Re: How to protect against cookie stealing?

[Mark Reardon <riscorp () mindspring com>]

-------Original Message-------
From: Phil Cox <Phil.Cox () SystemExperts com>
Sent: 07/24/03 01:33 AM
To: webappsec () securityfocus com
Subject: How to protect against cookie stealing?

> All,

I have a question on how people are handling cookie stealing and session
segregation. For example, it is possible to use session cookie information
on multiple systems for most (all?) web applications I know of.  Here is a
scenario:

When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as
an authorization mechanism in the application.  The application  does not
associate the cookie to any session-specific information (e.g., source IP
address), so another user can also use the BLAH_SESSIONID cookie to access
the same information (over a different TCP/IP session) that the legitimate
user can.  If an attacker obtains, or guesses a valid BLAH_SESSIONID
cookie
for an active session, he can use it without the user's knowledge. For
example, I was able to execute the following command using an
BLAH_SESSIONID
that was obtained from another session: Command on Linux box: 

  # curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX"
https://somesite.com/App/Function? 

  Returns the page: (some portion of the returned page)

Historically I have believed that having the application associate the
BLAH_SESSIONID session cookie and its associated privileges with a
specific
SSL session or source IP address would prevent this session stealing. But
recently I have been told that this solution does not work because of the
dynamic IP nature of MANY ISP's and the disassociation of SSL/HTTP. I
would
like to know what others are doing to solve this problem, or if they are
just not solving it at all.

Thoughts and comments are appreciated...

Phil


> End of Original Message

Two issues:

1. If I understand your statement about IP address and SSL session association, then I believe there is a flaw in the 
logic. The browsing computer or server in a session must not change since the computer must have the keys for the SSL 
session. If, for example, a server changes, then a new SSL session must be negotiated and this tends to cause a burp in 
session performance. Therefore, this does not normally occur.

There may be something I don't understand here but please read on.

2. Any static cookie is subject to being stolen. What the government used to require of internet banks (1995 and 1996) 
was that cookies had to change on a per screen (or action) basis. If the wrong cookie was received the session was 
logged out. 

I believe we used a random number that was then encrypted. The key that was derived from a hash of bits such as the 
host portion of the browser's network socket and the browser's identifying HTTP string. Thus, each session had 
potentially a different key value that was recoverable from the information available to a CGI. 

Since each screen had a different random value, the combination caused hard crack attempts to be too time consuming and 
frankly, difficult, to be of value. We also had a short timeout so an idle browser only had so much exposure. It wasn't 
perfect but it closed things down a bit.

We stored the random value in our backend database. The advanage of this is that the web servers could fail over 
(causing an SSL session renegotiation) and the banking session would not die. However, if the browser were to fail over 
or change IP address, we would have logged the user out of their session due to a bad cookie.



Mark

----
Mark Reardon
Reardon Information Security Corporation
(404) 444-0041