Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
DanBoneh
Web Security: Session Management
CS155
DanBoneh
Sameoriginpolicy:reviewReview:SameOriginPolicy(SOP)forDOM:
–OriginAcanaccessoriginB’sDOMifmatchon(scheme,domain,port)
Thislecture:SameOriginalPolicy(SOP)forcookies:
– Basedon:([scheme], domain,path)
optional
scheme://domain:port/path?params
DanBoneh
scope
Setting/deleting cookies by server
Default scope is domain and path of setting URL
Browser ServerGET …
HTTP Header:Set-cookie: NAME=VALUE ;
domain = (when to send) ;path = (when to send)secure = (only send over SSL);expires = (when expires) ;HttpOnlySameSite = [lax | strict]
ifexpires=NULL:thissessiononly
ifexpires=pastdate:browserdeletescookie
weakXSSdefense
weakCSRFdefense
DanBoneh
Scope setting rules (write SOP)
domain:anydomain-suffixofURL-hostname,exceptTLD
example:host=“login.site.com”
• login.site.com cansetcookiesforallof.site.com butnotforanothersiteorTLD
Problematicforsiteslike.stanford.edu (andsomehostingcenters)
path:canbesettoanything
allowed domainslogin.site.com
.site.com
disallowed domainsother.site.comothersite.com
.com
DanBoneh
Cookies are identified by (name,domain,path)
Both cookies stored in browser’s cookie jarboth are in scope of login.site.com
cookie 1name = useridvalue = testdomain = login.site.compath = /secure
cookie 2name = useridvalue = test123domain = .site.compath = /secure
distinctcookies
DanBoneh
Reading cookies on server (read SOP)
BrowsersendsallcookiesinURLscope:
• cookie-domainisdomain-suffixofURL-domain,and
• cookie-pathisprefixofURL-path,and
• [protocol=HTTPSifcookieis“secure”]
Goal:serveronlyseescookiesinitsscope
Browser ServerGET//URL-domain/URL-pathCookie:NAME=VALUE
DanBoneh
Examples
http://checkout.site.com/http://login.site.com/https://login.site.com/
cookie1name=useridvalue=u1domain=login.site.compath=/secure
cookie2name=useridvalue=u2domain=.site.compath=/non-secure
both set by login.site.com
cookie:userid=u2cookie:userid=u2cookie:userid=u1;userid=u2
DanBoneh
Clientsideread/write:document.cookieSettingacookieinJavascript:
document.cookie=“name=value;expires=…;”
Readingacookie: alert(document.cookie)prints stringcontainingallcookiesavailablefordocument(basedon[protocol],domain,path)
Deletingacookie:document.cookie=“name=;expires=Thu,01-Jan-70”
HttpOnly cookies:notincludedindocument.cookie
DanBoneh
javascript: alert(document.cookie)
Javascript URL
Displays all cookies for current document
DanBoneh
Viewing/deleting cookies in Browser UI
DanBoneh
Cookieprotocolproblems
DanBoneh
Cookie protocol problemsServerisblind:
– Doesnotseecookieattributes(e.g.secure,HttpOnly)– Doesnotseewhichdomainsetthecookie
Serveronlysees: Cookie:NAME=VALUE
DanBoneh
Example 1: login server problems1. Alicelogsinatlogin.site.com
login.site.com setssession-idcookiefor.site.com
2.Alicevisitsevil.site.comoverwrites.site.com session-idcookiewithsession-idofuser“badguy”
3.Alicevisitscourse.site.com tosubmithomeworkcourse.site.com thinksitistalkingto“badguy”
Problem:course.site.com expectssession-idfromlogin.site.com;cannottellthatsession-idcookiewasoverwritten
DanBoneh
Example 2: “secure” cookies are not secureAlicelogsinathttps://accounts.google.com
Alicevisitshttp://www.google.com (cleartext)• Networkattackercaninjectintoresponse
Set-Cookie:SSID=badguy;secureandoverwritesecurecookie
Problem:networkattackercanre-writeHTTPScookies!• HTTPScookievaluecannotbetrusted
set-cookie:SSID=A7_ESAgDpKYk5TGnf;Domain=.google.com;Path=/;Expires=Wed,09-Mar-202618:35:11GMT;Secure;HttpOnly
set-cookie:SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com;Path=/;Expires=Wed,09-Mar-202618:35:11GMT;Secure
DanBoneh
Interaction with the DOM SOPCookieSOPpathseparation:
x.com/A doesnotseecookiesofx.com/B
Notasecuritymeasure:x.com/A hasaccesstoDOMofx.com/B
<iframe src=“x.com/B"></iframe>
alert(frames[0].document.cookie);
Pathseparationisdoneforefficiencynotsecurity:x.com/Aisonlysentthecookiesitneeds
DanBoneh
Cookies have no integrityUsercanchangeanddeletecookievalues
• Editcookiedatabase(FF:cookies.sqlite)• ModifyCookieheader(FF:TamperData extension)
Sillyexample:shoppingcartsoftwareSet-cookie: shopping-cart-total=150 ($)
Usereditscookiefile(cookiepoisoning):Cookie: shopping-cart-total=15 ($)
Similarproblemwithhiddenfields<INPUTTYPE=“hidden”NAME=priceVALUE=“150”>
16
DanBoneh17
Not so silly … (old)
• D3.COM Pty Ltd: ShopFactory 5.8• @Retail Corporation: @Retail• Adgrafix: Check It Out• Baron Consulting Group: WebSite Tool • ComCity Corporation: SalesCart• Crested Butte Software: EasyCart• Dansie.net: Dansie Shopping Cart• Intelligent Vending Systems: Intellivend• Make-a-Store: Make-a-Store OrderPage• McMurtrey/Whitaker & Associates: Cart32 3.0 • [email protected]: CartMan 1.04 • Rich Media Technologies: JustAddCommerce 5.0 • SmartCart: SmartCart• Web Express: Shoptron 1.2
Source:http://xforce.iss.net/xforce/xfdb/4621
DanBoneh
Solution: cryptographic checksums
Bindingtosession-id(SID)makesithardertoreplayoldcookies
Goal:dataintegrityRequiresserver-sidesecretkeykunknowntobrowser
Browser Server kSet-Cookie:NAME= value T
Cookie:NAME= value T
Generate tag: T ⟵ MACsign(k, SID ll name ll value )
Verify tag: MACverify(k, SID ll name ll value, T)
DanBoneh19
Example: ASP.NETSystem.Web.Configuration.MachineKey
– Secretwebserverkeyintendedforcookieprotection
Creatinganencryptedcookiewithintegrity:
HttpCookie cookie =new HttpCookie(name, val);HttpCookie encodedCookie=
HttpSecureCookie.Encode (cookie);
Decryptingandvalidatinganencryptedcookie:
HttpSecureCookie.Decode (cookie);
DanBoneh
SessionManagement
DanBoneh
SessionsAsequenceofrequestsandresponsesfromonebrowsertoone(ormore)sites
– Sessioncanbelong(e.g.Gmail)orshort– withoutsessionmgmt:
userswouldhavetoconstantlyre-authenticate
Sessionmgmt:authorizeuseronce;– Allsubsequentrequestsaretiedtouser
DanBoneh
Pre-history: HTTP authHTTP request: GET /index.htmlHTTP response contains:
WWW-Authenticate: Basic realm="Password Required“
Browsers sends hashed password on all subsequent HTTP requests:Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=
DanBoneh
HTTP auth problemsHardlyusedincommercialsites:
• Usercannotlogoutotherthanbyclosingbrowser– Whatifuserhasmultipleaccounts?multipleusersonsamemachine?
• Sitecannotcustomizepassworddialog
• Confusingdialogtousers
• Easilyspoofed
DanBoneh
Session tokensBrowser
GET/index.html
setanonymoussessiontoken
GET/books.htmlanonymoussessiontoken
POST/do-loginUsername&password
elevatetoalogged-insessiontoken
POST/checkoutlogged-insessiontoken
checkcredentials(crypto)
Validatetoken
website
DanBoneh
Storing session tokens: Lots of options (but none are perfect)
Browsercookie:Set-Cookie:SessionToken=fduhye63sfdb
EmbedinallURLlinks:https://site.com/checkout?SessionToken=kh7y3b
Inahiddenformfield:<inputtype=“hidden”name=“sessionid” value=“kh7y3b”>
DanBoneh
Storing session tokens: problemsBrowsercookie:browsersendscookiewitheveryrequest,
evenwhenitshouldnot(CSRF)
EmbedinallURLlinks:tokenleaksviaHTTPReferer header
Inahiddenformfield:doesnotworkforlong-livedsessions
Bestanswer:acombinationofalloftheabove.
(orifuserpostsURLinapublicblog)
DanBoneh
The HTTP referer header
Referer leaksURLsessiontokento3rd parties
Referer supression:• notsentwhenHTTPSsitereferstoanHTTPsite• inHTML5:<a rel=”noreferrer” href=www.example.com>
DanBoneh
The Logout ProcessWebsitesmustprovidealogoutfunction:• Functionality:letusertologinasdifferentuser• Security:preventothersfromabusingaccount
Whathappensduringlogout:1.DeleteSessionToken fromclient2.Marksessiontokenasexpiredonserver
Problem:manywebsitesdo(1)butnot(2)!!⇒ EspeciallyriskyforsiteswhofallbacktoHTTPafterlogin
DanBoneh
Sessionhijacking
DanBoneh
SessionhijackingAttackerwaitsforusertologin
thenattackerstealsuser’sSessionTokenand“hijacks” session
⇒ attackercanissuearbitraryrequestsonbehalfofuser
Example:FireSheep [2010]
FirefoxextensionthathijacksFacebooksessiontokensoverWiFi.Solution:HTTPSafterlogin
DanBoneh
Beware: Predictable tokensExample1: counter
⇒ userlogsin,getscountervalue,canviewsessionsofotherusers
Example2:weakMAC.token={ userid,MACk(userid)}• WeakMACexposes k fromfewcookies.
ApacheTomcat:generateSessionId()• ReturnsrandomsessionID[serverretrievesclientstatebasedonsess-id]
DanBoneh
Sessiontokensmustbeunpredictabletoattacker
Togenerate:useunderlyingframework(e.g.ASP,Tomcat,Rails)
Rails:token=MD5(currenttime,randomnonce )
DanBoneh
Beware:SessiontokentheftExample1:loginoverHTTPS,butsubsequentHTTP• EnablescookietheftatwirelessCafé (e.g.Firesheep)• Otherwaysnetworkattackercanstealtoken:
– SitehasmixedHTTPS/HTTPpages⇒ tokensentoverHTTP– Man-in-the-middleattacksonSSL
Example2:CrossSiteScripting(XSS)exploits
Amplifiedbypoorlogoutprocedures:– Logoutmustinvalidatetokenonserver
DanBoneh
Mitigating SessionToken theft by binding SessionToken to client’s computer
ClientIPaddr:makesithardertousetokenatanothermachine– ButhonestclientmaychangeIPaddr duringsession
• clientwillbeloggedoutfornoreason.
Clientuseragent: weakdefenseagainsttheft,butdoesn’thurt.
SSLsessionid:sameproblemasIPaddress(andevenworse)
Acommonidea:embedmachinespecificdatainSID
DanBoneh
SessionfixationattacksSupposeattackercansettheuser’ssessiontoken:• ForURLtokens,trickuserintoclickingonURL• Forcookietokens,setusingXSSexploits
Attack:(say,usingURLtokens)
1. Attackergetsanonymoussessiontokenforsite.com
2. SendsURLtouserwithattacker’ssessiontoken
3. UserclicksonURLandlogsintosite.com– thiselevatesattacker’stokentologged-intoken
4. Attackeruseselevatedtokentohijackuser’ssession.
DanBoneh
Sessionfixation:lesson
When elevating user from anonymous to logged-in:
always issue a new session token
After login, token changes to value unknown to attacker
⇒ Attacker’s token is not elevated.
DanBoneh
Summary
• Alwaysassumecookiedataretrievedfromclientisadversarial
• Sessiontokensaresplitacrossmultipleclientstatemechanisms:– Cookies,hiddenformfields,URLparameters– Cookiesbythemselvesareinsecure(CSRF,cookieoverwrite)– Sessiontokensmustbeunpredictableandresisttheftbynetworkattacker
• Ensurelogoutinvalidatessessiononserver
DanBoneh
THEEND