WebApp Sec mailing list archives
Re: [WEB SECURITY] cookies a fundamental threat?
From: Achim Hoffmann <kirke11 () securenet de>
Date: Mon, 1 May 2006 00:25:27 +0200 (MEST)
Thanks to Brian to open a new thread [5] on this subject. First of all I guess that there is a need to point to the right context where my statement (see subject) was made: it was in reply to Amit's [2] "There is no such thing as path security" so please don't confuse this issue with a more general "cookies are insecure". In the other thread "Fundamental error in Corsaire's paper?" starting at [1]) the focus is more on difference in other statements, not on cookies. Hence I didn't go into details why cookies can be insecure and therefore a threat for web applications. Now we have a new thread [5] to discuss this in detail. I guess that it will get a long one. ----------------------------- Said this, I'll try to explain why there is a threat, sometimes .. In the majority of cases web applications use cookies to transport the session ID or the like. Cookies, in this case, are commonly used as synonym for session ID. When I say that cookies are a threat to web applications, I only refer to this usage of cookies.
From this point of view, we have to look at all parts of this technique,
staring at the RFC, looking at the browser behavious, and how developers
currently use and rely on this. Finally we probably find and agree on
best practice according web application security.
When I said threat for web applications, it was according the problems
identified by Amit Klein [8] in contrary/difference to Martin O'Neal [7].
In addition to the discussion if cookie paths are something secure, I've
thrown in my observations about different browser behaviours [3] still
waiting for answers there:).
If we look at all these problems, which should not exist according the RFCs,
we see that cookie paths are something unreliable.
In addition to that, rule number one when talking about web application
security is "verify all input". But how would an application verify/validate
a cookie path? Simple question, simple answer: it cannot. Dot.
(Note: I'm not talking about cookie2 according RFC2965, or cookies with proper
encrypted value including the path)
As Amit said [4], the browser vendors should not be blamed.
Others say that application developers should not be blamed 'cause there're
so many applications, frameworks, tools in the wild which support cookies.
So the question remains: where to fix the security issue?
Application devolpers argue that they use standards (RFC), but they forget
to tell you that this standard relies on many things which could not be
enforced by the application. A hazardous trustment, IMHO.
Here are some threats which exists with the current usage of cookies, some of
them have been shown by others many times before. The follwoing list is
incomplete, just a few examples.
Problems which occour only with cookies, but not with hidden fields:
- cookie theft anywhere in the application
- cookie theft anywhere in the same domain (see [7], [8])
- cookie fixiation anywhere in the domain
These attacks are simple (just XSS) and are well known since a long time.
Even applications free of XSS vulnerabilities can be attacked.
These vulnerabilities lead to attacks like session hijacking, session fixation,
session riding (aka CSRF, web trojan) and some sort of DoS.
Additonally cookies are prone to attacks on server level (HTTP header for
example TRACE method). Keep in mind, that, even worse, the web server (TRACE
method) is not under control of the application nor its developers, usually.
In contary hidden fields can only be attacked within the application itself,
more specific in the page they are used. Session riding is impossible, session
fixation very hard, just session hijacking remains but is not simple too (I'm
talking about automated attacks, not shoulder surfing).
If we just compare this, there is one single point for an attack to hidden
fields, while cookies can be attacked anywhere, infinite posibilities ...
Using paths and secure flags for the cookie reduces the number of potential
attack points, but still not to one.
That's why I said that cookies are a threat to web applications.
Conclusion: if we assume that the sesion ID itself is secure (random, not
predicatble, etc. etc.) an application developer has nothing more to do for
web application security than ensuring that the page where it is used is
secure (free of XSS flaws for example), while with cookies at least the
whole application has to fit this requirement and also the server has to be
configurerd properly.
And even if that gets all fixed, the cookie solution suffers from knwon
browser bugs (path issues, cross domain issues, etc.).
Please correct me if I'm wrong.
Final note: I won't claim that hidden fields are better than cookies. I've
just shown a few examples where cookies loose. There're other techniques
like URL rewriting or basic/digest authentication, which all have their
pros and cons too.
Also note that anthing described here just covers the application's view of
security, in particular I don't care about sniffing, information disclosure
in logfiles or browser bugs, just on what this mailing list is for:
web application security.
Pointing to the problems and vulnerabilities is one part of web application
security, giving solutions or best practice another one. Up to now I left
out the best practice part, simply 'cause I guess there is no simple
to use suggestion, at least I don't know of any general one.
Hopefully the discussion here sheds more light on these problems.
{-: Achim
References
* Fundamental error in Corsaire's paper?
[1] http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00061.html
[2] http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00108.html
[3] http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html
[4] http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00105.html
* cookies a fundamental threat?
[5] http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00113.html
[6] http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00114.html
* Crosaire Paper
[7] http://www.corsaire.com/white-papers/040323-cookie-path-best-practice.pdf
* Path Insecuirty
[8] http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
Current thread:
- cookies a fundamental threat? Brian Eaton (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 02)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)? Pilon Mntry (Apr 30)