Cookie Specification Vulnerabilities
Pages: 1, 2
Inserting a Cookie into HTML
There are several ways to insert a cookie into HTML. The most simple is through a META-tag. Alternatives include JavaScript on the client-side, and every possible server-side technology such as CGI, PHP, and SSI. We will not consider client-side solutions, since they require the use of specific technologies that your hosting provider may not make available.
Using Cookies Through the META-tag
Here's an example of setting a cookie with a <META> tag:
<META HTTP-EQUIV="Set-Cookie" CONTENT="John=Hacker;
expires= Mon, 29-Dec-2003 03:00:00 GMT; path=/; domain=extrasy.net; secure">Using Cookies with JavaScript
This is the most popular way since it is simple enough for the developer, does not require any special server software, and can use dynamic data generated by JavaScript or entered by the user. Here is an example of JavaScript that applies those ideas:
<script language="JavaScript">
<!--
var username = GetCookie('username');
if (username == null) {
username = prompt('Enter your name or click Cancel','');
if (username == null) {
alert('Okay, you will be GUEST');
username = 'GUEST';
} else {
pathname = location.pathname;
myDomain = pathname.substring(0, pathname.lastIndexOf('/')) +'/';
var largeExpDate = new Date ();
largeExpDate.setTime(largeExpDate.getTime() + (365 * 24 * 3600 * 1000));
SetCookie('username', username, largeExpDate, myDomain);
}
}
function getCookieVal (offset) {
var endstr = document.cookie.indexOf (";", offset);
if (endstr == -1)
endstr = document.cookie.length;
return unescape(document.cookie.substring(offset, endstr));
}
function GetCookie (name) {
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i, j) == arg)
return getCookieVal (j);
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0)
break;
}
return null;
}
function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure"; : "");
}
document.write('<p align=center>Hello, ' + username + '</p>');
// --></SCRIPT>Cookie Attacks
As one sub-domain can only have 20 cookies, it's possible to exceed this limit if you have access to such a server. Upload the following HTML file on the server that the victim will use, such as the free email server described above.
<html><head>
<META HTTP-EQUIV="Set-Cookie" CONTENT="John01=Hacker01;
EXPIRES=Mon, 29-Dec-2004 03:03:03 GMT;">
<META HTTP-EQUIV="Set-Cookie" CONTENT="John02=Hacker02; EXPIRES=
Mon, 29-Dec-2004 03:03:03 GMT;">
...
<META HTTP-EQUIV="Set-Cookie" CONTENT="John20=Hacker20;
EXPIRES=Mon, Mon, 29-Dec-2004 03:03:03 GMT;">
</head></html>Add at least 20 such records. Save this file as cook.htm; we
will use it in other examples.
Another attack is to rewrite user cookies with empty or dummy data. This
exploits the cookies specification's limit of only 300 cookies. For this
attack, you need to register several sites on one of the numerous free hosting
providers' domain names, such as hack.site1.net, hack.site2.net, etc. Place on
each of them the above-mentioned cook.htm. The following
index.html, uploaded to any free host, will attack the user and
force the removal of all host cookies:
<html><head></head>
<frameset rows="0,0,0,0,0,0,0,0,0,0,0,0,0,0,*">
<frame scrolling="no" noresize target="hack.site1.net/cook.htm">
<frame scrolling="no" noresize target="hack.site2.net/cook.htm">
...
<frame scrolling="no" noresize target="hack.site15.net/cook.htm">
</frameset></html>Another attack could force the user's browser to load and store a couple of megabytes of garbage cookie information. Depending on his connection, this could cause a disconnection.
<META HTTP-EQUIV="Set-Cookie"
CONTENT="Data=You need to paste here 4kb of any trash data;
EXPIRES= Mon, 29-Dec-2003 03:03:03 GMT;">Cookie Status in Current Browsers
I would also like to provide a brief kick-test of the most popular browsers and the results of such cookie attacks. I've explored the browsers Internet Explorer, Netscape Communicator, Mozilla, and two console-only ones, Lynx and Links (which are mostly used on a Unix-running platforms).
The first attack produced expected results on all browsers. It is mostly not a technical attack, but a specification attack. However, it doesn't look to be very sensitive, as it will just render unavailable cookies for the specific domain. It could be fixed by disallowing cookies from non-authoritative sub-domains. Normally, it should not influence the work.
Moving forward, I've discovered that Netscape Communicator and Internet Explorer are not vulnerable to simple attacks, as described below. I did notice some strange cookie modifications by IE (in my tests it was Internet Explorer 5.00.2920.0000 with no Service Packs installed) during the attack of overloading the cookies cache with more then 300 cookies. Still, I suspect it's not vulnerable to such attacks.
As for text browsers Lynx and Links, I successfully attacked a cache of cookies using Lynx (2.8.4rel.1 from my sandbox) and Links (2.1pre11). From the other side, I can't say for sure that Lynx and Links are vulnerable browsers. Neither Lynx nor Links has a recently released version -- their releases are much like those I used for my tests. However, both of these browsers have development versions, and the results of attacks on the development versions differ greatly from the releases. I compromised the latest Lynx release version, which is 2.8.4, but the attack failed on the 2.8.5 dev 16, the latest available development version. I also failed to compromise Links browser links-2.1.pre14. This sounds like the developers are aware of security problems.
As for the Mozilla browser (Firebird from my sandbox) it also wasn't vulnerable, although it started swapping for about 30 to 60 seconds. I wasn't able to mention what changes have been made in the cache; everything kept working as it used to before the attacks.
To crown it all, I should say that the most modern and updated browsers are not vulnerable to simple cookie attacks, except for backdoors in the cookies specification. These are only fixable by good system-use policies.
Many of you may now say, "Oh, there is no need to worry about cookies now, my IE is not vulnerable!". But I've only performed tests for very, very simple cookie bugs. All these tests really indicate is that these browsers are pretty safe from kids' games, but not necessarily from professional attacks. If you refer to an archive of security papers devoted to cookies vulnerabilities of many versions of the different browsers, you won't feel so safe, although you will know better know what to protect yourself from.
Why did I consider only such simple attacks? Because of safety issues. I wanted to demonstrate vulnerability examples that are visible to any user merely familiar with the cookies specification. Unfortunately, there are many more complex ways to use cookies destructively. It's a pity, but there is no universal protection. If you disable cookies, you'll be locked out of many ubiquitous services. Installing additional programs to control and to supervise cookies can help, but it can be inconvenient.
Hopefully, a new cookie specification will soon emerge to provide the same useful service with more security. Until then, be careful.
Alexander Prohorenko is a certified professional, who holds Sun Certified System Administrator and Sun Certified Java Programmer certifications.
Return to the Security DevCenter.
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 7 of 7.
-
What About RFC 2965?
2004-05-12 23:26:57 Morxy [Reply | View]
Alexander faults the Netscape Cookie Specification (NCS) and then hopes a new, improved specification will emerge. But what about RFC 2109 (Feb 1997) and RFC 2965 (Oct 2000). These both suggest cookie improvements, with new HTTP headers (Set-Cookie2), a different way of specifying lifespan (Max-Agein seconds rather than an absolute date withExpires) and a protocol by which servers can revoke cookies they'd earlier left with clients.
All in all, this article is pretty helpful. It never hurts to be reminded of security vulnerabilities. But the NCS is 9 years old and has been obsoleted by 2 RFCs since. True, it seems most web applications and browsers still adhere to the NCS. But in 2004 we should be discussing cookies in light of RFC 2965. This article could've existed 7 years ago.
-
Full of errors
2004-04-06 02:17:44 afindlay [Reply | View]
There are just too many errors in this article for me to trust it. Some have already been mentioned by others, but here are a few more that can easily be checked by reading the Cookie Spec referred to in the article itself:
- Cookie size limits: the specification requires 300 cookies of 4kb as the minimum limit that the browser may impose. Browsers are permitted to store more. Over-size cookies are trimmed from the end, not by removing the first bytes (doing that would corrupt the name of the cookie).
- Cookies per server or domain: the limit is not '20 per second-level domain including sub-levels'. The specification actually says: '20 cookies per server or domain. (note that completely specified hosts and domains are treated as separate entities and have a 20 cookie limitation for each, not combined)'
- The section on setting domain parameters implies that these only work in the generic top-level domains. Fortunately for non-Americans, this is not true. The specification actually requires domain values under .COM .EDU etc to have at least two dots where others are required to have at least three. This is still not ideal, but is much better than the situation presented in the article.
- 'The path cannot be changed...' Wrong again: there would be no point in having the parameter if the application could not set it! There are things to be careful of though, e.g. path is tested using a leading-substring match, so path=/foo will match a URL pathname /foobar as well as /foo/baz
- Cookie Attacks: the example attack code just redefines the cookie called John 20 times over. To set 20 cookies it would need to give each one a different name.
It is not exactly helpful to end up with 'Until then, be careful' without also giving people some idea of how to be careful! 'Good system use policies' are indeed a good thing, but in this case, what are they??
Andrew Findlay
-
Misleading
2004-04-02 11:50:06 ryantate [Reply | View]
The article is titled "Cookie Specification Vulnerabilities." But it specifies just one actual "vulnerability," which isn't a security threat, just a headache: an untrusted web page can essentially clear out your existing cookies.
As for the hard work of actual summarizing cookie vulnerabilities for a large audience -- the ostensible point of the article -- the writer punts and merely states, "If you refer to an archive of security papers devoted to cookies vulnerabilities of many versions of the different browsers, you won't feel so safe, although you will know better know what to protect yourself from."
Alexander, if I wanted to delve into security papers on cookies, I wouldn't read your article in the first place. Don't waste my time.
-
So?
2004-04-02 10:57:39 hejazzman [Reply | View]
So? The examples point nothing special or dangerous.
The problems the article associates with cookies (such as bugs in the cookie specification) are not any different than hypothetical bugs in the implementation choosen browser. So, ok, if there are bugs, cookies may not be secure.
So what?
-
Misleading examples?
2004-04-02 03:25:48 fagzal [Reply | View]
I think your first two examples might be misleading.
Sensible websites do not store sensible informations in cookies: a HTTPS website storing private data in cookies is a total disaster anyways. If it did that, it might as well send back your credit card information to you via e-mail. I think this is rather a programming mistake than a cookie vulnerabity: even SSH is not secure if you use a one letter password (note: as one of our clients did some time ago :-)). A decent programmer must know how cookies work, and use them accordingly - e.g. use them for setting up sessions. Probably this is what the moral of your article should have been :-)
Also, as Raju has written, your comment on gTLDs is a little confusing: the domain can be any domain, including ccTLDs. (What is a "regional zone"?)
- Cs.
-
Mistakes?
2004-04-01 23:18:16 rajuvarghese1 [Reply | View]
I noticed two things in your article that I believe are mistakes:
1. In the sentence "We will not consider client-side solutions, ... that your hosting provider may not make available". Didn't you mean server-side solutions?
2. When explaining the domain key word in the cookie header, you say "This works only with COM, EDU, NET, ORG, GOV, MIL, and INT. It does not work in regional or other zones". Is this really true? Do you mean to say that cookie headers that contain the domain keyword if the domain is "mp3.ru" for example will not set a cookie?
Raju
Do lazy web application developers often make common mistakes such as not limiting a cookie's domain to the absolute minimal scope necessary? Yes. Are bugs occasionally found in Internet Explorer relating to cookie security? You bet. But there are so many more important security concerns to consider that preaching this kind of cookie paranoia is just ridiculous.
In short, get an open source browser. Otherwise count on everything you do on the web, whether or not you disable cookies, to be exploitable somehow by some known or soon to be discovered bug.
While you're at it, get an open source operating system, too. Otherwise count on everything you do on your computer to be accessable through some known or soon to be discovered exploit.
I'm not saying open source is safe either, just a whole helluvalot safer. I'm close to as paranoid as they come, but I have no problem with my setting of "accept all cookies" in my Firefox browser or lack of firewall on my FreeBSD workstation. (Oh God, don't even let me get started on the latest 'firewall' snake oil fad. Don't get me wrong, the right kind of firewall serves a purpose at the right place in your network, but when various "personal firewall for Windows" products are being touted as the answer to all your security woes, and selling like hotcakes, you have to wonder about the inharent flaws in how the whole situation is being approached. Darn it, I went and did get started.)