Accessing/Intercepting/Modifying HTTP Cookies
Attack Pattern ID: 31 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft
Summary
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
Attack Execution Flow
Obtain copy of cookie:
The attacker first needs to obtain a copy of the cookie. The attacker may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.
Attack Step Techniques
ID | Attack Step Technique Description | Environments |
---|---|---|
1 | Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows) | env-Web |
2 | Sniff cookie using a network sniffer such as Wireshark | env-Web |
3 | Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor. | env-Web |
4 | Steal cookie via a cross-site scripting attack. | env-Web |
5 | Guess cookie contents if it contains predictable information. | env-Web |

Indicators

ID | Type | Indicator Description | Environments |
---|---|---|---|
1 | Positive | Cookies used in web application. | env-Web |
2 | Negative | Cookies not used in web application. | env-Web |

Outcomes

ID | Type | Outcome Description |
---|---|---|
1 | Success | Cookie captured by attacker. |
2 | Failure | Cookie cannot be captured by attacker. |

Security Controls

ID | Type | Security Control Description |
---|---|---|
1 | Preventative | To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, the "secure" flag should be set on cookies (javax.servlet.http.Cookie.setSecure() in Java, secure flag in setcookie() function in php, etc.). |
Obtain sensitive information from cookie:
The attacker may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.
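A defender can run the same review over the application's own cookies before an attacker does. The following is an added example, not code from the CAPEC entry: it parses a Cookie header, undoes standard base64 encoding where it applies, and sorts each cookie into the indicator categories this step uses (random session ID only, sensitive content, or undecipherable/needs review). The sample header, the session-ID names and the sensitive-value patterns are constructed from the examples given in this step and are assumptions for illustration.

```python
import base64
import re

# Sensitive-value patterns, constructed from this step's own examples; extend per application.
SENSITIVE = {
    "account number": re.compile(r"\bACCTNO=\d+"),
    "database IP address": re.compile(r"\bDBIP=0x[0-9a-fA-F]{8}\b"),
}
# Cookie names this step lists as carrying only a random session ID.
SESSION_ID_NAMES = {"ASPSESSIONID", "JSESSIONID"}
# Constructed sample Cookie: request header; "acct" is base64 of "ACCTNO=0234234".
SAMPLE_HEADER = ("JSESSIONID=7F3A9C2E5B1D4E6F; acct=QUNDVE5PPTAyMzQyMzQ=; "
                 "DBIP=0xaf112a22; theme=dark")

def parse_cookie_header(header: str) -> dict:
    """Minimal parser for a Cookie: header of the form name=value; name=value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip('"')
    return cookies

def decode_if_base64(value: str) -> str:
    """Technique 1: undo standard base64 encoding when the value looks like it."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return value

def classify_cookie(name: str, value: str) -> tuple:
    """Technique 2, mapped to this step's indicators: Negative (opaque session
    ID only), Positive (sensitive content) or Inconclusive (needs manual review)."""
    if name.upper() in SESSION_ID_NAMES and re.fullmatch(r"[A-Za-z0-9]+", value):
        return "Negative", "random session ID only"
    plain = decode_if_base64(value)
    if not plain.isprintable():
        return "Inconclusive", "contents cannot be deciphered"
    # Search name=value so both "DBIP=0x..." and a decoded "ACCTNO=..." match.
    hits = [label for label, pat in SENSITIVE.items() if pat.search(f"{name}={plain}")]
    if hits:
        return "Positive", "contains " + ", ".join(hits)
    return "Inconclusive", "no known sensitive pattern matched; review manually"

def audit_cookie_header(header: str) -> dict:
    """Classify every cookie in a request's Cookie: header."""
    return {n: classify_cookie(n, v) for n, v in parse_cookie_header(header).items()}
```

Running `audit_cookie_header(SAMPLE_HEADER)` flags the base64-wrapped account number and the database IP as Positive, the JSESSIONID as Negative, and leaves the theme cookie for manual review.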
Attack Step Techniques
ID | Attack Step Technique Description | Environments |
---|---|---|
1 | If cookie shows any signs of being encoded using a standard scheme such as base64, decode it. | env-Web |
2 | Analyze the cookie's contents to determine whether it contains any sensitive information. | env-Web |

Indicators

ID | Type | Indicator Description | Environments |
---|---|---|---|
1 | Negative | Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.) | env-Web |
2 | Positive | Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22" -- database server's IP address). | env-Web |
3 | Inconclusive | Cookie's contents cannot be deciphered. | env-Web |

Outcomes

ID | Type | Outcome Description |
---|---|---|
1 | Success | Cookie contains sensitive information that the developer did not intend the end user to see. |
2 | Failure | Cookie does not contain any sensitive information. |

Security Controls

ID | Type | Security Control Description |
---|---|---|
3 | Preventative | Do not store sensitive information in cookies unless they are encrypted such that only the server can decrypt them. |

Modify cookie to subvert security controls:
The attacker may be able to modify or replace cookies to bypass security controls in the application.
Attack Step Techniques
ID | Attack Step Technique Description | Environments |
---|---|---|
1 | Modify logical parts of cookie and send it back to server to observe the effects. | env-Web |
2 | Modify numeric parts of cookie arithmetically and send it back to server to observe the effects. | env-Web |
3 | Modify cookie bitwise and send it back to server to observe the effects. | env-Web |
4 | Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance. | env-Web |

Outcomes

ID | Type | Outcome Description |
---|---|---|
1 | Success | Subversion of security controls on server |
2 | Failure | Cookie reset by server |

Security Controls

ID | Type | Security Control Description |
---|---|---|
1 | Detective | Web server logs contain many messages indicating that invalid cookies were received from client. |
2 | Preventative | Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code. |
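An added example (not code from the CAPEC entry) of the preventative control in this step: the cookie value carries an HMAC, so the logical, arithmetic and bitwise modifications listed as techniques 1-3 fail verification, and it also carries a per-user generation counter held server-side, so replaying an older legitimate cookie (technique 4, the "points balance" case) is rejected even though its MAC is still valid. The key, the field layout and the generation dictionary are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Constructed key for this example; a deployment loads it from a secret store.
SERVER_KEY = b"example-only-server-key"

def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_cookie(user: str, points: int, generation: int) -> str:
    """Build a cookie value of the form base64(payload).hexmac.
    `generation` is a per-user counter the server increments whenever the
    balance changes, so an older copy of the cookie stops verifying."""
    payload = f"user={user};points={points};gen={generation}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)

def verify_cookie(cookie: str, current_generation: dict) -> tuple:
    """Return (True, fields) or (False, reason); rejects tampering and replay."""
    try:
        encoded, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except ValueError:  # no separator, or bad base64 padding
        return False, "malformed"
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(_mac(payload).encode(), tag.encode()):
        return False, "bad-mac"
    fields = dict(kv.split("=", 1) for kv in payload.decode().split(";"))
    # Replay check (technique 4): a correctly signed but older cookie carries
    # a generation that no longer matches the server's record for that user.
    if int(fields["gen"]) != current_generation.get(fields["user"]):
        return False, "stale"
    return True, fields

if __name__ == "__main__":
    gens = {"alice": 7}                   # server-side per-user generation
    cookie = issue_cookie("alice", 120, 7)
    print(verify_cookie(cookie, gens))    # accepted: (True, {...})
    gens["alice"] = 8                     # balance changed, cookie reissued
    print(verify_cookie(cookie, gens))    # old copy replayed: (False, 'stale')
```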
Description
There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself, which can be exploited directly at the physical level or indirectly through XSS and phishing. The other is the man-in-the-middle attack, which relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the attacker to accomplish if no other protection mechanisms are in place.
Skill or Knowledge Level
Low: To overwrite session cookie data and submit targeted attacks via HTTP
High: Exploiting a remote buffer overflow generated by the attack
Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security patches; many exploitable buffer overflows are fixed in patches issued for the software.
1. Enables the attacker to leverage state stored in the cookie
2. Gives the attacker a vector to attack the web server and platform
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
565 | Reliance on Cookies without Validation and Integrity Checking | Targeted |
302 | Authentication Bypass by Assumed-Immutable Data | Targeted |
311 | Missing Encryption of Sensitive Data | Targeted |
113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Targeted |
539 | Information Leak Through Persistent Cookies | Targeted |
20 | Improper Input Validation | Targeted |
315 | Plaintext Storage in a Cookie | Targeted |
384 | Session Fixation | Targeted |
472 | External Control of Assumed-Immutable Web Parameter | Secondary |
724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Targeted |
602 | Client-Side Enforcement of Server-Side Security | Targeted |
642 | External Control of Critical State Data | Targeted |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials | | Mechanism of Attack (primary) 1000 |
ChildOf | Attack Pattern | 39 | Manipulating Opaque Client-based Data Tokens | | Mechanism of Attack 1000 |
ChildOf | Attack Pattern | 117 | Data Interception Attacks | | Mechanism of Attack (primary) 1000 |
ChildOf | Category | 255 | Data Structure Attacks | | Mechanism of Attack (primary) 1000 |
ChildOf | Category | 262 | Resource Manipulation | | Mechanism of Attack (primary) 1000 |
Submissions

Submitter | Organization | Date |
---|---|---|
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 |

Modifications

Modifier | Organization | Date | Comments |
---|---|---|---|
Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" |
Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise |
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Description |
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |