CAPEC-31 - Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.

The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein.

The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session.

The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.

  • Attack Methods: Modification of Resources, API Abuse, Protocol Manipulation, Time and State
  • Purposes: Exploitation
  • Scopes: Read application data (Confidentiality); Modify application data (Integrity); Gain privileges / assume identity (Authorization, Access Control, Confidentiality)

Low level: overwrite session cookie data and submit targeted attacks via HTTP

High level: exploit a remote buffer overflow generated by the attack

Target server software must be an HTTP daemon that relies on cookies.

Ability to send an HTTP request containing a cookie to the server.

Step 1 - Obtain copy of cookie

The attacker first needs to obtain a copy of the cookie. The attacker may be a legitimate end user wanting to escalate privilege, or somebody sniffing on a network to capture HTTP cookies.

Technique ID: 1 - Environment(s) env-Web

Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows)

Technique ID: 2 - Environment(s) env-Web

Sniff cookie using a network sniffer such as Wireshark

Technique ID: 3 - Environment(s) env-Web

Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor.

Technique ID: 4 - Environment(s) env-Web

Steal cookie via a cross-site scripting attack.

Technique ID: 5 - Environment(s) env-Web

Guess cookie contents if it contains predictable information.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

Cookies used in web application.

Indicator ID: 2 - Environment(s) env-Web

Type: Negative

Cookies not used in web application.


Security Control ID: 1

Type: Preventative

To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, set the secure flag on cookies so the browser only sends them over HTTPS (javax.servlet.http.Cookie.setSecure() in Java, the secure parameter of PHP's setcookie() function, etc.).


Outcome ID: 1

Type: Success

Cookie captured by attacker.

Outcome ID: 2

Type: Failure

Cookie cannot be captured by attacker.



Step 1 - Obtain sensitive information from cookie

The attacker may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users and thus may have put potentially sensitive information in them.

Technique ID: 1 - Environment(s) env-Web

If the cookie shows any signs of being encoded using a standard scheme such as base64, decode it.

Technique ID: 2 - Environment(s) env-Web

Analyze the cookie's contents to determine whether it contains any sensitive information.

Indicator ID: 1 - Environment(s) env-Web

Type: Negative

Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.)

Indicator ID: 2 - Environment(s) env-Web

Type: Positive

Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22" -- database server's IP address).

Indicator ID: 3 - Environment(s) env-Web

Type: Inconclusive

Cookie's contents cannot be deciphered.


Security Control ID: 3

Type: Preventative

Do not store sensitive information in cookies unless they are encrypted such that only the server can decrypt them.


Outcome ID: 1

Type: Success

Cookie contains sensitive information that the developer did not intend the end user to see.

Outcome ID: 2

Type: Failure

Cookie does not contain any sensitive information.


Step 2 - Modify cookie to subvert security controls.

The attacker may be able to modify or replace cookies to bypass security controls in the application.

Technique ID: 1 - Environment(s) env-Web

Modify logical parts of the cookie and send it back to the server to observe the effects.

Technique ID: 2 - Environment(s) env-Web

Modify numeric parts of the cookie arithmetically and send it back to the server to observe the effects.

Technique ID: 3 - Environment(s) env-Web

Modify the cookie bitwise and send it back to the server to observe the effects.

Technique ID: 4 - Environment(s) env-Web

Replace the cookie with an older legitimate cookie and send it back to the server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance.

Security Control ID: 1

Type: Detective

Web server logs contain many messages indicating that invalid cookies were received from client.

Security Control ID: 2

Type: Preventative

Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code.


Outcome ID: 1

Type: Success

Subversion of security controls on server

Outcome ID: 2

Type: Failure

Cookie reset by server



Design: Use input validation for cookies

Design: Generate and validate MAC for cookies

Implementation: Use SSL/TLS to protect cookie in transit

Implementation: Ensure the web server implements all relevant security patches; many exploitable buffer overflows are fixed in patches issued for the software.
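The following is an added example, not part of the CAPEC entry, showing the "Generate and validate MAC for cookies" design mitigation together with Security Control 1 (the secure flag) from Step 1. It assumes a constructed demo key, a JSON payload format and a per-user generation counter named here as an illustration; the generation counter addresses the "points balance" replay case in Step 2, which a MAC on its own does not prevent, and the HttpOnly and SameSite attributes go beyond the controls the page lists.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: a real deployment loads this from a secrets store.
SECRET_KEY = b"demo-key-for-illustration-only"

def encode_payload(payload: dict) -> str:
    """Canonical JSON, URL-safe base64: the part of the cookie the browser can read."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()

def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Cookie value = body '.' base64(HMAC-SHA256(key, body))."""
    body = encode_payload(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()

def verify_cookie(value: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload only if the MAC verifies; any edit to body or tag gives None."""
    body, sep, tag_b64 = value.rpartition(".")
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64.encode())
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # compare_digest is constant-time and tolerates a length mismatch.
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None

def check_points_cookie(value: str, current_gen: int,
                        key: bytes = SECRET_KEY) -> Optional[dict]:
    """A valid MAC does not stop replay of an older signed cookie (Step 2, Technique 4).
    The server keeps a per-user generation counter (assumed here), bumps it on every
    balance change, and rejects any cookie carrying a stale generation."""
    data = verify_cookie(value, key)
    if data is None or data.get("gen") != current_gen:
        return None
    return data

def set_cookie_header(name: str, value: str) -> str:
    """Secure: browser sends the cookie only over HTTPS (Security Control 1).
    HttpOnly keeps page script from reading it; SameSite limits cross-site sending."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"
```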