CS 155

Spring 2013

Web Session Management

Dan Boneh

Same origin policy:

high level

Review: Same Origin Policy (SOP) for DOM:

n

Origin A can access origin Bs DOM if match on

(scheme, domain, port)

Today: Same Original Policy (SOP) for cookies:
n

Generally speaking, based on:

([scheme], domain, path)

optional

scheme://domain:port/path?params

Setting/deleting cookies by server

Browser GET

HTTP Header: Set-cookie: NAME=VALUE ; domain = (when to send) ; scope if expires=NULL: path = (when to send) this session only secure = (only send over SSL); expires = (when expires) ; HttpOnly

Server

Delete cookie by setting expires to date in past Default scope is domain and path of setting URL

Scope setting rules

(write SOP)

domain: any domain-suffix of URL-hostname, except TLD example: host = login.site.com allowed domains login.site.com .site.com disallowed domains user.site.com othersite.com .com

login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .stanford.edu path: can be set to anything

Cookies are identified by (name,domain,path)

cookie 1 name = userid value = test domain = login.site.com path = / secure cookie 2 name = userid value = test123 domain = .site.com path = / secure

distinct cookies

" Both cookies stored in browsers cookie jar;

both are in scope of login.site.com

Reading cookies on server

Browser GET //URL-domain/URL-path Cookie: NAME = VALUE

(read SOP)

Server

Browser sends all cookies in URL scope:

cookie-domain is domain-suffix of URL-domain, and cookie-path is prefix of URL-path, and [protocol=HTTPS if cookie is secure]
Goal: server only sees cookies in its scope

Examples
both set by login.site.com

cookie 1 name = userid value = u1 domain = login.site.com path = / secure http://checkout.site.com/ http://login.site.com/ https://login.site.com/

cookie 2 name = userid value = u2 domain = .site.com path = / non-secure

cookie: userid=u2 cookie: userid=u2 cookie: userid=u1; userid=u2

(arbitrary order)

Client side read/write:

document.cookie

" Setting a cookie in Javascript:

document.cookie = name=value; expires=;

" Reading a cookie: alert(document.cookie)

prints string containing all cookies available for document (based on [protocol], domain, path)

" Deleting a cookie:

document.cookie = name=; expires= Thu, 01-Jan-70

document.cookie often used to customize page in Javascript

Javascript URL

javascript: alert(document.cookie)

Displays all cookies for current document

Viewing/deleting cookies in Browser UI

Cookie protocol problems

Server is blind: n Does not see cookie attributes (e.g. secure) n Does not see which domain set the cookie

Server only sees:

Cookie: NAME=VALUE

Example 1: login server problems

Alice logs in at
login.site.com login.site.com sets session-id cookie for .site.com

Alice visits evil.site.com

overwrites .site.com session-id cookie with session-id of user badguy

Alice visits cs155.site.com

to submit homework. cs155.site.com thinks it is talking to badguy

Problem: cs155 expects session-id from login.site.com; cannot tell that session-id cookie was overwritten

Example 2: secure cookies are not secure

" Alice logs in at
https://www.google.com/accounts

" Alice visits

n

http://www.google.com (cleartext) Network attacker can inject into response Set-Cookie: LSID=badguy; secure and overwrite secure cookie

" Problem: network attacker can re-write HTTPS cookies !

HTTPS cookie value cannot be trusted

Interaction with the DOM SOP

Cookie SOP: x.com/A path separation does not see cookies of x.com/B

Not a security measure: DOM SOP: x.com/A has access to DOM of x.com/B Path separation is done for efficiency not security: x.com/A is only sent the cookies it needs <iframe src=x.com/B"></iframe> alert(frames[0].document.cookie);

Cookies have no integrity !!

Storing security data on browser?

User can change and delete cookie values !!

Edit cookie file (FF3: cookies.sqlite) Modify Cookie header (FF: TamperData extension)

Silly example: shopping cart software

Set-cookie: shopping-cart-total = 150 ($)

User edits cookie file (cookie poisoning):

Cookie: shopping-cart-total = 15 ($) Similar to problem with hidden fields
<INPUT TYPE=hidden NAME=price VALUE=150>
16

Historical problems
" " " " " " " " " " " " " "
Source:

(circa 2000)

D3.COM Pty Ltd: ShopFactory 5.8 @Retail Corporation: @Retail Adgrafix: Check It Out Baron Consulting Group: WebSite Tool ComCity Corporation: SalesCart Crested Butte Software: EasyCart Dansie.net: Dansie Shopping Cart Intelligent Vending Systems: Intellivend Make-a-Store: Make-a-Store OrderPage McMurtrey/Whitaker & Associates: Cart32 3.0 pknutsen@nethut.no: CartMan 1.04 Rich Media Technologies: JustAddCommerce 5.0 SmartCart: SmartCart Web Express: Shoptron 1.2
http://xforce.iss.net/xforce/xfdb/4621
17

Solution: cryptographic checksums

Goal: data integrity Requires secret key k unknown to browser
Generate tag: T F(k, value) Browser Set-Cookie: NAME= Cookie: NAME = value value T
?

Server

Verify tag: T = F(k, value) value should also contain data to prevent cookie replay and swap

Example:
n n

.NET 2.0

System.Web.Configuration.MachineKey
Secret web server key intended for cookie protection Stored on all web servers in site Creating an encrypted cookie with integrity:

HttpCookie cookie = new HttpCookie(name, val);

HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie);

Decrypting and validating an encrypted cookie:

HttpSecureCookie.Decode (cookie);
19

Session managemnt

Sessions
" A sequence of requests and responses from
one browser to one (or more) sites n Session can be long (Gmail) or short
n

without session mgmt: users would have to constantly re-authenticate

" Session mgmt:

n n

Authorize user once; All subsequent requests are bound to user

Pre-history: HTTP auth

HTTP request: GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required

Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

HTTP auth problems

" Hardly used in commercial sites
n

User cannot log out other than by closing browser w What if user has multiple accounts? w What if multiple users on same computer? Site cannot customize password dialog Confusing dialog to users Easily spoofed Defeated using a TRACE HTTP request
(on old browsers)

n n

Session tokens
Browser GET /index.html set anonymous session token GET /books.html anonymous session token POST /do-login Username & password elevate to a logged-in session token POST /checkout logged-in session token check credentials (later) Web Site

Validate token

Storing session tokens:

Lots of options (but none are perfect)
Browser cookie:
Set-Cookie: SessionToken=fduhye63sfdb

Embedd in all URL links:

https://site.com/checkout ? SessionToken=kh7y3b

In a hidden form field:

<input type=hidden value=kh7y3b>
Window.name DOM property

name=sessionid

Storing session tokens: problems

Browser cookie:
browser sends cookie with every request, even when it should not (CSRF)

Embed in all URL links:

token leaks via HTTP Referer header

In a hidden form field:

short sessions only

Best answer: a combination of all of the above.

The HTTP referer header

Referer leaks URL session token to 3rd parties

SESSION HIJACKING
Attacker waits for user to login; then attacker obtains users Session Token and hijacks session

1.

Predictable tokens

" Example:

counter (Verizon Wireless) user logs in, gets counter value, can view sessions of other users weak MAC (WSJ) token = {userid, MACk(userid) } Weak MAC exposes k from few cookies.

" Example:
n n

Session tokens must be unpredicatble to attacker: " Apache Tomcat: generateSessionID()

n

Use underlying MD5(PRG) framework. but weak PRG [GM05]. n Predictable SessionID s Rails: token = MD5( current time, random nonce )

2. Cookie theft
" Example 1:
n n

login over SSL, but subsequent HTTP

What happens at wireless Caf ? (e.g. Firesheep) Other reasons why session token sent in the clear: w HTTPS/HTTP mixed content pages at site w Man-in-the-middle attacks on SSL Cross Site Scripting (XSS) exploits

" Example 2:

" Amplified by poor logout procedures:

n

Logout must invalidate token on server

Session fixation attacks

" Suppose attacker can set the users session token:
n n

For URL tokens, trick user into clicking on URL For cookie tokens, set using XSS exploits (say, using URL tokens)

" Attack:
1. 2. 3.

Attacker gets anonymous session token for site.com Sends URL to user with attackers session token User clicks on URL and logs into site.com w this elevates attackers token to logged-in token Attacker uses elevated token to hijack users session.

4.

Session fixation: lesson

When elevating user from anonymous to logged-in, always issue a new session token

Once user logs in, token changes and is unknown to attacker Attackers token is not elevated.

In the limit: assign new SessionToken after every request

Revoke session if a replay is detected.

Generating session tokens

Goal: prevent hijacking and avoid fixation

Option 1: minimal client-side state

" SessionToken = [random unpredictable string]
(no data embedded in token)

Server stores all data associated to SessionToken: userid, login-status, login-time, etc.

" Can result in server overhead:

n

When multiple web servers at site, lots of database lookups to retrieve user state.

Option 2: lots of client-side state

SessionToken:
SID = [ userID, exp. time, data] where data = (capabilities, user data, ...) SessionToken = Enc-then-MAC (k, SID)
(as in CS255)

k: key known to all web servers in site.

" Server must still maintain some user state:

e.g.

logout status

(should be checked on every request)

Note that nothing binds SID to clients machine

Binding SessionToken to clients computer; mitigating cookie theft

approach: embed machine specific data in SID

" Client IP Address:

n n

Will make it harder to use token at another machine But honest client may change IP addr during session w client will be logged out for no reason.

" Client user agent:

n

A weak defense against theft, but doesnt hurt.

" SSL session key:

n

Same problem as IP address

(and even worse)

The Logout Process

Web sites provide a logout function: Functionality: let user to login as different user Security: prevent other from abusing account What happens during logout: 1. Delete SessionToken from client 2. Mark session token as expired on server Problem: many web sites do (1) but not (2) !!

Enables persistent attack on sites that do

login over HTTPS, but use over HTTP

Sites with Improper Logout

health.google.com healthvault.com Linkedin Yahoo Hotmail/MSN blogger.com Ebay Flicker wordpress.com IMDB ask.com cnn.com conduit.com megaupload.com mediafire.com 4shared.com cnet.com weather.com imageshack.com OpenMR View and edit record View and edit health record Editing and saving profile Accessing and sending emails Accessing and sending emails Posting a blog post Bidding on an auction Uploading photos Posting a blog post Editing and saving profile Editing and saving profile Editing and saving profile Editing and saving profile Uploading files Uploading files Uploading files Editing and saving profile Editing and saving profile Uploading photos Accessing, changing medical records

THE END