cookie security
play

Cookie Security Myths and Misconceptions David Johansson OWASP - PowerPoint PPT Presentation

Aug 23, 2022 •284 likes •613 views

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me David Johansson (@securitybits) Security consultant with 10 years in AppSec Helping clients design and build secure software Develop

  1. Cookie Security Myths and Misconceptions David Johansson – OWASP London 30 Nov. 2017

  2. About Me • David Johansson (@securitybits) – Security consultant with 10 years in AppSec – Helping clients design and build secure software – Develop and deliver security training – Based in London, working for Synopsys

  3. Cookie Security • Why talk about Cookie Security? Cookie security is somewhat broken…

  4. Agenda • Cookie Basics • The ‘Secure’ Attribute • The ‘HttpOnly’ Attribute • The ‘Path’ Attribute • The ‘Domain’ Attribute • Cookie Lifetime • Modern Cookie Protections • Summary

  5. Background COOKIE BASICS

  6. History of HTTP Cookies Cookies are based on an old recipe: • 1994 – Netscape draft • 1997 – RFC 2109 • 2000 – RFC 2965 • 2002 – HttpOnly • 2011 – RFC 6265 • 2017 – RFC 6265bis (draft) “Classic Film” (https://www.flickr.com/photos/29069717@N02/)

  7. HTTP Cookies • Cookies are sent in HTTP headers Subsequent client request Server response HTTP/1.1 200 OK GET /index.html HTTP/1.1 … … Set-Cookie: Cookie: id=2bf353246gf3; id=2bf353246gf3; Secure; lang=en HttpOnly Set-Cookie: lang=en; Expires=Wed, 09 Jun 2021 10:18:14 GMT • Attributes influence how cookies are managed by the client (e.g., browser)

  8. Keeping Cookies Secure from Network-level Attackers THE ‘SECURE’ ATTRIBUTE

  9. The ‘Secure’ Attribute “Cookies marked with the ‘Secure’ attribute are only sent over encrypted HTTPS connections and are therefore safe from man- in-the- middle attacks.” – True or false?

  10. The ‘Secure’ Attribute • The ‘Secure’ attribute only protects the confidentiality of a cookie against MiTM attackers – there is no integrity protection!* – Mallory can’t read ‘secure’ cookies – Mallory can still write/change ‘secure’ cookies

  11. Keeping JavaScript’s Hands Away from the Cookie Jar THE ‘HTTPONLY’ ATTRIBUTE

  12. The ‘HttpOnly’ Attribute “Cookies marked with the ‘HttpOnly’ attribute are not accessible from JavaScript and therefore unaffected by cross- site scripting (XSS) attacks.” – True or false?

  13. The ‘HttpOnly’ Attribute • Only confidentiality protected in practice • HttpOnly-cookies can be replaced by overflowing the cookie jar from JavaScript Picture by Greg Putrich (flickr.com)

  14. Overwriting a Cookie Marked as ‘HttpOnly’ from JavaScript DEMO

  15. Isolating Cookies to Specific Paths THE ‘PATH’ ATTRIBUTE

  16. The ‘Path’ Attribute “The ‘Path’ attribute limits the scope of a cookie to a specific path on the server and can therefore be used to prevent unauthorized access to it from other applications on the same host.” – True or false?

  17. The ‘Path’ Attribute • Cookie Scope vs. Same-origin Policy Cookie Scope Same-origin Policy Port & Path Host/domain Protocol

  18. The ‘Path’ Attribute • Two different applications on shared host: – https://example.com/App1/ – https://example.com/App2/ Not isolated in /App1 terms of SOP! Isolated in terms https example of cookie scope (443) .com /App2

  19. Only Send Cookie to Intended Host(s) THE ‘DOMAIN’ ATTRIBUTE

  20. The ‘Domain’ Attribute “The ‘Domain’ attribute should be set to the origin host to limit the scope to that particular server. For example if the application resides on server app.mysite.com, then it should be set to domain=app.mysite.com” – True or false?

  21. The ‘Domain’ Attribute • With domain set, cookies will be sent to that domain and all its subdomains • The risk with subdomains is lower than when scoped to parent domain, but still relevant • Remove domain attribute to limit cookie to origin host only – Important note: IE will always send to subdomains regardless

  22. Limiting Exposure of Cookies COOKIE LIFETIME

  23. Cookie Lifetime “A session cookie , also known as an in-memory cookie or transient cookie , exists only in temporary memory while the user navigates the website.” (Wikipedia) – True or false?

  24. Cookie Lifetime • It’s up to the browser to decide when the session ends • ‘Non - persistent’ session cookies may actually be persisted to survive browser restart https://developer.mozilla.org/en-US/docs/Web/API/document/cookie

  25. RFC6265bis: Making Improvements to the Cookie Recipe MODERN COOKIE PROTECTIONS

  26. Strict Secure Cookies • Makes ‘secure’ cookies a little more secure by adding integrity protection • Prevents plain-text HTTP responses from setting or overwriting ‘secure’ cookies • Attackers still have a window of opportunity to “pre - empt” secure cookies with their own

  27. Cookie Prefixes • Problem: – Server only sees cookie name and value in HTTP request, no information about its attributes – Impossible for server to know if a cookie it receives was set securely • Solution: – ‘Smuggle’ information to server in cookie name – "__Secure-" prefix – "__Host-" prefix

  28. The ‘SameSite’ Attribute • Problem: – Cookies are sent with all requests to a server, regardless of request origin – Attackers can abuse this by initiating authenticated cross-origin requests, e.g., CSRF, XSSI, etc. • Solution: – New cookie attribute SameSite=[Strict|Lax] – Prevents cookies from being attached to cross-origin requests

  29. SUMMARY

  30. Summary • Key Takeaways: – Cookies are still largely based on a draft from 1994 – The security model has many weaknesses – Don’t build your application on false assumptions about cookie security – Application and framework developers should take advantage of new improvements to cookie security – Beware that not all browsers are using the same cookie recipe (yet)

  31. The ‘Ultimate’ Cookie • Is there an ‘ultimate’ cookie configuration? • This is probably the most secure configuration we have for now: Set-Cookie: __Host- SessionID=3h93…; Path=/;Secure;HttpOnly;SameSite=Strict

  32. The End Questions? @securitybits

Recommend

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f; Expires=Wed, 09 Jun 2012 10:18:14 GMT Name Value Expiration Time Browser returns cookies in headers of later requests: Cookie: session=0x4137fd6a CS

701 views • 4 slides
Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough

Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough

Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough Grade Level: 3 $5 a tub Subject: Math Peanut Butter Source: NYC Clear Creek School is fundraising. They Cookie Dough Department of $4 a tub

104 views • 6 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ?

COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ?

COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ? Girl Scout Cookie? COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS Theres a science that goes into every cookie food and nutrition

160 views • 12 slides
Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough

Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough

Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough Cookie Dough Grade Level: 3 $5 a tub Subject: Math Peanut Butter Source: NYC Clear Creek School is fundraising. They Cookie Dough Department

527 views • 8 slides
Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I: Introduction to Programming Local variables, scopes, and complexity Autumn 2019 October 31, 2019 Example Cookie Calculator Cookie Calculator

685 views • 13 slides
Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to

Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to

Troop Cookie Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to know your Service Unit Cookie Team! They are your mentors though the season and are a wealth of information. They can help

914 views • 75 slides
Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide state Examples: Items in shopping cart AuthenFcaFon! Cookies Passwords! Username + Password = Cookie If I know your authenFcaFon

712 views • 7 slides
Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time

Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time

Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time Way Team Purpose / Rules Team Purpose Rule 1 Rule 2 Rule 3 The Board Making Big

343 views • 18 slides
Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft

Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft

Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft -pettersen-dns-cookie-validate-00.txt draft -pettersen-subtld-structure-00.txt HTTP Cookies HTTP Cookies are named values sent to the client by the server, which the

424 views • 9 slides
Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven

Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven

Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven IBBT Joep Crompvoets Public Management Institute, K.U.Leuven Back in the day... Freedom of information Sweden 1766, UN Assembly 1946, USA

476 views • 6 slides
C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET

C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET

C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET http://www.example.com/login? u=USER&p=PASSWD [server marks this session as authenticated] S -> C: Set-Cookie: sessionid= NONCE (Cookie is an

686 views • 19 slides
COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

CS 498RK SPRING 2020 COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your computer so that a site can remember you and what you did on subsequent visits Bro w se r Serve r first request

340 views • 23 slides
Please choose a fortune cookie Open and read the question to your table Have everyone

Please choose a fortune cookie Open and read the question to your table Have everyone

Please choose a fortune cookie Open and read the question to your table Have everyone at your table answer the question 1: 1:00 00 -2: 2:15 am 15 am Prep epar aring for S Succe ccessful M Meet eetings* Atriu trium B

932 views • 61 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Direct defense b. Stack Cookie; Canary -

713 views • 26 slides
NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015

NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015

NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015 ACKNOWLEDGEMENTS Aleksandar Angelina Peter Marko Slavko Marinka Julian KARATE CLUB NETWORK 17 16 23 15 6 31 19 7 11 9 21 33 5 14 34 10 30

872 views • 15 slides
File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 -

File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 -

Reminders... Assignment #9 is special... No lab on Wednesday, November 24 File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 - 7:30pm, Lake House Kitchen T- 1 T- 2 Election 2008 Writing a

321 views • 4 slides
Cookie Rally Planning: Beginning to End Brainstorm and plan activities Set date, time &

Cookie Rally Planning: Beginning to End Brainstorm and plan activities Set date, time &

Cookie Rally Planning: Beginning to End Brainstorm and plan activities Set date, time & location Set a budget & create a fee Setup up registration Line up volunteers Promote Set agenda and request supplies Host event Thank

213 views • 18 slides
Improve Cookie- based Session with Decorator Pattern @ ConFoo Montreal 2018-03-08 by Jian

Improve Cookie- based Session with Decorator Pattern @ ConFoo Montreal 2018-03-08 by Jian

Improve Cookie- based Session with Decorator Pattern @ ConFoo Montreal 2018-03-08 by Jian Weihang Improve Cookie-based Session with Decorator Pattern 1 Bonjour! Improve Cookie-based Session with Decorator Pattern 2 Jian Weihang

1.06k views • 91 slides
Digital Cookie 2018-2019 Parent Training Welcome Setting up your site Learning

Digital Cookie 2018-2019 Parent Training Welcome Setting up your site Learning

rent Digital Cookie 2018-2019 Parent Training Welcome Setting up your site Learning Customer View Mobile App 2 4 Easy Steps 3 Sender: Girl Scout Cookies Step 1-Register <email@email.girlscouts.org> Subject:

753 views • 36 slides
Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously

Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously

Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously Web basics SQL injection Today Stateful web Cookie hijacking Session fixation CSRF Dynamic web and XSS Adding state to

1k views • 69 slides
and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max

and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max

The Case for a General and Interaction-based Third-party Cookie Policy Istemi Ekin Akkus 1 , Nicholas Weaver 2 1 Max Planck Institute for Software Systems (MPI-SWS) 2 ICSI & UC Berkeley Sample Web Page Content Optimized with Ad web

855 views • 28 slides
Navigating the 2%: Separating Your Institution in a Cookie Cutter College Environment Jeremy

Navigating the 2%: Separating Your Institution in a Cookie Cutter College Environment Jeremy

Navigating the 2%: Separating Your Institution in a Cookie Cutter College Environment Jeremy Bogan Mary Randers Vice President and Dean of Admission Director of Admission jbogan@willamette.edu mranders@Willamette.edu Objectives Discuss

358 views • 16 slides
Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state

Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state

One-Slide Summary Users often authenticate themselves by providing passwords. We store and compare hashes of passwords, Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state associated with a webpage

103 views • 9 slides

More recommend