DanBoneh

Web Security: Session Management

CS155

DanBoneh

Sameoriginpolicy:reviewReview:SameOriginPolicy(SOP)forDOM:

–OriginAcanaccessoriginB’sDOMifmatchon(scheme,domain,port)

Thislecture:SameOriginalPolicy(SOP)forcookies:

– Basedon:([scheme], domain,path)

optional

scheme://domain:port/path?params

DanBoneh

scope

Setting/deleting cookies by server

Default scope is domain and path of setting URL

Browser ServerGET …

HTTP Header:Set-cookie: NAME=VALUE ;

domain = (when to send) ;path = (when to send)secure = (only send over SSL);expires = (when expires) ;HttpOnlySameSite = [lax | strict]

ifexpires=NULL:thissessiononly

ifexpires=pastdate:browserdeletescookie

weakXSSdefense

weakCSRFdefense

DanBoneh

Scope setting rules (write SOP)

domain:anydomain-suffixofURL-hostname,exceptTLD

example:host=“login.site.com”

• login.site.com cansetcookiesforallof.site.com butnotforanothersiteorTLD

Problematicforsiteslike.stanford.edu (andsomehostingcenters)

path:canbesettoanything

allowed domainslogin.site.com

.site.com

disallowed domainsother.site.comothersite.com

.com

DanBoneh

Cookies are identified by (name,domain,path)

Both cookies stored in browser’s cookie jarboth are in scope of login.site.com

cookie 1name = useridvalue = testdomain = login.site.compath = /secure

cookie 2name = useridvalue = test123domain = .site.compath = /secure

distinctcookies

DanBoneh

Reading cookies on server (read SOP)

BrowsersendsallcookiesinURLscope:

• cookie-domainisdomain-suffixofURL-domain,and

• cookie-pathisprefixofURL-path,and

• [protocol=HTTPSifcookieis“secure”]

Goal:serveronlyseescookiesinitsscope

Browser ServerGET//URL-domain/URL-pathCookie:NAME=VALUE

DanBoneh

Examples

http://checkout.site.com/http://login.site.com/https://login.site.com/

cookie1name=useridvalue=u1domain=login.site.compath=/secure

cookie2name=useridvalue=u2domain=.site.compath=/non-secure

both set by login.site.com

cookie:userid=u2cookie:userid=u2cookie:userid=u1;userid=u2

DanBoneh

Clientsideread/write:document.cookieSettingacookieinJavascript:

document.cookie=“name=value;expires=…;”

Readingacookie: alert(document.cookie)prints stringcontainingallcookiesavailablefordocument(basedon[protocol],domain,path)

Deletingacookie:document.cookie=“name=;expires=Thu,01-Jan-70”

HttpOnly cookies:notincludedindocument.cookie

DanBoneh

javascript: alert(document.cookie)

Javascript URL

Displays all cookies for current document

DanBoneh

Viewing/deleting cookies in Browser UI

DanBoneh

Cookieprotocolproblems

DanBoneh

Cookie protocol problemsServerisblind:

– Doesnotseecookieattributes(e.g.secure,HttpOnly)– Doesnotseewhichdomainsetthecookie

Serveronlysees: Cookie:NAME=VALUE

DanBoneh

Example 1: login server problems1. Alicelogsinatlogin.site.com

login.site.com setssession-idcookiefor.site.com

2.Alicevisitsevil.site.comoverwrites.site.com session-idcookiewithsession-idofuser“badguy”

3.Alicevisitscourse.site.com tosubmithomeworkcourse.site.com thinksitistalkingto“badguy”

Problem:course.site.com expectssession-idfromlogin.site.com;cannottellthatsession-idcookiewasoverwritten

DanBoneh

Example 2: “secure” cookies are not secureAlicelogsinathttps://accounts.google.com

Alicevisitshttp://www.google.com (cleartext)• Networkattackercaninjectintoresponse

Set-Cookie:SSID=badguy;secureandoverwritesecurecookie

Problem:networkattackercanre-writeHTTPScookies!• HTTPScookievaluecannotbetrusted

set-cookie:SSID=A7_ESAgDpKYk5TGnf;Domain=.google.com;Path=/;Expires=Wed,09-Mar-202618:35:11GMT;Secure;HttpOnly

set-cookie:SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com;Path=/;Expires=Wed,09-Mar-202618:35:11GMT;Secure

DanBoneh

Interaction with the DOM SOPCookieSOPpathseparation:

x.com/A doesnotseecookiesofx.com/B

Notasecuritymeasure:x.com/A hasaccesstoDOMofx.com/B

<iframe src=“x.com/B"></iframe>

alert(frames[0].document.cookie);

Pathseparationisdoneforefficiencynotsecurity:x.com/Aisonlysentthecookiesitneeds

DanBoneh

Cookies have no integrityUsercanchangeanddeletecookievalues

• Editcookiedatabase(FF:cookies.sqlite)• ModifyCookieheader(FF:TamperData extension)

Sillyexample:shoppingcartsoftwareSet-cookie: shopping-cart-total=150 ($)

Usereditscookiefile(cookiepoisoning):Cookie: shopping-cart-total=15 ($)

Similarproblemwithhiddenfields<INPUTTYPE=“hidden”NAME=priceVALUE=“150”>

16

DanBoneh17

Not so silly … (old)

• D3.COM Pty Ltd: ShopFactory 5.8• @Retail Corporation: @Retail• Adgrafix: Check It Out• Baron Consulting Group: WebSite Tool • ComCity Corporation: SalesCart• Crested Butte Software: EasyCart• Dansie.net: Dansie Shopping Cart• Intelligent Vending Systems: Intellivend• Make-a-Store: Make-a-Store OrderPage• McMurtrey/Whitaker & Associates: Cart32 3.0 • pknutsen@nethut.no: CartMan 1.04 • Rich Media Technologies: JustAddCommerce 5.0 • SmartCart: SmartCart• Web Express: Shoptron 1.2

Source:http://xforce.iss.net/xforce/xfdb/4621

DanBoneh

Solution: cryptographic checksums

Bindingtosession-id(SID)makesithardertoreplayoldcookies

Goal:dataintegrityRequiresserver-sidesecretkeykunknowntobrowser

Browser Server kSet-Cookie:NAME= value T

Cookie:NAME= value T

Generate tag: T ⟵ MACsign(k, SID ll name ll value )

Verify tag: MACverify(k, SID ll name ll value, T)

DanBoneh19

Example: ASP.NETSystem.Web.Configuration.MachineKey

– Secretwebserverkeyintendedforcookieprotection

Creatinganencryptedcookiewithintegrity:

HttpCookie cookie =new HttpCookie(name, val);HttpCookie encodedCookie=

HttpSecureCookie.Encode (cookie);

Decryptingandvalidatinganencryptedcookie:

HttpSecureCookie.Decode (cookie);

DanBoneh

SessionManagement

DanBoneh

SessionsAsequenceofrequestsandresponsesfromonebrowsertoone(ormore)sites

– Sessioncanbelong(e.g.Gmail)orshort– withoutsessionmgmt:

userswouldhavetoconstantlyre-authenticate

Sessionmgmt:authorizeuseronce;– Allsubsequentrequestsaretiedtouser

DanBoneh

Pre-history: HTTP authHTTP request: GET /index.htmlHTTP response contains:

WWW-Authenticate: Basic realm="Password Required“

Browsers sends hashed password on all subsequent HTTP requests:Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

DanBoneh

HTTP auth problemsHardlyusedincommercialsites:

• Usercannotlogoutotherthanbyclosingbrowser– Whatifuserhasmultipleaccounts?multipleusersonsamemachine?

• Sitecannotcustomizepassworddialog

• Confusingdialogtousers

• Easilyspoofed

DanBoneh

Session tokensBrowser

GET/index.html

setanonymoussessiontoken

GET/books.htmlanonymoussessiontoken

POST/do-loginUsername&password

elevatetoalogged-insessiontoken

POST/checkoutlogged-insessiontoken

checkcredentials(crypto)

Validatetoken

website

DanBoneh

Storing session tokens: Lots of options (but none are perfect)

Browsercookie:Set-Cookie:SessionToken=fduhye63sfdb

EmbedinallURLlinks:https://site.com/checkout?SessionToken=kh7y3b

Inahiddenformfield:<inputtype=“hidden”name=“sessionid” value=“kh7y3b”>

DanBoneh

Storing session tokens: problemsBrowsercookie:browsersendscookiewitheveryrequest,

evenwhenitshouldnot(CSRF)

EmbedinallURLlinks:tokenleaksviaHTTPReferer header

Inahiddenformfield:doesnotworkforlong-livedsessions

Bestanswer:acombinationofalloftheabove.

(orifuserpostsURLinapublicblog)

DanBoneh

The HTTP referer header

Referer leaksURLsessiontokento3rd parties

Referer supression:• notsentwhenHTTPSsitereferstoanHTTPsite• inHTML5:<a rel=”noreferrer” href=www.example.com>

DanBoneh

The Logout ProcessWebsitesmustprovidealogoutfunction:• Functionality:letusertologinasdifferentuser• Security:preventothersfromabusingaccount

Whathappensduringlogout:1.DeleteSessionToken fromclient2.Marksessiontokenasexpiredonserver

Problem:manywebsitesdo(1)butnot(2)!!⇒ EspeciallyriskyforsiteswhofallbacktoHTTPafterlogin

DanBoneh

Sessionhijacking

DanBoneh

SessionhijackingAttackerwaitsforusertologin

thenattackerstealsuser’sSessionTokenand“hijacks” session

⇒ attackercanissuearbitraryrequestsonbehalfofuser

Example:FireSheep [2010]

FirefoxextensionthathijacksFacebooksessiontokensoverWiFi.Solution:HTTPSafterlogin

DanBoneh

Beware: Predictable tokensExample1: counter

⇒ userlogsin,getscountervalue,canviewsessionsofotherusers

Example2:weakMAC.token={ userid,MACk(userid)}• WeakMACexposes k fromfewcookies.

ApacheTomcat:generateSessionId()• ReturnsrandomsessionID[serverretrievesclientstatebasedonsess-id]

DanBoneh

Sessiontokensmustbeunpredictabletoattacker

Togenerate:useunderlyingframework(e.g.ASP,Tomcat,Rails)

Rails:token=MD5(currenttime,randomnonce )

DanBoneh

Beware:SessiontokentheftExample1:loginoverHTTPS,butsubsequentHTTP• EnablescookietheftatwirelessCafé (e.g.Firesheep)• Otherwaysnetworkattackercanstealtoken:

– SitehasmixedHTTPS/HTTPpages⇒ tokensentoverHTTP– Man-in-the-middleattacksonSSL

Example2:CrossSiteScripting(XSS)exploits

Amplifiedbypoorlogoutprocedures:– Logoutmustinvalidatetokenonserver

DanBoneh

Mitigating SessionToken theft by binding SessionToken to client’s computer

ClientIPaddr:makesithardertousetokenatanothermachine– ButhonestclientmaychangeIPaddr duringsession

• clientwillbeloggedoutfornoreason.

Clientuseragent: weakdefenseagainsttheft,butdoesn’thurt.

SSLsessionid:sameproblemasIPaddress(andevenworse)

Acommonidea:embedmachinespecificdatainSID

DanBoneh

SessionfixationattacksSupposeattackercansettheuser’ssessiontoken:• ForURLtokens,trickuserintoclickingonURL• Forcookietokens,setusingXSSexploits

Attack:(say,usingURLtokens)

1. Attackergetsanonymoussessiontokenforsite.com

2. SendsURLtouserwithattacker’ssessiontoken

3. UserclicksonURLandlogsintosite.com– thiselevatesattacker’stokentologged-intoken

4. Attackeruseselevatedtokentohijackuser’ssession.

DanBoneh

Sessionfixation:lesson

When elevating user from anonymous to logged-in:

always issue a new session token

After login, token changes to value unknown to attacker

⇒ Attacker’s token is not elevated.

DanBoneh

Summary

• Alwaysassumecookiedataretrievedfromclientisadversarial

• Sessiontokensaresplitacrossmultipleclientstatemechanisms:– Cookies,hiddenformfields,URLparameters– Cookiesbythemselvesareinsecure(CSRF,cookieoverwrite)– Sessiontokensmustbeunpredictableandresisttheftbynetworkattacker

• Ensurelogoutinvalidatessessiononserver

DanBoneh

THEEND