Distill: Death to Cookies

Transcript

1. Death to Cookies Konstantin Haase @konstantinhaase

2. story time

3. None
4. None
5. None

6. once upon a time

7. None
8. None

9. Recipetastic™

10. None
11. None

12. Bob Alice

13. Bob Alice

14. Bob Alice Eve

15. Bob Alice Mallet

16. problem solved

17. None

18. POST /login HTTP/1.1 Host: www.recipetast.ic Content-Length: 44 [email protected]& password=st0p%20Motion

19. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob <html> ...

20. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob

21. Guessing

22. None
23. None
24. None

25. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: pwd=... <html>

    ...

26. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=...

27. GET / HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob,pwd=... Basic Auth, just

    with cookies

28. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob Set-Cookie: token=... <html>

    ...
29. None

30. XSS Cross Site Scripting

31. None

32. can read cookie and send it somewhere

33. None

34. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: user=bob; HttpOnly <html> ...

35. None

36. can read (and write) recipes

37. None

38. sanitize all user input

39. Content Security Policy

40. None

41. CSRF Cross Site Request Forgery

42. Is this awesome, y/n?

43. None

44. GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice

45. GET /create?… HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice Deadly cookies!

46. None

47. GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH

48. 1 2 PUT / 2 PUT / 2 Repeatable! :)

    State change! :( Deterministic! :) https://speakerdeck.com/rkh/we-dont-know-http

49. GET, HEAD, OPTIONS, TRACE PUT, DELETE, LINK, UNLINK POST, PATCH

50. None
51. None
52. None

53. POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ...

54. POST /create HTTP/1.1 Host: www.recipetast.ic Cookie: user=alice ... Deadly cookies!

55. None

56. POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice

57. POST /create HTTP/1.1 Host: www.recipetast.ic Referer: http://awesome- website.com/ Cookie: user=alice

    [sic]
58. None
59. None

60. Referer is not set for FTP or HTTPS referrers

61. Referer can be spoofed by outdated flash plugin

62. None

63. POST /create HTTP/1.1 Host: www.recipetast.ic Origin: http://awesome- website.com Cookie: user=alice

64. None
65. None

66. Not supported by older browsers

67. Origin can probably be spoofed by outdated flash plugin

68. None

69. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: csrf_token=XXX

70. None
71. None

72. Cheating Same Origin

73. HTTP/1.1 200 OK Content-Type: application/json

74. An attacker could just load it, right?

75. AJAX can only load from the same origin (or CORS)

76. None

77. seems harmless

78. In JavaScript, you can override the array constructor.

79. https://github.com/rkh/json-csrf

80. None

81. Never serve JSON that has an array at top level

    (or don’t use cookies)
82. None

83. VBScript did not fully implement Same Origin

84. None

85. Block Internet Explorer before IE9

86. Block Internet Explorer before IE9

87. require CSRF token for all AJAX requests

88. None

89. Are we doing good so far?

90. None

91. Can we trust a cookie?

92. DNS cache poisoning

93. Can we trust the browser?

94. Can we trust browser plugins?

95. None
96. None

97. Signed Cookies

98. Encrypted Cookies

99. None

100. Eaves- dropping

101. encrypting cookies does not help

102. None
103. None
104. None

105. attacker cannot parse cookie from stream

106. None

107. Or can they?

108. BEAST Browser Exploit Against SSL/ TLS

109. decrypts TLS 1.0 streams via injected JavaScript

110. None

111. fixed in TLS 1.1

112. force recent browser

113. don’t allow TLS 1.0

114. None

115. CRIME Compression Ratio Info-leak Made Easy

116. SSL has built-in compression

117. GET /?user=alice HTTP/1.1 Host: www.recipetast.ic Cookie: user=bob GET /?user=bob HTTP/1.1

     Host: www.recipetast.ic Cookie: user=bob better compression
118. None

119. update your browser

120. turn off SSL compression

121. append random number of bytes to response

122. None

123. BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

124. like CRIME, but for the response

125. attack the CSRF token, not the cookie

126. inject something in the response http://www.recipetast.ic/search?q=XXX

127. None

128. mask CSRF tokens differently in every response (Rails PR pending)

129. don’t use CSRF tokens

130. None

131. Do you think about all this when you build an

     app?

132. Next attack vector around the corner?

133. None

134. Alternatives

135. IP address

136. Session ID in URL

137. None

138. Custom Authorization header

139. None

140. Store value in Local Storage

141. Needs JavaScript :(

142. Works well with PJAX/ Turbo Links like setups

143. None

144. New Browser Concepts?

145. None

146. @konstantinhaase [email protected] rkh.im