cookie security
play

Cookie Security Myths and Misconceptions David Johansson OWASP - PowerPoint PPT Presentation

Aug 23, 2022 •284 likes •613 views

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me David Johansson (@securitybits) Security consultant with 10 years in AppSec Helping clients design and build secure software Develop

  1. Cookie Security Myths and Misconceptions David Johansson – OWASP London 30 Nov. 2017

  2. About Me • David Johansson (@securitybits) – Security consultant with 10 years in AppSec – Helping clients design and build secure software – Develop and deliver security training – Based in London, working for Synopsys

  3. Cookie Security • Why talk about Cookie Security? Cookie security is somewhat broken…

  4. Agenda • Cookie Basics • The ‘Secure’ Attribute • The ‘HttpOnly’ Attribute • The ‘Path’ Attribute • The ‘Domain’ Attribute • Cookie Lifetime • Modern Cookie Protections • Summary

  5. Background COOKIE BASICS

  6. History of HTTP Cookies Cookies are based on an old recipe: • 1994 – Netscape draft • 1997 – RFC 2109 • 2000 – RFC 2965 • 2002 – HttpOnly • 2011 – RFC 6265 • 2017 – RFC 6265bis (draft) “Classic Film” (https://www.flickr.com/photos/29069717@N02/)

  7. HTTP Cookies • Cookies are sent in HTTP headers Subsequent client request Server response HTTP/1.1 200 OK GET /index.html HTTP/1.1 … … Set-Cookie: Cookie: id=2bf353246gf3; id=2bf353246gf3; Secure; lang=en HttpOnly Set-Cookie: lang=en; Expires=Wed, 09 Jun 2021 10:18:14 GMT • Attributes influence how cookies are managed by the client (e.g., browser)

  8. Keeping Cookies Secure from Network-level Attackers THE ‘SECURE’ ATTRIBUTE

  9. The ‘Secure’ Attribute “Cookies marked with the ‘Secure’ attribute are only sent over encrypted HTTPS connections and are therefore safe from man- in-the- middle attacks.” – True or false?

  10. The ‘Secure’ Attribute • The ‘Secure’ attribute only protects the confidentiality of a cookie against MiTM attackers – there is no integrity protection!* – Mallory can’t read ‘secure’ cookies – Mallory can still write/change ‘secure’ cookies

  11. Keeping JavaScript’s Hands Away from the Cookie Jar THE ‘HTTPONLY’ ATTRIBUTE

  12. The ‘HttpOnly’ Attribute “Cookies marked with the ‘HttpOnly’ attribute are not accessible from JavaScript and therefore unaffected by cross- site scripting (XSS) attacks.” – True or false?

  13. The ‘HttpOnly’ Attribute • Only confidentiality protected in practice • HttpOnly-cookies can be replaced by overflowing the cookie jar from JavaScript Picture by Greg Putrich (flickr.com)

  14. Overwriting a Cookie Marked as ‘HttpOnly’ from JavaScript DEMO

  15. Isolating Cookies to Specific Paths THE ‘PATH’ ATTRIBUTE

  16. The ‘Path’ Attribute “The ‘Path’ attribute limits the scope of a cookie to a specific path on the server and can therefore be used to prevent unauthorized access to it from other applications on the same host.” – True or false?

  17. The ‘Path’ Attribute • Cookie Scope vs. Same-origin Policy Cookie Scope Same-origin Policy Port & Path Host/domain Protocol

  18. The ‘Path’ Attribute • Two different applications on shared host: – https://example.com/App1/ – https://example.com/App2/ Not isolated in /App1 terms of SOP! Isolated in terms https example of cookie scope (443) .com /App2

  19. Only Send Cookie to Intended Host(s) THE ‘DOMAIN’ ATTRIBUTE

  20. The ‘Domain’ Attribute “The ‘Domain’ attribute should be set to the origin host to limit the scope to that particular server. For example if the application resides on server app.mysite.com, then it should be set to domain=app.mysite.com” – True or false?

  21. The ‘Domain’ Attribute • With domain set, cookies will be sent to that domain and all its subdomains • The risk with subdomains is lower than when scoped to parent domain, but still relevant • Remove domain attribute to limit cookie to origin host only – Important note: IE will always send to subdomains regardless

  22. Limiting Exposure of Cookies COOKIE LIFETIME

  23. Cookie Lifetime “A session cookie , also known as an in-memory cookie or transient cookie , exists only in temporary memory while the user navigates the website.” (Wikipedia) – True or false?

  24. Cookie Lifetime • It’s up to the browser to decide when the session ends • ‘Non - persistent’ session cookies may actually be persisted to survive browser restart https://developer.mozilla.org/en-US/docs/Web/API/document/cookie

  25. RFC6265bis: Making Improvements to the Cookie Recipe MODERN COOKIE PROTECTIONS

  26. Strict Secure Cookies • Makes ‘secure’ cookies a little more secure by adding integrity protection • Prevents plain-text HTTP responses from setting or overwriting ‘secure’ cookies • Attackers still have a window of opportunity to “pre - empt” secure cookies with their own

  27. Cookie Prefixes • Problem: – Server only sees cookie name and value in HTTP request, no information about its attributes – Impossible for server to know if a cookie it receives was set securely • Solution: – ‘Smuggle’ information to server in cookie name – "__Secure-" prefix – "__Host-" prefix

  28. The ‘SameSite’ Attribute • Problem: – Cookies are sent with all requests to a server, regardless of request origin – Attackers can abuse this by initiating authenticated cross-origin requests, e.g., CSRF, XSSI, etc. • Solution: – New cookie attribute SameSite=[Strict|Lax] – Prevents cookies from being attached to cross-origin requests

  29. SUMMARY

  30. Summary • Key Takeaways: – Cookies are still largely based on a draft from 1994 – The security model has many weaknesses – Don’t build your application on false assumptions about cookie security – Application and framework developers should take advantage of new improvements to cookie security – Beware that not all browsers are using the same cookie recipe (yet)

  31. The ‘Ultimate’ Cookie • Is there an ‘ultimate’ cookie configuration? • This is probably the most secure configuration we have for now: Set-Cookie: __Host- SessionID=3h93…; Path=/;Secure;HttpOnly;SameSite=Strict

  32. The End Questions? @securitybits

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f; Expires=Wed, 09 Jun 2012 10:18:14 GMT Name Value Expiration Time Browser returns cookies in headers of later requests: Cookie: session=0x4137fd6a CS

701 views • 4 slides
Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough

Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough

Third to Fifth Grade Interpreting Student Work Task: Cookie Dough Chocolate Chip Cookie Dough Grade Level: 3 $5 a tub Subject: Math Peanut Butter Source: NYC Clear Creek School is fundraising. They Cookie Dough Department of $4 a tub

104 views • 6 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ?

COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ?

COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS What does it take to create a new ? Girl Scout Cookie? COOKIE LEADERSHIP INSTITUTE LITTLE BROWNIE BAKERS Theres a science that goes into every cookie food and nutrition

160 views • 12 slides
Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough

Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough

Third to Fifth Grade Planning Instruction to Support Students Chocolate Chip Task: Cookie Dough Cookie Dough Grade Level: 3 $5 a tub Subject: Math Peanut Butter Source: NYC Clear Creek School is fundraising. They Cookie Dough Department

527 views • 8 slides
Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I: Introduction to Programming Local variables, scopes, and complexity Autumn 2019 October 31, 2019 Example Cookie Calculator Cookie Calculator

685 views • 13 slides
Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to

Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to

Troop Cookie Team Training Welcome to the 2019 Cookie Program Service Unit Product Program Team Get to know your Service Unit Cookie Team! They are your mentors though the season and are a wealth of information. They can help

914 views • 75 slides
Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide state Examples: Items in shopping cart AuthenFcaFon! Cookies Passwords! Username + Password = Cookie If I know your authenFcaFon

712 views • 7 slides
Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time

Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time

Cookie Time Overview Business Framework BHAG Our Guiding Principles Our Values The Cookie Time Way Team Purpose / Rules Team Purpose Rule 1 Rule 2 Rule 3 The Board Making Big

343 views • 18 slides
Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft

Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft

Validation of HTTP cookie domains Yngve N. Pettersen Opera Software ASA draft -pettersen-dns-cookie-validate-00.txt draft -pettersen-subtld-structure-00.txt HTTP Cookies HTTP Cookies are named values sent to the client by the server, which the

424 views • 9 slides
Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven

Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven

Access or re-use of PSI? A cookie if you get it right! Katleen Janssen ICRI K.U.Leuven IBBT Joep Crompvoets Public Management Institute, K.U.Leuven Back in the day... Freedom of information Sweden 1766, UN Assembly 1946, USA

476 views • 6 slides
C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET

C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET

C -> S: GET http://www.example.com/ S -> C: page, including a login form C -> S: GET http://www.example.com/login? u=USER&p=PASSWD [server marks this session as authenticated] S -> C: Set-Cookie: sessionid= NONCE (Cookie is an

686 views • 19 slides
COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

CS 498RK SPRING 2020 COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your computer so that a site can remember you and what you did on subsequent visits Bro w se r Serve r first request

340 views • 23 slides
Please choose a fortune cookie Open and read the question to your table Have everyone

Please choose a fortune cookie Open and read the question to your table Have everyone

Please choose a fortune cookie Open and read the question to your table Have everyone at your table answer the question 1: 1:00 00 -2: 2:15 am 15 am Prep epar aring for S Succe ccessful M Meet eetings* Atriu trium B

932 views • 61 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Direct defense b. Stack Cookie; Canary -

713 views • 26 slides
NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015

NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015

NETWORK SCIENCE vs WIKILEAKS etc. Lovro Subelj Cookie seminar at FRI 19.3.2015 ACKNOWLEDGEMENTS Aleksandar Angelina Peter Marko Slavko Marinka Julian KARATE CLUB NETWORK 17 16 23 15 6 31 19 7 11 9 21 33 5 14 34 10 30

872 views • 15 slides
Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im

Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im

Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im impactful response taking effect, preparation for lif lifting restr trictions started Comparison of COVID 19 statistics in Qatar Perspectives with

162 views • 15 slides
Applying for Somerville CPA Funds: what you need to know FY17 Historic Resources & Open

Applying for Somerville CPA Funds: what you need to know FY17 Historic Resources & Open

Applying for Somerville CPA Funds: what you need to know FY17 Historic Resources & Open Space/Recreation Land CPA Overview What is the Community Preservation Act? Massachusetts law that 161 municipalities have adopted to create a fund

607 views • 35 slides
Funding Landscape for Telemental Health: a National Perspective Nancy Rowe Associate Director

Funding Landscape for Telemental Health: a National Perspective Nancy Rowe Associate Director

8/9/2019 Funding Landscape for Telemental Health: a National Perspective Nancy Rowe Associate Director for Outreach & Public Policy Southwest Telehealth Resource Center & Arizona Telemedicine Program 1 8/9/2019 Medicare &

349 views • 9 slides
Some Practical Applications of Con- straints planning, scheduling, timetabling (see

Some Practical Applications of Con- straints planning, scheduling, timetabling (see

Some Practical Applications of Con- straints planning, scheduling, timetabling (see Outline ILOG solver esp ecially) conguration what is a constraint electrical circuit analysis, synthesis, and di-

155 views • 14 slides
of the food industry Karolline Krambeck 1, *, Ana Oliveira 2 , Delfim Santos 1 , Manuela E. Pintado

of the food industry Karolline Krambeck 1, *, Ana Oliveira 2 , Delfim Santos 1 , Manuela E. Pintado

Evaluation of stilbenes content in Passiflora edulis by-products of the food industry Karolline Krambeck 1, *, Ana Oliveira 2 , Delfim Santos 1 , Manuela E. Pintado 2 , Joo B. Silva 3 , Jos M. S. Lobo 1 and Maria Helena Amaral 1 1 UCIBIO,

429 views • 12 slides
MOL2NET, 2018, 4, http://sciforum.net/conference/mol2net-04 2 Introduction Stilbenes are plant

MOL2NET, 2018, 4, http://sciforum.net/conference/mol2net-04 2 Introduction Stilbenes are plant

MOL2NET, 2018, 4, http://sciforum.net/conference/mol2net-04 1 MOL2NET, International Conference Series on Multidisciplinary Sciences MDPI Quantitative Structure-Antileukemic Activity Models of Stilbenoids: A Theoretical Study Adela Len Peris

681 views • 4 slides
Molecular docking and pharmacokinetic and toxicological predictions of natural compounds with

Molecular docking and pharmacokinetic and toxicological predictions of natural compounds with

Molecular docking and pharmacokinetic and toxicological predictions of natural compounds with anticholinesterasic activity Daniel Castro da Costa, Heldem Ronam Cristo Teixeira, Lorane Izabel da Silva Hage-Melim* 1 Laboratory of

408 views • 27 slides
Exploitation of PLGA conjugates in drug delivery Francesca SELMIN, PhD MIPOL Milan Polymer

Exploitation of PLGA conjugates in drug delivery Francesca SELMIN, PhD MIPOL Milan Polymer

Exploitation of PLGA conjugates in drug delivery Francesca SELMIN, PhD MIPOL Milan Polymer Days February 15-16, 2017 Implants are non -conventional drug delivery systems for parenteral implantation. Definition (Eur. Pham. 9 th ed

282 views • 12 slides

More recommend