The Cookie Monster in Your Browsers

Transcript

1. The cookie monster in your browsers @filedescriptor HITCON 2019

2. @filedescriptor • From Hong Kong ! • Pentester for Cure53

   • Love WebApp Sec & Browser Sec • Bug Bounty Hunter (#1 on Twitter's program)

3. Motivation

4. Motivation

5. Motivation

6. History 1966

7. The Dark Age 1994 1997 2000 Netscape's cookie_spec RFC 2109

   RFC 2965 Basic Syntax Mechanism More Attributes Privacy Control Obsoletes RFC 2109 Set-Cookie2 & Cookie2 No browser followed these specs!

8. The Modern Age 2011 2015 2016 2016 RFC 6265 Cookie

   Prefixes (RFC6265bis) Same-site Cookies (RFC6265bis) Strict Secure Cookies (RFC6265bis) Obsoletes RFC 2965 Summarizes reality HttpOnly flag Improves Integrity across subdomains over secure channel Kills CSRF & Co. Prevents secure cookies overwrite from non-secure origin
9. None
10. None

11. HTTP/1.1 200 OK [...] Set-Cookie: sid=123; path=/admin document.cookie = 'lang=en'

    HTTP Response JavaScript API (write)

12. HTTP/1.1 200 OK [...] Set-Cookie: sid=123; path=/admin document.cookie = 'lang=en'

    POST /admin HTTP/1.1 [...] Cookie: sid=123; lang=en HTTP Response JavaScript API (write) Subsequent HTTP Request document.cookie // sid=123; lang=en JavaScript API (read) *Attributes do not appear in requests

13. Set-Cookie: sid=123; path=/admin; Secure Name Value Attribute Flag Attribute Flag

    Expires Max-Age Domain Path SameSite Secure HttpOnly

14. Attribute Flag Expires Max-Age Domain Path SameSite Secure HttpOnly We

    will focus on these attributes in this talk

15. Domain

16. Set-Cookie: foo=bar; domain=.example.com example.com sub.example.com sub.of.sub.example.com Domain to subdomains

17. Set-Cookie: foo=bar; domain=.example.com sub.example.com example.com sub.of.sub.example.com Subdomains to subdomains

18. Set-Cookie: foo=bar; sub.example.com example.com sub.of.sub.example.com Current domain

19. None
20. None
21. None

22. Dot or no Dot? • They have no difference (old

    RFC vs new RFC style) • Both widen the scope of a cookie to all (sub)domains • The correct way to limit the scope is to not have the domain attribute • Some websites add the domain attribute for all cookies • If one of the subdomains is compromised, such cookies will be leaked to unauthorized parties

23. – RFC 6265 (4.1.2.3.) "Some existing user agents treat an

    absent Domain attribute as if the Domain attribute were present and contained the current host name."

24. Still isn’t fixed in IE11 on Windows 7 / 8.1!

25. None

26. Cookie Bomb • Most servers have a length limit on

    request headers • When this limit is exceeded, HTTP 413 or 431 is returned • Limited cookies injection can still result in client-side DoS • Domain & Expire attributes help persist the attack across (sub)domains.
27. None
28. None

29. https://example.com/aaa…aaa https://twitter.com/#a https://example.com/aaa…aaa https://twitter.com/#b https://example.com/aaa…aaa https://twitter.com/#c GET / HTTP/1.1 [...]

    Cookie: ev_redir_a=aaa...aaa; ev_redir_b=aaa...aaa; ev_redir_c=aaa...aaa } 8kB+
30. None

31. Shared domains're vulnerable by design e.g. github.io

32. Public Suffix List • Community curated • Some domains cannot

    have cookies • The same list that restricts domain=.com.tw
33. None
34. None

35. XSS+OAuth • Say you have a boring XSS • And

    the site is using OAuth • Sounds like you can use the XSS to takeover accounts?

36. Expectation https://google.com/oauth?client_id=example HTTP/1.1 302 Found Location: https://example.com/oauth/callback?code=123 Set-Cookie: sid=123 HTTP/1.1

    302 Found Location: https://example.com/home Steal

37. Reality https://google.com/oauth?client_id=example HTTP/1.1 302 Found Location: https://example.com/oauth/callback?code=123 Set-Cookie: sid=123 HTTP/1.1

    302 Found Location: https://example.com/home Steal 1. Authorization code is single-use 2. Intermediate HTTP Redirect is transparent

38. XSS++OAuth 1. Perform Cookie Bomb Attack via XSS 2. Embed

    an iframe pointing to OAuth IdP 3. It redirects to target with the authorization code 4. Server rejects the request due to large header 5. Use XSS to get the authorization code from iframe URL

39. https://example.com https://google.com/oauth?client_id=example

40. https://example.com https://example.com/oauth/callback?code=123 iframe.contentWindow.location.href

41. None

42. Path & HttpOnly

43. This is a valid request True or False? POST /admin

    HTTP/1.1 [...] Cookie: csrf_token=foo; csrf_token=bar
44. None

45. Cookie Tossing • Cookie key consists of the tuple (name,

    domain, path) • Each cookie-key-value has their own attribute list • (Sub)domains can force a cookie with the same name to other (sub)domains • Browser sends all cookies of the same name without attributes • Server thus has no way to tell which one is from which domain/path

46. GitHub Pages used to be on *.github.com

47. None

48. Scenario • Had an XSS on ton.twitter.com where contents are

    static • twitter.com uses auth_token for session ID and _twitter_sess for storing CSRF token • Could modify _twitter_sess with an attacker-known value and have site-wide CSRF • However it’s protected by HttpOnly

49. HttpOnly • Cookies with this flag cannot be read/write from

    JavaScript API • Safari before version 12 has a bug that allows writing to HttpOnly cookies with JavaScript API • Cookie Tossing can also help “bypass” this flag, as you can create a cookie with the same name but different key tuple

50. Expectation Name Value Domain _twitter_sess original _twitter_sess attacker’s .twitter.com POST

    /i/tweet/create HTTP/1.1 [...] Cookie: _twitter_sess=attackers; _twitter_sess=original authenticity_token=attacker-known

51. Reality Name Value Domain _twitter_sess original _twitter_sess attacker’s .twitter.com POST

    /i/tweet/create HTTP/1.1 [...] Cookie: _twitter_sess=original; _twitter_sess=attackers; authenticity_token=attacker-known

52. –RFC 6265 (5.4) 2. The user agent SHOULD sort the

    cookie-list in the following order: * Cookies with longer paths are listed before cookies with shorter paths. * Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.

53. Precedence matters • Specs do not mention how to handle

    duplicate cookies • Most servers accept the first occurrence of cookies with the same name (think of HPP) • Most browsers place cookies created earlier first

54. –RFC 6265 (5.4) 2. The user agent SHOULD sort the

    cookie-list in the following order: * Cookies with longer paths are listed before cookies with shorter paths. * Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.

55. Revised Attack Name Value Domain Path _twitter_sess original / _twitter_sess

    attacker’s .twitter.com /i/ POST /i/tweet/create HTTP/1.1 [...] Cookie: _twitter_sess=attackers; _twitter_sess=original authenticity_token=attacker-known

56. –RFC 6265 (6.1) Practical user agent implementations have limits on

    the number and size of cookies that they can store. General-use user agents SHOULD provide each of the following minimum capabilities: o At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes). o At least 50 cookies per domain.

57. Overflowing Cookie Jar • Another way to “overwrite” a HttpOnly

    cookie is to remove it • Browsers have a limitation on how many cookies a domain can have • When there is no space, older cookies will get deleted • Drawback: it’s not always easy to know how many cookies a victim has (tracking cookies are unpredictable)

58. More Cookie Tossing Application

59. Self-XSS to full XSS Selectively forcing attacker’s session cookie on

    certain paths

60. https://attacker.myshopify.com https://attacker.myshopify.com/admin/oauth/authorize?client_id=editor https://script-editor.shopifycloud.com/oauth/callback?code=attackers document.cookie='_master_udr=attackers;path=/admin/oauth https://victim.myshopify.com/admin/oauth/authorize?client_id=editor https://script-editor.shopifycloud.com/oauth/callback?code=victims Login “CSRF” Re-login victim

    Self-XSS in iframe executing with victim’s session

61. Session Fixation Forcing attacker’s session cookie with a subdomain XSS

62. https://script-editor.shopifycloud.com document.cookie='_flow_session=attackers;domain=.shopifycloud.com' https://victim.myshopify.com/admin/oauth/authorize?client_id=flow GET /oauth/callback?code=victims HTTP/1.1 Host: flow.shopifycloud.com Cookie: _flow_session=attackers

    Force a session cookie scoped to .shopifycloud.com using XSS OAuth redirect with authorization code

63. Implementation Discrepancy

64. Multiple Cookies at Once? • We can only set one

    cookie at a time in a single Set- Cookie header • However, the older specs allow setting multiple in a single Set-Cookie header

65. Cookie based XSS Exploiting limited Cookie Injection with Safari

66. –RFC 2109 (4.2.2) “Informally, the Set-Cookie response header comprises the

    token Set-Cookie:, followed by a comma-separated list of one or more cookies.”

67. Set-Cookie: foo=123; path=/admin; HttpOnly;, bar=456; Secure GET /admin HTTP/1.1 [...]

    Cookie: foo=123; bar=456 Works in Safari before version 10

68. https://outlook.live.com/owa/?realm=hotmail.com;, ClientId='-alert(2)-' HTTP/1.1 200 OK [...] Set-Cookie: realm=hotmail.com;, ClientId='-alert(2)-' GET

    / HTTP/1.1 [...] Cookie: realm=hotmail.com; ClientId='-alert(2)-' window.clientId = ''-alert(2)-''; Safari sets 2 cookies

69. CSRF Cookie Injection Server accepting comma separated cookies

70. –RFC 2965 (3.3.4) “For backward compatibility, the separator in the

    Cookie header is semi-colon (;) everywhere. A server SHOULD also accept comma (,) as the separator between cookie-values for future compatibility.”

71. http://blackfan.ru/r/,m5_csrf_tkn=x,;domain=.twitter.com;path=/ __utmz=123456.123456789.11.2.utmcsr=blackfan.ru|utmccn=(referral)|utmcct=/ r/,m5_csrf_tkn=x POST /messages/follow HTTP/1.1 [...] Cookie: __utmz=123456.123456789.11.2.utmcsr=blackfan.ru| utmccn=(referral)|utmcct=/r/,m5_csrf_tkn=x

    m5_csrf_tkn=x Cookie set by Google Analytics on translation.twitter.com scoped to .twitter.com Twitter’s server parses it as 2 cookies

72. Defense

73. Cookie Prefixes • Cookies prefixed with __Host- cannot have Domain

    attribute • This prevents (sub)domains from forcing a cookie the current domain doesn’t want • Cookies intended for (sub)domains are still vulnerable to Cookie Tossing • Use a separate domain for user generated assets
74. None

75. Servers must only follow RFC 6265

76. PSA: CSRF & others will be dead in 2020

77. Q&A find me on Twitter @filedescriptor