Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Simon Foley,
Department of Computer Science,
University College Cork
s.foley@cs.ucc.ie
November 7, 2011
c
Simon
Foley
1 / 44
Cookies
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
All HTTP requests are treated as independent events, even when they
come from the same client.
Cookies provide a mechanism whereby a web-server can manage a stateful
relationship with a browser by storing the related state in the client browser
and not on the server.
The server assigns some state to a cookie, which it includes in the
HTTP response.
The browser stores the cookie in its browser.
The browser includes any cookie(s) it may hold for a web-site when
c
Simon
Foley
2 / 44
Cookie Example
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
A PHP script that is used to count the number of times a particular user
(browser) has loaded the script/web-page.
<?php
if (!isset($_COOKIE[views]))
{
setcookie(views,0,0,"/");
$views=1;
}else{
$views=$_COOKIE[views]+1;
}
setcookie(views,$views,0,"/");
echo "I have now seen you = ". $views . " times";
?>
c
Simon
Foley
3 / 44
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2010 14:45:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Set-Cookie: views=1; path=/
Content-Length: 29
Content-Type: text/html
c
Simon
Foley
4 / 44
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2010 14:45:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Set-Cookie: views=2; path=/
Content-Length: 29
Content-Type: text/html
c
Simon
Foley
5 / 44
PHP setcookie
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
c
Simon
Foley
6 / 44
Results in a response
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2010 15:06:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Set-Cookie: views=14; expires=Fri, 29-Oct-2010 16:06:56 GMT; path=/
Set-Cookie: user=homer; path=/
Content-Length: 30
Content-Type: text/html
c
Simon
Foley
7 / 44
Secure Cookies
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
c
Simon
Foley
8 / 44
Cookie Integrity
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
An attacker that controls the connection can also interfere with the values.
HTTPS can be used to secure the connection from this kind of attack.
Once the browser receives the cookie, a malicious client can easily modify
the cookie value (either directly, or via a proxy such as Paros).
The server can use a cryptographic one-way hash function to ensure the
integrity of a cookie value.
Attempted solution: given a cookie with identifier id and value v, then,
given some secret known only to the server, compute a cryptographic
checksum using a suitable one-way hash function h():
ck = h(v, secret)
and include this hash value in the cookie. An attacker cannot forge ck
without knowing the secret.
Before using a cookie presented by the browser the application should
re-compute the checksum and confirm it matches the checksum provided.
c
Simon
Foley
9 / 44
<?php
$secret="my server secret";
$seperator = --;
if (!isset($_COOKIE[views])){
$views=1;
}else{
$cut=explode($seperator, $_COOKIE[views]);
if (md5($cut[0].$secret)==$cut[1]){
$views=$cut[0]+1;
}else{
die(Cookie data corrupted);
}
}
$splice=$views . $seperator . md5($views.$secret);
setcookie(views,$splice,0,"/");
echo "I have now seen you = ". $views . " times";
?>
c
Simon
Foley
10 / 44
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2010 15:41:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Set-Cookie: views=2--c81e728d9d4c2f636f067f89cc14862c; path=/
Content-Length: 29
Content-Type: text/html
c
Simon
Foley
11 / 44
The script only attempts to prevent the cookie variable value v from
corruption: it implements the cookie as [id, v, d, p, h(v, secret)].
A malicious client could take a copy of the cookie [id, v, d, p, h(v, secret)]
and change, for example, the expiry date to d resulting in the valid cookie
[id, v, d , p, h(v, secret)].
A determined and malicious client might have another cookie
[id , v , d , p , h(v , secret)] from the same server for a different variable id .
If the same secret was used to compute the checksum of this cookie then
the attacker can cut-and-paste variable values to give, for example, the
valid cookie [id, v , d, p, h(v, secret)].
We need to secure all the values in the cookie from modification.
c
Simon
Foley
12 / 44
c
Simon
Foley
13 / 44
<?php
$secret="my server secret";
$id=views;
$expiry=0;
$path="\";
$separator = --;
if (!isset($_COOKIE[$id])){
$views=1;
}else{
$cut=explode($seperator, $_COOKIE[$id]);
$views=$cut[0];
$values=$views.$id.$expiry.$path.$secret;
if (md5($values)==$cut[1]){
$views=$views+1;
}else{
die(Cookie data corrupted);
}
}
$splice=$views.$id.$expiry.$path. $secret . $seperator . md5($views);
setcookie(views,$splice,0,"/");
echo "I have now seen you = ". $views . " times";
?>
c
Simon
Foley
14 / 44
No perfect cookie
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
A determined and malicious client can still replay old cookies with this
recipe. For example, when visiting for the fifth time, the client keeps a copy
of the cookie. At some later date when the client visits for the tenth time
the client can easily replay the old fifth cookie.
The server could include a sequence number in the hashed cookie and then
keep track of the last sequence number issued to each client. However, this
requires state at the server side which defeats the purpose of the cookie.
If we are concerned about replay of cookie state then the server should
manage the state and use, for example, a PHP session to relate the state to
the visiting client (well see this shortly).
c
Simon
Foley
15 / 44
Authentication Cookies
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
When a user logs in (eg authenticated using the login.php code described
earlier in notes) then an authentication cookie is set in the browser by the
login program for the website and path.
user website
website user
AuthCookie
Before responding, the website must check that the authentication cookie is
valid for the given request.
While the underlying mechanics is not unlike Basic HTTP authentication,
the advantage to using authentication cookies is that we can associate other
attributes with the cookie, such as expiry dates, access constraints, etc.
c
Simon
Foley
16 / 44
c
Simon
Foley
17 / 44
When a user logs into the website (providing userid and password) an
authentication cookie is given to them which contains their userid and
sequence number as plaintext (roughly speaking, it was actually encoded
using GET attributes).
On a subsequent visit, the presented cookie is validated by the server which
checks that the sequence number is valid for the given user.
However, the scheme used predictable sequence numbers: when a user logs
in, the sequence number is simply incremented! This meant that an
attacker had a good chance of guessing/predicting other users sequence
numbers (at the time, fatbrain.com had about 1 user-login per second).
Userids, passwords and sequence numbers where also sent over HTTP
which meant that they were vulnerable to an eavesdropping attack.
For more information see:
http://cookies.lcs.mit.edu/seq sessionid.html
c
Simon
Foley
18 / 44
When viewing a Web page, images or other objects may set cookies in the
visitors browser.
A cookie may include information about a visitor that is known by they
website that created it: the visitors IP address, browsing activity, account
information, etc.
This information may be used to help tailor advertisements to visitors. Sites
may share this information and result in a loss of privacy of the visitor.
First-party cookies are cookies that are set by the same domain that is in
your browsers address bar.
Remember that a site cannot issue a cookie related to a different domain.
Thus, first party cookies can be used to track visitor actions within the
domain/website.
c
Simon
Foley
19 / 44
c
Simon
Foley
Third-party cookies are cookies that are set by one of objects, images, etc
within the web page but coming from a different domain (to that of the
web-page).
User visits foobar.com/index.html,
domain thirdParty.com.
Third party cookies can be used to track visitor actions across multiple
domains/websites.
Most browsers permit third-party cookies by default, but can be configured
to block third-party cookies.
c
Simon
Foley
21 / 44
22 / 44
23 / 44
Big Business
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
c
Simon
Foley
24 / 44
Certain cookie types (session cookies and those strictly necessary for
specific service explicitly requested by the subscriber or user) appear to be
exempt from the requirements.
Website users are typically notified about cookies by means of privacy
statements and online terms and conditions (where applicable).
A revised version of the directive may (2011) require more explicit
notification/agreement for the user.
c
Simon
Foley
25 / 44
c
Simon
Foley
c
Simon
Foley
c
Simon
Foley
PHP Sessions
Cookies
setcookie
Secure Cookies
Cookie Integrity
Recipe
Authentication
Privacy
3P Cookie
Session Hijacking
Session Fixation
Conclusion
c
Simon
Foley
28 / 44
c
Simon
Foley
29 / 44
Recall our dictum that whenever possible we should avoid storing secrets.
Suppose that we stored the users password in the session
$_SESSION[password]= $userpassword;
One might argue that the secret is safe as it is stored on the server and not
communicated to the client.
However, while the website developer may have been careful to properly
protect the user passwords in the mysql database he/she may have
overlooked the fact that other applications on the server might have access
to that part of the file system that contains the session data.
We should therefore, wherever possible, secure the session variable values.
For example,
$_SESSION[password]= sha1($userpassword);
c
Simon
Foley
30 / 44
c
Simon
Foley
31 / 44
id (cookie) sessA .
Suppose that malicious Mike knows that Alice recently connected to
the website.
Malicious Mike connects/authenticates to Bobs website and receives
with the value as cookie and will fairly quickly end up making an
HTTP request to Bob that appears to come from an authenticated
Alice.
c
Simon
Foley
32 / 44
session id is 211c021d04984ccfd81bee2c12e407847652.
Assuming Mike knows that Alice visited recently, then Bob can brute
force Alices session id by testing session ids for recent times along
with all possible 4-digit random values.
Mike might have collected his past session identifiers and recognized
patterns that indicate how session identifiers are generated.
c
Simon
Foley
33 / 44
c
Simon
Foley
c
Simon
Foley
35 / 44
c
Simon
Foley
36 / 44
The standard support for session ids in PHP computes the session id as a
one-way hash of a combination of the IP address of the visitor, a
time-stamp and the result from a random number generator.
From php.ini:
...
session.entropy_length = 16
session.entropy_file = /dev/urandom
session.hash_function = 1
c
Simon
Foley
37 / 44
c
Simon
Foley
c
Simon
Foley
39 / 44
and its possible that the session was created before the visitor
authenticated himself/herself.
Usual strategy is:
The very first HTTP response carries the session id to the user (and
c
Simon
Foley
40 / 44
Session fixation attack: attacker tricks the victim into using a session id
that the attacker already knows.
1. The attacker is given a valid session id from a server. For example, as
redirect http://foobar.com?PHPSESSID=1234 (set in the URL).
2. The attacker tricks the victim to use this session id for his
communication with the server. For example, the victim follows the
link http://foobar.com?PHPSESSID=1234 as a result of a CSRF.
3. In this session, victim sends his credentials to the server. For example,
victim logs in and $ SESSION[userid] is set to their name.
4. From now on, the session is authenticated. As the attacker knows the
session id, he now can access the application under victims identity
A fixation attack can be avoided if the application regenerates the session
id whenever the user authenticates himself/herself and/or when there is a
change of privilege.
c
Simon
Foley
41 / 44
The front page of a website creates a new session for the visitor with an
empty shopping cart, if not already created.
<?php
session_start();
// ...
if (!isset($_SESSION[cart])){
$_SESSION[cart]=$emptycart;
}
// ...
?>
c
Simon
Foley
42 / 44
When a user logs in then there is a change of privilege associated with the
session id.
Whenever there is a change of privilege associated with a session id then
the application should generate a new session id for the session. That way,
any other user (attacker) that happens to know the session id prior to the
change of privilege cannot know this new session id.
PHP function session regenerate id() performs this task.
The login.php can be revised as:
<?php
session_start();
// .... if user is authenticated then set session variable
session_regenerate_id();
$_SESSION[userid]= $userid;
// otherwise leave session variable unset
c
Simon
Foley
43 / 44
c
Simon
Foley
44 / 44