SlideShare a Scribd company logo

Defcon 22-david-wyde-client-side-http-cookie-security

Priyanka Aash, profile picture
Priyanka Aash

Cookies stored by web browsers can be easily stolen, as most browsers store them in plaintext. Popular browsers like Firefox store cookies in SQLite databases, Internet Explorer in text files, and Opera and Safari in custom binary formats - all of which can be read easily by tools or code. Chromium encrypts cookies on Windows, Mac, and Linux, but cookies can still be decrypted on Linux. Physical access, social engineering, malware, and other attacks can steal browser cookies. Defenses include disk encryption, application firewalls, SELinux, and a master password for cookies.

Technology
1 of 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Client-Side HTTP Cookie Security: Attack and Defense David Wyde DEF CON 22
Game Plan •  Why are HTTP cookies valuable to attackers? •  How do popular web browsers store cookies? •  How can cookies be stolen? •  How can cookies be protected?
Disclaimers •  The opinions in this presentation are mine, and not my employer’s. •  The security issues I discuss are not specific to any one website, and are not vulnerabilities in the conventional sense.
What is an HTTP Cookie? •  Cookies are transmitted as HTTP headers •  Name-value pairs •  HTTP clients store state using cookies •  E.g., trade credentials for a session cookie
Cookies in Action
User-Readable Data •  Any process that runs as your user can read: •  Your private keys •  Some software saves passwords as plaintext •  Web browser cookies •  Damage is done without privilege escalation
Cookies Are Valuable to Attackers •  Cookies can be more valuable than passwords •  Gmail: bypass two-factor authentication •  Facebook: don't warn of login from a new device •  Counterpoints •  "Please re-enter your password” •  Cookies expire
Gmail: Two-Factor Authentication
Facebook: New Login Email
Browser Cookie Storage
Cookie Storage: Intro •  Almost all browsers store cookies as plaintext •  The HttpOnly and Secure flags apply inside browsers •  Malware need not respect them
Firefox •  Stores cookies in an SQLite database •  Cookies can be read using sqlite3, Python, etc.
Reading Firefox Cookies $ sqlite3 ~/Library/Application Support/Firefox/Profiles/*/cookies.sqlite SQLite version 3.7.13 2012-07-17 17:46:21 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .schema CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement)); CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, appId, inBrowserElement); sqlite> SELECT value FROM moz_cookies WHERE name='GX'; DQAAAPEAAABWYmsr2PFvwQi4XhQWYcw_5coZVfjh-efmKTNeLjyLx04sHi_Ih- xMOsSRaZ6J38QzDGyCt5v6DKYkkoc6TeX8QKuaOPSAqqGTEo4v2Y6kvmzlS-SvdU4zTcuJ- z4uCf7uiZ7Ic- H6U5Mt7leqmsDhQeEoL01z5OF6iLoxUeCHU_91eWrA2bOpU8ppqVjutpi4WVhyqLV7WX6hgSnE kWnpsN-XwcDF84V7u0DrlKCQFupzmCfa3nt_tARY-SxbyNrmY_0rH4YF- xBVvPFXBQpKqUZrW_zMdGmWgmPER_7mBTGXtlh9PM5nCP_bw09oIqXrQb_OhHe7c3AnnIg2EIq g
Internet Explorer •  Stores cookies as text files •  The folder varies depending on IE version •  Filenames are random: need to read the files
Reading Internet Explorer Cookies
Opera and Safari •  Custom binary formats •  Can be parsed by free software tools •  Safari: Cookies.binarycookies •  Opera: cookies4.dat
Reading Safari Cookies $ python ~/Desktop/BinaryCookieReader.py ~/Library/ Cookies/Cookies.binarycookies | grep yahoo Cookie : hpc=d=ItIKgZXDu9Pkv2_sEb7ygoVyN9bHZ2mmjnr8eBC8z9Ynw88Tayw 7ixgQfT4vleMQ56bGUussxMNmYBusbq3RHgXIkea3DhM.Yzckc.y6GAQE iJoPoK1DzyvYg1cyBoMWlZccOkvv7wvPUmDHnNk1uyiJwon3_YjfMMyCX stKdmUKmePy_Wn04tFoVbui1wlLTuSpqTw-&v=2; domain=.www.yahoo.com; path=/; expires=Wed, 15 Jul 2015; Cookie : B=2b26v3t9s955p&b=3&s=oh; domain=.yahoo.com; path=/; expires=Fri, 15 Jul 2016; Cookie : CRZY=%7B%221048616551%22%3A%7B%22expires %22%3A1405564858541%2C%22data%22%3A%7B%22nv%22%3A1%2C %22bn%22%3A0%7D%7D%7D; domain=.yahoo.com; path=/; expires=Thu, 17 Jul 2014;
Reading Opera Cookies $ python opera_reader.py ~/.opera/cookies4.dat file_version_number 4096 app_version_number 8193 idtag_length 1 length_length 2 domain record [('0x1e', 'name of the domain part', 3, 'org')] end of path record domain record [('0x1e', 'name of the domain part', 8, 'slashdot')] cookie record [('0x10', 'name of the cookie', 6, '__gads'), ('0x11', 'value of the cookie', 69, 'ID=2628549bf6c27042:T=1405392507:S=ALNI_Maix2zTTIQ4159AfUM0tH p7h_ODgQ'), ('0x12', 'expiry', 8, '2016-07-13 21:48:27'), ('0x13', 'last used', 8, '2014-07-14 21:49:28'), ('0x28', 'unknown cookie data id', 8, 'x00x00x00x00x00x00x00x00'), ('0xa9', 'unknown cookie data id', 0, '')]
Chromium •  Encrypts cookies in recent versions •  Implementation and security vary by platform •  Stores cookies in an SQLite database •  BLOB field for encrypted cookie values
Chromium on Linux •  Linux has no single standard keyring mechanism •  (KDE, Gnome, etc.) •  Cookies encrypted with AES (symmetric key) •  Hard-coded key and salt •  Can be decrypted on any machine •  Link against Chromium libs, call code to decrypt
Reading Chromium Cookies: Linux
Reading Chromium Cookies: Linux [david@localhost Desktop]$ python chromium_b64_cookie_linux.py djEwXgab42ZPnVqGRirZqEHsvEN8bC/ chT84CbmJxMSJDr6XA7mQLZdCuLwYSNA6srVf7NDn7rHdBOFJf8SX4jdCxlQhcrUGH +0KzFz +hUxUcgRzy6jWEZyAe4QDegh1YGtfdCGiZ2TgHkEifJ0Mojf4VpuKhFw7SVpCzCorz86JF czNpco7LZwM/xng7UPmVEY4sIQwAGlTXoY9ThgaliP8HGviwkK0ozW9/FMUiGaxBIqDD +FSfsGszckv9zRbK8XL2PbHVslRmG2ENQ8wESu2Czajb20BQ+L3dMRvOcVbW+gwt+H/ cBG23dnjnhFxGcvm9DSDyz87o5ssILocgMT+kddTBCG8ohvy7iNE3njT6WOFktK8Hd/ +rhSUarnCtZt9UB1EZtikWbpqn0PKrVCKn0wVpO4oyeDIe96xEesn/IM= david@computer /d/code/snickerdoodle/chromium-linux $ LD_LIBRARY_PATH=/d/code/lib/chromium/src/out/Release/lib ./ base64_reader $(cat fedora-cookie.txt) DQAAANMAAAD55DvOAnmlugeHzwGKs0asFxYtMfXl- Xdg7MtLYmdj5GDI3iyPh70Ds6OKgogfATna2KV9d7JqZxJ5e7SA- sbH1oxvQFs1WsFo_9WzEfj9VamEV5C0uml6tVuzhIGzrrKM0__0SI6QANb-y- qyM3QJSKCB7QrXR_Ug7lFzjibDW7Fsfg15SUCTmfQz9YLBP4oYSOt_pJRVf5XZgbN_2J- KQzBqtZznZwKVE4TatBaAucT- R9jXnjM5aMdoJvr7ubghi0p1m7yvPevqNNRItPkeB5aV_cPXHKRMjwhAAk6_2w
Chromium on Windows •  CryptProtectData is used to encrypt •  A Windows cryptography API •  Uses login credentials as part of the encryption •  CryptUnprotectData is used to decrypt •  Must be called by the user that encrypted, on the same machine
Chromium on Mac •  Store an encryption key in the system keychain •  If no key exists, a random one is generated •  AES is used to encrypt/decrypt •  Keychain prompts when accessed from unsigned apps
Reading Chromium Cookies: Mac
Browser Cookie Storage: Summary •  Chromium encrypts cookies on Windows and Mac •  Chromium obfuscates cookies on Linux •  Other popular browsers store cookies as plaintext
Attack Vectors
Physical Access •  Cookies are there for the taking with most browsers •  Chromium protects you on Windows and Mac
Social Engineering •  Excel/Word macros •  Malicious executables •  Don't need to install anything - just run once
Malware •  Drop and run an executable to extract cookies •  Metasploit •  Any process that runs as your user •  HTTP POST cookies to a malicious server
Proof of Concept
Proof of Concept: Login
Defenses
Disk Encryption •  Protect against physical access to plaintext cookies
Application Firewalls •  Block/allow (server, port) pairs for each application •  Chromium can access www.google.com on port 443 •  Examples •  Mac: Little Snitch •  Windows: NetLimiter? •  Linux: ?
Little Snitch
SELinux •  Security-Enhanced Linux •  Separate from standard Unix permissions •  Can isolate a user’s applications from each other
Idea: Master Password for Cookies •  Type in a password to decrypt your cookies •  Firefox has this to protect passwords
Firefox: Master Password
Server-Side Defenses •  Tie a session cookie to the login IP •  The cPanel web hosting tool can optionally enforce this •  Kind of annoying in a world of mobile clients •  Warn users, rather than force them to log in again •  “You’ve logged in from X and Y countries this month”
Conclusions •  Cookies should be handled with care •  Client-side cookie security is not a solved problem
References •  Opera reader: https://gist.github.com/gwarser/1324501#file-readcookies-py •  Safari reader: http://www.securitylearn.net/2012/10/27/cookies-binarycookies- reader/ •  Firefox master password: http://kb.mozillazine.org/Master_password •  cPanel cookie IP validation: http://www.cpanelkb.net/cpanel-security-settings-checklist/ •  CryptProtectData (Microsoft documentation): http://msdn.microsoft.com/en-us/library/aa922939.aspx

More Related Content

PDF
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
PDF
Defcon 22-metacortex-grifter-darkside-of-the-internet
Priyanka Aash
 
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
PDF
Internal Pentest: from z3r0 to h3r0
marcioalma
 
PDF
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
 
PPTX
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
PDF
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Shakacon
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
Defcon 22-metacortex-grifter-darkside-of-the-internet
Priyanka Aash
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Shakacon
 
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 

What's hot (20)

PDF
Web security for developers
Sunny Neo
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
PPTX
Заполучили права администратора домена? Игра еще не окончена
Positive Hack Days
 
PPTX
Sticky Keys to the Kingdom
Dennis Maldonado
 
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
PDF
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
PPTX
Offensive Python for Pentesting
Mike Felch
 
PDF
1000 to 0
Sunny Neo
 
PPTX
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
PDF
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
PDF
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
PDF
Wi-Fi Hotspot Attacks
Greg Foss
 
PPTX
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PDF
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
PDF
Attacker's Perspective of Active Directory
Sunny Neo
 
PDF
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch
 
PPTX
Outlook and Exchange for the bad guys
Nick Landers
 
PDF
CNIT 128: Android Implementation Issues (Part 2)
Sam Bowne
 
Web security for developers
Sunny Neo
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Заполучили права администратора домена? Игра еще не окончена
Positive Hack Days
 
Sticky Keys to the Kingdom
Dennis Maldonado
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
Offensive Python for Pentesting
Mike Felch
 
1000 to 0
Sunny Neo
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
Wi-Fi Hotspot Attacks
Greg Foss
 
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Attacker's Perspective of Active Directory
Sunny Neo
 
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch
 
Outlook and Exchange for the bad guys
Nick Landers
 
CNIT 128: Android Implementation Issues (Part 2)
Sam Bowne
 
Ad

Viewers also liked (20)

PDF
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Priyanka Aash
 
PDF
Defcon 22-nir-valtman-a-journey-to-protect-pos
Priyanka Aash
 
PDF
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
PDF
Network Forensics and Practical Packet Analysis
Priyanka Aash
 
PDF
Risk Analysis using open FAIR and Adoption of right Security Controls
Priyanka Aash
 
PPTX
Practical Applications of Block Chain Technologies
Priyanka Aash
 
PDF
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Priyanka Aash
 
PDF
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Priyanka Aash
 
PDF
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash
 
PDF
Defcon 22-rmellendick-dakahuna-rf-penetration-testing-your-a
Priyanka Aash
 
PDF
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
PDF
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
PDF
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
PDF
Defcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fi
Priyanka Aash
 
PDF
Defcon 22-anton-sapozhnikov-acquire-current-user-hashes-with
Priyanka Aash
 
PPTX
Keynote Session : The Non - Evolution of Security
Priyanka Aash
 
PDF
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash
 
PPTX
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Priyanka Aash
 
PDF
Workshop on Endpoint Memory Forensics
Priyanka Aash
 
PDF
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Priyanka Aash
 
Defcon 22-nir-valtman-a-journey-to-protect-pos
Priyanka Aash
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Network Forensics and Practical Packet Analysis
Priyanka Aash
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Priyanka Aash
 
Practical Applications of Block Chain Technologies
Priyanka Aash
 
Defcon 22-deviant-ollam-and-howard-payne-elevator hacking-fr
Priyanka Aash
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Priyanka Aash
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash
 
Defcon 22-rmellendick-dakahuna-rf-penetration-testing-your-a
Priyanka Aash
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash
 
Defcon 22-phil-polstra-cyber-hijacking-airplanes-truth-or-fi
Priyanka Aash
 
Defcon 22-anton-sapozhnikov-acquire-current-user-hashes-with
Priyanka Aash
 
Keynote Session : The Non - Evolution of Security
Priyanka Aash
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash
 
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Priyanka Aash
 
Workshop on Endpoint Memory Forensics
Priyanka Aash
 
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Ad

Similar to Defcon 22-david-wyde-client-side-http-cookie-security (20)

PPTX
Cookies and sessions
Sukrit Gupta
 
PDF
Cookie replay attack unit wise presentation
Nilu Desai
 
PPTX
Overview of Cookies in HTTP - Miran al Mehrab
Cefalo
 
PDF
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
PPTX
Cookies: HTTP state management mechanism
Jivan Nepali
 
PPT
Presentation on Internet Cookies
Ritika Barethia
 
PPT
Cookies and sessions
Lena Petsenchuk
 
PPT
Cookies
Creative Secondary School
 
PPTX
Cookie testing
BugRaptors
 
PPTX
Backend Technologies Notes ajef;asnfkndfdsa
itsmepulkitsharma
 
PPTX
Cookies
Mansour027
 
PDF
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
 
PPTX
Internet Cookies
anita gouda
 
PPT
16 cookies
Abhijit Gaikwad
 
PPTX
WORKING WITH IN COOKIES JAVA SEMINAR.pptx
nandhini342004
 
PDF
Active Https Cookie Stealing
SecurityTube.Net
 
PPTX
Carla Ollé Vera and Aida Pooladian - Cookies and privacy: What do they do wit...
BOBCATSSS 2017
 
PPT
Internet cookies
Abhi Bhardwaj
 
PPTX
Working with in cookies java seminar.pptx
nandhini342004
 
PPTX
Advance java session 7
Smita B Kumar
 
Cookies and sessions
Sukrit Gupta
 
Cookie replay attack unit wise presentation
Nilu Desai
 
Overview of Cookies in HTTP - Miran al Mehrab
Cefalo
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
Cookies: HTTP state management mechanism
Jivan Nepali
 
Presentation on Internet Cookies
Ritika Barethia
 
Cookies and sessions
Lena Petsenchuk
 
Cookies
Creative Secondary School
 
Cookie testing
BugRaptors
 
Backend Technologies Notes ajef;asnfkndfdsa
itsmepulkitsharma
 
Cookies
Mansour027
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
 
Internet Cookies
anita gouda
 
16 cookies
Abhijit Gaikwad
 
WORKING WITH IN COOKIES JAVA SEMINAR.pptx
nandhini342004
 
Active Https Cookie Stealing
SecurityTube.Net
 
Carla Ollé Vera and Aida Pooladian - Cookies and privacy: What do they do wit...
BOBCATSSS 2017
 
Internet cookies
Abhi Bhardwaj
 
Working with in cookies java seminar.pptx
nandhini342004
 
Advance java session 7
Smita B Kumar
 

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
KodekX | Application Modernization Development
KodekX
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 

Defcon 22-david-wyde-client-side-http-cookie-security

  • 1. Client-Side HTTP Cookie Security: Attack and Defense David Wyde DEF CON 22
  • 2. Game Plan •  Why are HTTP cookies valuable to attackers? •  How do popular web browsers store cookies? •  How can cookies be stolen? •  How can cookies be protected?
  • 3. Disclaimers •  The opinions in this presentation are mine, and not my employer’s. •  The security issues I discuss are not specific to any one website, and are not vulnerabilities in the conventional sense.
  • 4. What is an HTTP Cookie? •  Cookies are transmitted as HTTP headers •  Name-value pairs •  HTTP clients store state using cookies •  E.g., trade credentials for a session cookie
  • 6. User-Readable Data •  Any process that runs as your user can read: •  Your private keys •  Some software saves passwords as plaintext •  Web browser cookies •  Damage is done without privilege escalation
  • 7. Cookies Are Valuable to Attackers •  Cookies can be more valuable than passwords •  Gmail: bypass two-factor authentication •  Facebook: don't warn of login from a new device •  Counterpoints •  "Please re-enter your password” •  Cookies expire
  • 11. Cookie Storage: Intro •  Almost all browsers store cookies as plaintext •  The HttpOnly and Secure flags apply inside browsers •  Malware need not respect them
  • 12. Firefox •  Stores cookies in an SQLite database •  Cookies can be read using sqlite3, Python, etc.
  • 13. Reading Firefox Cookies $ sqlite3 ~/Library/Application Support/Firefox/Profiles/*/cookies.sqlite SQLite version 3.7.13 2012-07-17 17:46:21 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .schema CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement)); CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, appId, inBrowserElement); sqlite> SELECT value FROM moz_cookies WHERE name='GX'; DQAAAPEAAABWYmsr2PFvwQi4XhQWYcw_5coZVfjh-efmKTNeLjyLx04sHi_Ih- xMOsSRaZ6J38QzDGyCt5v6DKYkkoc6TeX8QKuaOPSAqqGTEo4v2Y6kvmzlS-SvdU4zTcuJ- z4uCf7uiZ7Ic- H6U5Mt7leqmsDhQeEoL01z5OF6iLoxUeCHU_91eWrA2bOpU8ppqVjutpi4WVhyqLV7WX6hgSnE kWnpsN-XwcDF84V7u0DrlKCQFupzmCfa3nt_tARY-SxbyNrmY_0rH4YF- xBVvPFXBQpKqUZrW_zMdGmWgmPER_7mBTGXtlh9PM5nCP_bw09oIqXrQb_OhHe7c3AnnIg2EIq g
  • 14. Internet Explorer •  Stores cookies as text files •  The folder varies depending on IE version •  Filenames are random: need to read the files
  • 16. Opera and Safari •  Custom binary formats •  Can be parsed by free software tools •  Safari: Cookies.binarycookies •  Opera: cookies4.dat
  • 17. Reading Safari Cookies $ python ~/Desktop/BinaryCookieReader.py ~/Library/ Cookies/Cookies.binarycookies | grep yahoo Cookie : hpc=d=ItIKgZXDu9Pkv2_sEb7ygoVyN9bHZ2mmjnr8eBC8z9Ynw88Tayw 7ixgQfT4vleMQ56bGUussxMNmYBusbq3RHgXIkea3DhM.Yzckc.y6GAQE iJoPoK1DzyvYg1cyBoMWlZccOkvv7wvPUmDHnNk1uyiJwon3_YjfMMyCX stKdmUKmePy_Wn04tFoVbui1wlLTuSpqTw-&v=2; domain=.www.yahoo.com; path=/; expires=Wed, 15 Jul 2015; Cookie : B=2b26v3t9s955p&b=3&s=oh; domain=.yahoo.com; path=/; expires=Fri, 15 Jul 2016; Cookie : CRZY=%7B%221048616551%22%3A%7B%22expires %22%3A1405564858541%2C%22data%22%3A%7B%22nv%22%3A1%2C %22bn%22%3A0%7D%7D%7D; domain=.yahoo.com; path=/; expires=Thu, 17 Jul 2014;
  • 18. Reading Opera Cookies $ python opera_reader.py ~/.opera/cookies4.dat file_version_number 4096 app_version_number 8193 idtag_length 1 length_length 2 domain record [('0x1e', 'name of the domain part', 3, 'org')] end of path record domain record [('0x1e', 'name of the domain part', 8, 'slashdot')] cookie record [('0x10', 'name of the cookie', 6, '__gads'), ('0x11', 'value of the cookie', 69, 'ID=2628549bf6c27042:T=1405392507:S=ALNI_Maix2zTTIQ4159AfUM0tH p7h_ODgQ'), ('0x12', 'expiry', 8, '2016-07-13 21:48:27'), ('0x13', 'last used', 8, '2014-07-14 21:49:28'), ('0x28', 'unknown cookie data id', 8, 'x00x00x00x00x00x00x00x00'), ('0xa9', 'unknown cookie data id', 0, '')]
  • 19. Chromium •  Encrypts cookies in recent versions •  Implementation and security vary by platform •  Stores cookies in an SQLite database •  BLOB field for encrypted cookie values
  • 20. Chromium on Linux •  Linux has no single standard keyring mechanism •  (KDE, Gnome, etc.) •  Cookies encrypted with AES (symmetric key) •  Hard-coded key and salt •  Can be decrypted on any machine •  Link against Chromium libs, call code to decrypt
  • 22. Reading Chromium Cookies: Linux [david@localhost Desktop]$ python chromium_b64_cookie_linux.py djEwXgab42ZPnVqGRirZqEHsvEN8bC/ chT84CbmJxMSJDr6XA7mQLZdCuLwYSNA6srVf7NDn7rHdBOFJf8SX4jdCxlQhcrUGH +0KzFz +hUxUcgRzy6jWEZyAe4QDegh1YGtfdCGiZ2TgHkEifJ0Mojf4VpuKhFw7SVpCzCorz86JF czNpco7LZwM/xng7UPmVEY4sIQwAGlTXoY9ThgaliP8HGviwkK0ozW9/FMUiGaxBIqDD +FSfsGszckv9zRbK8XL2PbHVslRmG2ENQ8wESu2Czajb20BQ+L3dMRvOcVbW+gwt+H/ cBG23dnjnhFxGcvm9DSDyz87o5ssILocgMT+kddTBCG8ohvy7iNE3njT6WOFktK8Hd/ +rhSUarnCtZt9UB1EZtikWbpqn0PKrVCKn0wVpO4oyeDIe96xEesn/IM= david@computer /d/code/snickerdoodle/chromium-linux $ LD_LIBRARY_PATH=/d/code/lib/chromium/src/out/Release/lib ./ base64_reader $(cat fedora-cookie.txt) DQAAANMAAAD55DvOAnmlugeHzwGKs0asFxYtMfXl- Xdg7MtLYmdj5GDI3iyPh70Ds6OKgogfATna2KV9d7JqZxJ5e7SA- sbH1oxvQFs1WsFo_9WzEfj9VamEV5C0uml6tVuzhIGzrrKM0__0SI6QANb-y- qyM3QJSKCB7QrXR_Ug7lFzjibDW7Fsfg15SUCTmfQz9YLBP4oYSOt_pJRVf5XZgbN_2J- KQzBqtZznZwKVE4TatBaAucT- R9jXnjM5aMdoJvr7ubghi0p1m7yvPevqNNRItPkeB5aV_cPXHKRMjwhAAk6_2w
  • 23. Chromium on Windows •  CryptProtectData is used to encrypt •  A Windows cryptography API •  Uses login credentials as part of the encryption •  CryptUnprotectData is used to decrypt •  Must be called by the user that encrypted, on the same machine
  • 24. Chromium on Mac •  Store an encryption key in the system keychain •  If no key exists, a random one is generated •  AES is used to encrypt/decrypt •  Keychain prompts when accessed from unsigned apps
  • 26. Browser Cookie Storage: Summary •  Chromium encrypts cookies on Windows and Mac •  Chromium obfuscates cookies on Linux •  Other popular browsers store cookies as plaintext
  • 28. Physical Access •  Cookies are there for the taking with most browsers •  Chromium protects you on Windows and Mac
  • 29. Social Engineering •  Excel/Word macros •  Malicious executables •  Don't need to install anything - just run once
  • 30. Malware •  Drop and run an executable to extract cookies •  Metasploit •  Any process that runs as your user •  HTTP POST cookies to a malicious server
  • 34. Disk Encryption •  Protect against physical access to plaintext cookies
  • 35. Application Firewalls •  Block/allow (server, port) pairs for each application •  Chromium can access www.google.com on port 443 •  Examples •  Mac: Little Snitch •  Windows: NetLimiter? •  Linux: ?
  • 37. SELinux •  Security-Enhanced Linux •  Separate from standard Unix permissions •  Can isolate a user’s applications from each other
  • 38. Idea: Master Password for Cookies •  Type in a password to decrypt your cookies •  Firefox has this to protect passwords
  • 40. Server-Side Defenses •  Tie a session cookie to the login IP •  The cPanel web hosting tool can optionally enforce this •  Kind of annoying in a world of mobile clients •  Warn users, rather than force them to log in again •  “You’ve logged in from X and Y countries this month”
  • 41. Conclusions •  Cookies should be handled with care •  Client-side cookie security is not a solved problem
  • 42. References •  Opera reader: https://gist.github.com/gwarser/1324501#file-readcookies-py •  Safari reader: http://www.securitylearn.net/2012/10/27/cookies-binarycookies- reader/ •  Firefox master password: http://kb.mozillazine.org/Master_password •  cPanel cookie IP validation: http://www.cpanelkb.net/cpanel-security-settings-checklist/ •  CryptProtectData (Microsoft documentation): http://msdn.microsoft.com/en-us/library/aa922939.aspx