

    javascript:void(document.cookie="cook2=bobjones; domain=.org.");

    Look at your cookies. No cook2 under ".org", ".org.", not even "slashdot.org". The cookie just isn't set. Try this on just slashdot.org as well and it will do the same thing (or it.slashdot.org, whatever, all the same).

    As far as #3 goes, I'm not quite sure what he thinks the "host" field it used for. If the site he's trying to attack is under a virtual host, which a lot of sites are, it will just discard it because the host doesn't match its table. On top of that, if they don't have a virtual host, all they would have to do is look through the packets being sent and see "Host: evil.example.com" and you're screwed.

    These "attacks" either don't work or will get you busted really easily. Kids, don't try this at home.

  19. Nothing new by ajs · · Score: 2, Interesting

    I'm under NDA, so pardon me while I dance a little... a certain large company with whom I have done business in the past, and which maintains a large stable of popular sites, once sent us their cookie documentation. As a partner site, we were required to play ball with this document, and I can only describe it as vile. It was a manual akin to the anarchist's cookbook, but for subverting the trust of our users. The information coming out about cookies is not "theoretical", it is practical and widely used by the largest sites.

    If you don't believe me, turn on manual cookie accepting, and start visiting the largest sites on the net. Accept all cookies for just the session and see what you get. I assure you that you will see these games played, not by disreputable hackers, but by the companies that many thought they could trust. You will see your personal information (to the extent that company A has it), handed off to company B in ways that HTTP was not supposed to allow for. You will see a great many interesting things.