HashCookies A Simple Recipe

Similar documents
The HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1

ECE697AA Lecture 2. Today s lecture

Getting Some REST with webmachine. Kevin A. Smith

Web Programming 4) PHP and the Web

The TCPProxy. Table of contents

Whatever it takes. Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel

Introduc)on to Computer Networks

Common Websites Security Issues. Ziv Perry

Privacy defense on the Internet. Csaba Kiraly

HTTP Protocol and Server-Side Basics

Introduction to Ethical Hacking

UA-Tester.... or why Web-Application Penetration Testers are only getting half the story

Penetration Test Report

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

Introduction to HTTP. Jonathan Sillito

HTTP TRAFFIC CONSISTS OF REQUESTS AND RESPONSES. All HTTP traffic can be

CSCI-1680 WWW Rodrigo Fonseca

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Matt Terwilliger. Networking Crash Course

Secure Programming Lecture 9: Web Application Security (intro, authentication)

An HTTP-Based Versioning Mechanism for Linked Data. Presentation at

CSCI-1680 WWW Rodrigo Fonseca

Building next-gen Web Apps with WebSocket. Copyright Kaazing Corporation. All rights reserved.

HTTP Review. Carey Williamson Department of Computer Science University of Calgary

Lecture 3. HTTP v1.0 application layer protocol. into details. HTTP 1.0: RFC 1945, T. Berners-Lee HTTP 1.1: RFC 2068, 2616

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Abysssec Research. 1) Advisory information. 2) Vulnerability Information

World Wide Web, etc.

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

The Architecture of the World Wide Web

Proxying. Why and How. Alon Altman. Haifa Linux Club. Proxying p.1/24

The Architecture of the World Wide Web

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Corporation in the Middle. Lee

Amazon Simple Workflow Service. API Reference API Version

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

CS 43: Computer Networks. Layering & HTTP September 7, 2018

REST. Lecture BigData Analytics. Julian M. Kunkel. University of Hamburg / German Climate Computing Center (DKRZ)

The BIG-IP System With Intelligent Compression: Cutting Application Delivery Time and Optimizing Bandwidth

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

CSWAE Certified Secure Web Application Engineer

Applications & Application-Layer Protocols: The Web & HTTP

The SSL security extension from a programmer's point of view How to write servers and clients in Java. The HTTP Protocol

White Paper: Next-Gen Network Traffic Analysis (NTA): Log-based NTA vs. Packet-based NTA

How the Internet Works

Kaazing Gateway: An Open Source

static phlapa.east.verizon.net /

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Certified Secure Web Application Engineer

::/Topics/Configur...

SECURE CODING ESSENTIALS

SECURING APACHE : ATTACKS ON SESSION MANAGEMENT

HTTP Authentication API

World-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved

Lecture 2: Applications and Application Programming

Web Architecture and Technologies

CS193i Handout #18. HTTP Part 5

Cookie Security. Myths and Misconceptions. David Johansson OWASP London 30 Nov. 2017

ICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol

Web Application Forensics

Stopping Automated Application Attack Tools

High performance and scalable architectures

Yioop Full Historical Indexing In Cache Navigation. Akshat Kukreti

WEB SECURITY p.1

Zero Latency HTTP The comet Technique

Caching. Caching Overview

How to work with HTTP requests and responses

Security of. Cookies

The HTTP Protocol HTTP

CS144 Notes: Web Standards

Name Student ID Department/Year. Midterm Examination. Introduction to Computer Networks Class#: 901 E31110 Fall 2015

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

En#ty Authen#ca#on and Session Management

Session 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Topics. Why Web Application Security? Web Security

cellip CELLIPS SMS INTERFACE DESCRIPTION HTTP GET INNEHÅLLSFÖRTECKNING

CSE 333 Lecture HTTP

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

ATS Test Documentation

CS 43: Computer Networks. HTTP September 10, 2018

Internet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

I apologize for being away last week...

02267: Software Development of Web Services

SECURECOMM. JumpBox A Seamless Browser Proxy for Tor Pluggable Transports. Jeroen Massar, Farsight Security, Inc. IPv6 Golden Networks

vrealize Log Insight Developer Resources

Assignment, part 2. Statement and concepts INFO-0010

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

REALIZATION CONCEPT Version: 1.02

HTTP, circa HTTP protocol. GET /foo/bar.html HTTP/1.1. Sviluppo App Web 2015/ Intro 3/3/2016. Marco Tarini, Uninsubria 1

Secure Session Management

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Web Security, Part 2

Transcription:

OWASP London Chapter - 21st May 2009 HashCookies A Simple Recipe Take a cookie Add some salt Add a sequence number John Fitzpatrick Full paper at http://labs.mwrinfosecurity.com

Structure What are hashcookies Benefits How they work Outcomes

What are HashCookies They are cookies which are hashed with a random salt Prevent an intercepted session ID being useful to an attacker What they are not They are not a means to secure data in transit. SSL does that.

Benefits Prevent an intercepted session ID being useful to an attacker Prevent session hijacking being feasible, whatever means are used to obtain the session. XSS, weak session IDs, session fixation, session IDs revealed through whatever means etc...

They make use of 3 values Session ID Salt Sequence Number

GET / HTTP/1.0 Host: www.mwrinfosecurity.com User Agent: Mozilla/7.0 (X11; U; Linux i986; en GB; rv:1.9.0.3) Accept: text/html,application/xml;q=0.9,*/*;q=0.8,hashcookie Accept Language: en gb,en;q=0.5 Accept Encoding: gzip,deflate Accept Charset: ISO 8859 1,utf 8;q=0.7,*;q=0.7 Keep Alive: 300 Proxy Connection: keep alive

HTTP/1.1 200 OK Date: Thu, 04 Dec 2008 17:37:29 GMT Server: server Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache Control: no store, no cache, must revalidate, post check=0, pre check=0 Set Cookie: SESSION=cb58609ecb4b8f5b4fd1235c7bd60aeb; salt=ea043ecb41517205154ddf8c658b6d0961c17fe3; path=/; Pragma: no cache Content Length: 4347 Keep Alive: timeout=5, max=100 Connection: Keep Alive Content Type: text/html

HashCookie = sha1(currentsessionid-salt-sequencenumber) Set Cookie: SESSION=cb58609ecb4b8f5b4fd1235c7bd60aeb; salt=ea043ecb41517205154ddf8c658b6d0961c17fe3; HashCookie = sha1( cb58609ecb4b8f5b4fd1235c7bd60aeb ea043ecb41517205154ddf8c658b6d0961c17fe3 1) = a29befed094761ea3dfa9e9de164b5fdfbc7d6a9

GET /nextpage.mwr HTTP/1.0 Host: www.mwrinfosecurity.com User Agent: Mozilla/7.0 (X11; U; Linux i986; en GB; rv:1.9.0.3) Accept: text/html,application/xml;q=0.9,*/*;q=0.8,hash cookie Accept Language: en gb,en;q=0.5 Accept Encoding: gzip,deflate Accept Charset: ISO 8859 1,utf 8;q=0.7,*;q=0.7 Keep Alive: 300 Proxy Connection: keep alive Cookie: SESSION=cb58609ecb4b8f5b4fd1235c7bd60aeb a29befed094761ea3dfa9e9de164b5fdfbc7d6a9 1 Pass the session ID and sequence number up with request too they form the cookie

Request to server Hash cookie valid? Y: Honour request N: Do not honour request

HashCookie = sha1(currentsessionid salt sequencenumber) Cookie = SessionID HashCookie sequencenumber

Out of order requests Multi Threading

This is where the sequence number is important Valid window of cookies

So what if we have a hashcookie with sequence number greater than that of next hashcookie pointer but with a valid hashcookie?

HashCookie = sha1(currentsessionid salt sequencenumber) Cookie = SessionID HashCookie sequencenumber

Server receives request Sequence number not in window? Reject Sequence number in available hashcookies window? HashCookie is valid? Remove hashcookie from window Increment Next hashcookie pointer Shift everything below it into Unused hashcookies window Honour request

HashCookie = sha1(currentsessionid salt sequencenumber) Cookie = SessionID HashCookie sequencenumber

So what if we have a cookie with sequence number less than that of next hashcookie pointer?

HashCookie = sha1(currentsessionid salt sequencenumber) Cookie = SessionID HashCookie sequencenumber

Server receives request Sequence number not in window? Reject Sequence number in unused hashcookies window? HashCookie not outside of acceptable range? Remove hashcookie from window Honour request

HashCookie = sha1(currentsessionid salt sequencenumber) Cookie = SessionID HashCookie sequencenumber

Outcomes Questions? Anyone broken it yet? Should we be looking to push for this type of improvement in our browsers/web servers? Is this something that we can see working? http://labs.mwrinfosecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback