1 of 94

Web Security

Week 2 - DNS, Cookies, Sessions

Old Dominion University

Department of Computer Science

CS 433/533 Fall 2024

Michael L. Nelson <mln@cs.odu.edu>

2024-09-02

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

2 of 94

DNS


3 of 94

Resolving hostnames


scorpii:/home/mln % nslookup stanford.edu
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: stanford.edu
Address: 171.67.215.200

scorpii:/home/mln % nslookup odu.edu
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: odu.edu
Address: 128.82.112.29

mln2@Michaels-MacBook-Air ~ % nslookup stanford.edu
Server: 2001:578:3f::30
Address: 2001:578:3f::30#53

Non-authoritative answer:
Name: stanford.edu
Address: 171.67.215.200

mln2@Michaels-MacBook-Air ~ % nslookup odu.edu
Server: 2001:578:3f::30
Address: 2001:578:3f::30#53

Non-authoritative answer:
Name: odu.edu
Address: 128.82.112.29


4 of 94

Resolving hostnames


scorpii:/home/mln % cd /etc
scorpii:/etc % more hosts
127.0.0.1 localhost
172.18.12.33 scorpii.infra.cs.odu.edu scorpii

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

scorpii:/etc % more /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search infra.cs.odu.edu cs.odu.edu


5 of 94

On my iPhone


6 of 94

Domain Name System


7 of 94

Domain Name System


8 of 94

Domain Name System


9 of 94

DNS Recursive Resolution


10 of 94

DNS Recursive Resolution


11 of 94

DNS Recursive Resolution


12 of 94

DNS Recursive Resolution


13 of 94

DNS Recursive Resolution


14 of 94

DNS Recursive Resolution


15 of 94

DNS Recursive Resolution


16 of 94

DNS Recursive Resolution


17 of 94

DNS Recursive Resolution


18 of 94

DNS Recursive Resolution


19 of 94

DNS Recursive Resolution


20 of 94

DNS Recursive Resolution


21 of 94

DNS Resolution Before HTTP Connections


22 of 94

DNS Resolution Before HTTP Connections


23 of 94

DNS Resolution Before HTTP Connections


24 of 94

DNS Resolution Before HTTP Connections


25 of 94

DNS Resolution Before HTTP Connections


26 of 94

DNS Hijacking

  • Attacker changes DNS records of target to point to own IP address
  • All site visitors are directed to attacker's web server
  • Motivation
    • Phishing
    • Revenue through ads, cryptocurrency mining, etc.
  • How do they do it?


27 of 94

DNS Hijacking


28 of 94

DNS Hijacking


29 of 94

DNS Hijacking


30 of 94

DNS Hijacking


31 of 94

DNS Hijacking


32 of 94

DNS attacks won’t go away


33 of 94

DNS hijack from your ISP


I was going to show an example from cox.net (my home provider), but now it seems like they no longer do this?


34 of 94

DNS Privacy

  • Queries are in plaintext
  • ISPs have been known to sell this data
  • Pro tip: Consider switching your DNS settings to Cloudflare (1.1.1.1) or another provider with a good privacy policy


35 of 94

DNS over HTTPS


36 of 94

More curl… curl is important...


canis:/home/mln % curl -v -I https://www.odu.edu/
* Trying 128.82.112.29...
* TCP_NODELAY set
* Connected to www.odu.edu (128.82.112.29) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: serialNumber=232982; jurisdictionC=US; jurisdictionST=Virginia; businessCategory=Government Entity; C=US; postalCode=23529; ST=VA; L=Norfolk; street=4600 Elkhorn Ave; O=Old Dominion University; OU=ITS; OU=COMODO EV Multi-Domain SSL; CN=www.odu.edu
* start date: Jun 5 00:00:00 2019 GMT
* expire date: Jun 4 23:59:59 2021 GMT
* subjectAltName: host "www.odu.edu" matched cert's "www.odu.edu"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Extended Validation Secure Server CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.odu.edu
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 28 Jan 2021 16:52:04 GMT
Date: Thu, 28 Jan 2021 16:52:04 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
< Vary: Host
Vary: Host
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Connection: close
Connection: close
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Set-Cookie: BIGipServerWEB_HTTPS_PROD.app~WEB_HTTPS_PROD_pool_campus=rd627o00000000000000000000ffff8052619fo80; path=/; Httponly; Secure
Set-Cookie: BIGipServerWEB_HTTPS_PROD.app~WEB_HTTPS_PROD_pool_campus=rd627o00000000000000000000ffff8052619fo80; path=/; Httponly; Secure
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

Slide callouts labelling the phases of the transcript on this slide: TCP, DNS, TLS, HTTP Request, HTTP Response.


37 of 94

We now have a better definition of what is “the web”


38 of 94

HTTP Proxies

  • Can cache content
  • Can block content (e.g., malware, adult content)
  • Can modify content
  • Can sit in front of many servers ("reverse proxy")


39 of 94

HTTP with a proxy server


40 of 94

HTTP with a proxy server


41 of 94

HTTP with a proxy server


42 of 94

HTTP with a proxy server


43 of 94

Web stack


44 of 94

Putting it together


45 of 94

Putting it together


46 of 94

Putting it together


47 of 94

Putting it together


48 of 94

Putting it together


49 of 94

Putting it together


50 of 94

Putting it together


51 of 94

Putting it together


52 of 94

Putting it together


53 of 94

HTTP is stateless


Each of these requests is independent of the previous one; by default, the server doesn’t remember.


54 of 94

Cookies


55 of 94

Why “cookies”?


56 of 94

Real world opaque data structures


57 of 94

Cookies in the wild


% curl -I https://www.odu.edu/
HTTP/1.1 200 OK
Date: Thu, 28 Jan 2021 04:30:58 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Vary: Host
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerWEB_HTTPS_PROD.app~WEB_HTTPS_PROD_pool_int=rd741o00000000000000000000ffff8052619eo80; path=/; Httponly; Secure

% curl -I https://www.google.com/
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Thu, 28 Jan 2021 04:34:47 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Thu, 28 Jan 2021 04:34:47 GMT
cache-control: private
set-cookie: 1P_JAR=2021-01-28-04; expires=Sat, 27-Feb-2021 04:34:47 GMT; path=/; domain=.google.com; Secure
set-cookie: NID=208=cOFUezC7N6Pxds_6eh3UEYUw17ON0B78ja0GYq8ZIGvg8dqlfuS1NZS5kCJK0QEtciSRWceu0ZFPHS7WMd-2xcKsF_3BWgdOUcKBGNW9mcwH6_1WWnaoTY4k-ugIG_JzvtQCSMr5Naonq-gkTf6KCmYuy_AwJenAiEN89KNC-TY; expires=Fri, 30-Jul-2021 04:34:47 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"


58 of 94

Cookies are opaque: don’t parse them, just send them back


% curl -I https://www.google.com/
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Thu, 28 Jan 2021 04:48:50 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Thu, 28 Jan 2021 04:48:50 GMT
cache-control: private
set-cookie: 1P_JAR=2021-01-28-04; expires=Sat, 27-Feb-2021 04:48:50 GMT; path=/; domain=.google.com; Secure
set-cookie: NID=208=FZPAg05u4KrLWrvHY6rT-g47xszZmSuF1IUZBMQkKGGzcXcNKB5cWk6DrnMlijEqlwXCx5-D8K486Db6hwf_mRTpR2Za5ho2MyGQWut_40vQxgnh3eKN28a5Yw6_LwysvSIaaTz9s6lyhzK9J3b3VmhUlVkaopJo57XBcccXFS8; expires=Fri, 30-Jul-2021 04:48:50 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

mln2@Michaels-MacBook-Air ~ % curl -I -H "Cookie: 1P_JAR=2021-01-28-04" -H "Cookie: NID=208=FZPAg05u4KrLWrvHY6rT-g47xszZmSuF1IUZBMQkKGGzcXcNKB5cWk6DrnMlijEqlwXCx5-D8K486Db6hwf_mRTpR2Za5ho2MyGQWut_40vQxgnh3eKN28a5Yw6_LwysvSIaaTz9s6lyhzK9J3b3VmhUlVkaopJo57XBcccXFS8" https://www.google.com/
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
date: Thu, 28 Jan 2021 04:49:29 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Thu, 28 Jan 2021 04:49:29 GMT
cache-control: private
set-cookie: 1P_JAR=2021-01-28-04; expires=Sat, 27-Feb-2021 04:49:29 GMT; path=/; domain=.google.com; Secure
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

see also: “--cookie” and “--cookie-jar”


59 of 94

Finding your cookies


60 of 94

Cookies can implement sessions


61 of 94

Cookies allow state to be passed between the user-agent and server

  • Cookies are used by the server to implement sessions
  • Goal: Server keeps a set of data related to a user's current "browsing session"
  • Examples
    • Logins
    • Shopping carts
    • User tracking


62 of 94

Session skeleton


First HTTP request:

POST /login HTTP/1.1
Host: example.com

username=alice&password=password

HTTP response:

HTTP/1.1 200 OK
Set-Cookie: username=alice
Date: Tue, 24 Sep 2019 20:30:00 GMT

<!DOCTYPE html …

All future HTTP requests:

GET /page.html HTTP/1.1
Host: example.com
Cookie: username=alice;

Note: in this example and in class demos, the cookies are readable. In real life, they’re opaque and only make sense to the server.


63 of 94

Ambient Authority

  • Access control - Regulate who can view resources or take actions
  • Ambient authority - Access control based on a global and persistent property of the requester
  • The alternative is explicit authorization valid only for a specific action
  • There are four types of ambient authority on the web
    • Cookies - most common, most versatile method
    • IP checking - library checks if you’re on odu.edu network
    • Built-in HTTP authentication - rarely used
    • Client certificates - rarely used


64 of 94

Quick primer: signature schemes

  • Triple of algorithms (G, S, V)
    • G() → (pk, sk) - generator returns public key and secret key
    • S(sk, x) → t - signing returns a tag t for input x
    • V(pk, x, t) → accept|reject - checks validity of tag t for given input x
  • Correctness property
    • V(pk, x, S(sk, x)) = accept should always be true
  • Security property
    • V(pk, x, t) = accept should almost never be true when x and t are chosen by the attacker


65 of 94

Login and session


66 of 94

Login and session


67 of 94

Login and session


68 of 94

Login and session


69 of 94

Login and session


70 of 94

Login and session


71 of 94

Login and session


72 of 94

Login and session


73 of 94

Login and session


74 of 94

Login and session


75 of 94

Login and session


76 of 94

Login and session


77 of 94

If I know the cookie, I can be Alice


the cookie is the state -- if I steal this cookie, I can steal your session


78 of 94

History of Cookies

  • Implemented in 1994 in Netscape and described in 4-page draft
  • No spec for 17 years
    • Attempt made in 1997, but made incompatible changes (RFC 2109)
    • Another attempt in 2000 ("Cookie2", RFC 2965), same problem
    • Around 2011, another effort succeeded (RFC 6265)
  • Ad-hoc design has led to interesting issues


79 of 94

Cookie attributes

  • Expires - Specifies expiration date. If no date, then lasts for session
  • Path - Scope the "Cookie" header to a particular request path prefix
    • e.g. Path=/docs will match /docs and /docs/Web/
    • Optimization only; do not use for security!
  • Domain - Allows the cookie to be scoped to a domain broader than the domain that returned the Set-Cookie header
    • e.g. login.stanford.edu could set a cookie for stanford.edu


canis:/home/mln % curl -I --silent https://www.google.com/ | grep -i "Cookie:"
set-cookie: 1P_JAR=2021-01-28-17; expires=Sat, 27-Feb-2021 17:08:10 GMT; path=/; domain=.google.com; Secure
set-cookie: NID=208=QRqrD9wX6KJLXX5RH-pr8Q0UhqskKCjSAmnutkMRHT-QeI8E6pq3M5MVjIttWZBB4hXvoDUEubm0sv-n2ukDb43qt1Q8sk5qijlm9597Z0A5Xij8BooOLE7Dewr5Z21s97V5gR1ovSWCKbHJm7npE_X1sKkkVHTCEuOwEMLoKlM; expires=Fri, 30-Jul-2021 17:08:10 GMT; path=/; domain=.google.com; HttpOnly


80 of 94

How long do cookies last?

  • Sites can set Expires to a very far-future date and the cookie will last until the user clears it.
    • 2007: "The Google Blog announced that Google will be shortening the expiration date of its cookies from the year 2038 to a two-year life cycle." – Search Engine Land
  • When Expires not specified, lasts for current browser session
    • Caveat: Browsers do session restoring, so can last way longer


81 of 94

Server can reset (delete) the cookie

  • Set cookie with same name and an expiration date in the past
    • cf. Unix epoch
  • Cookie value can be omitted; from previous google.com example:


set-cookie: NID=; expires=Thu, 01 Jan 1970 00:00:00 GMT;


82 of 94

Use dev tools to access, set, delete cookies in your browser


83 of 94

Session hijacking

  • Sending cookies over unencrypted HTTP is a very bad idea
    • If anyone sees the cookie, they can use it to hijack the user's session
    • Attacker sends victim's cookie as if it was their own
    • Server will be fooled -- it only “knows” about you via the cookie


84 of 94

A nice session


85 of 94

A nice session


86 of 94

A nice session


87 of 94

Steal your cookie


88 of 94

Steal your cookie


89 of 94

Steal your cookie


90 of 94

Steal your cookie


91 of 94

Session hijacking mitigation

  • Use Secure cookie attribute to prevent cookie from being sent over unencrypted HTTP connections
    • Set-Cookie: key=value; Secure
  • Even better: Use HTTPS for entire website


canis:/home/mln % curl -I --silent \
http://www.google.com/ | grep -i "Secure"
set-cookie: 1P_JAR=2021-01-28-17; expires=Sat, 27-Feb-2021 17:52:32 GMT; path=/; domain=.google.com; Secure

canis:/home/mln % curl -I http://vt.edu
HTTP/1.1 301 Moved Permanently
Date: Thu, 28 Jan 2021 17:36:58 GMT
Server: Apache
Location: https://vt.edu/
Cache-Control: max-age=600
Expires: Thu, 28 Jan 2021 17:46:58 GMT
Content-Type: text/html; charset=iso-8859-1

canis:/home/mln % curl -I www.odu.edu
HTTP/1.0 301 Moved Permanently
Location: https://www.odu.edu/
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
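What a user agent does with the cookie attributes from the slides (Expires, including a past date that deletes the cookie; Path prefix matching; Domain scoping; and the Secure attribute that keeps a cookie off plain-http requests), as an added example in Node.js that is not code from the slides or the course. The cookie jar, its function names and the sample Set-Cookie lines are constructed for this example; it also rejects a Set-Cookie whose Domain does not cover the responding host, a rule the slides do not cover explicitly.

```javascript
// Added example, not code from the slides or the course's bank-*.js files: a
// minimal client-side cookie jar that parses Set-Cookie headers the way a user
// agent does and decides which stored cookies go back in the Cookie request
// header. Sample headers below are constructed for this example.

function parseSetCookie(line) {
  const parts = line.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const c = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    path: '/', domain: null, hostOnly: true, expires: null,
    secure: false, httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const v = rest.join('=').trim();
    if (key === 'path' && v.startsWith('/')) c.path = v;
    else if (key === 'domain' && v) { c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'expires') c.expires = new Date(v); // unparsable date: cookie never expires
    else if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
  }
  return c;
}

function domainMatches(host, c) {
  return c.hostOnly ? host === c.domain : host === c.domain || host.endsWith('.' + c.domain);
}

// Path=/docs matches /docs and /docs/Web/, as on the slides.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  const prefix = cookiePath.endsWith('/') ? cookiePath : cookiePath + '/';
  return reqPath.startsWith(prefix);
}

class CookieJar {
  constructor() { this.cookies = new Map(); } // keyed by name|domain|path

  // Store (or, for a past Expires such as the Unix epoch, delete) cookies set by a response to `url`.
  store(url, setCookieLines, now = new Date()) {
    const host = new URL(url).hostname.toLowerCase();
    for (const line of setCookieLines) {
      const c = parseSetCookie(line);
      if (c.hostOnly) c.domain = host;
      else if (!domainMatches(host, c)) continue; // a server cannot set cookies for unrelated domains
      const key = `${c.name}|${c.domain}|${c.path}`;
      if (c.expires && c.expires <= now) this.cookies.delete(key);
      else this.cookies.set(key, c);
    }
  }

  // Build the Cookie header a request to `url` would carry ('' if nothing applies).
  cookieHeader(url, now = new Date()) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    const https = u.protocol === 'https:';
    const sent = [];
    for (const c of this.cookies.values()) {
      if (c.expires && c.expires <= now) continue;
      if (c.secure && !https) continue; // the Secure attribute: never over unencrypted HTTP
      if (!domainMatches(host, c) || !pathMatches(u.pathname, c.path)) continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}

// Constructed sample: one login response, then a logout response that resets the session cookie.
const SAMPLE_SET_COOKIES = [
  'session=abc123; Path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT; Secure; HttpOnly',
  'prefs=dark; Path=/docs; Domain=.example.com',
  'tracker=xyz; Domain=.other.test', // off-domain: must be rejected
];

function demo() {
  const jar = new CookieJar();
  const now = new Date('2024-09-02T00:00:00Z');
  jar.store('https://www.example.com/login', SAMPLE_SET_COOKIES, now);
  const r = {
    httpsRoot: jar.cookieHeader('https://www.example.com/', now),        // 'session=abc123'
    httpRoot: jar.cookieHeader('http://www.example.com/', now),          // '' (Secure cookie withheld)
    docsSub: jar.cookieHeader('https://api.example.com/docs/Web/', now), // 'prefs=dark'
    stored: jar.cookies.size,                                             // 2
  };
  jar.store('https://www.example.com/logout', ['session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/'], now);
  r.afterLogout = jar.cookieHeader('https://www.example.com/', now);     // ''
  return r;
}
```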


92 of 94

Setting up the world’s worst bank with node.js


93 of 94

Use npm, included in the node.js distribution, to install packages you don’t have


$ node bank-02.js
internal/modules/cjs/loader.js:883
    throw err;
    ^

Error: Cannot find module 'cookie-parser'
Require stack:
- /Users/mln/Desktop/cs595-s21/cs595-s21/slides/code/bank-02.js
    at Function.Module._resolveFilename
[lots of error messages deleted]
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/Users/mln/Desktop/cs595-s21/cs595-s21/slides/code/bank-02.js' ]
}

$ npm install cookie-parser
npm WARN code@1.0.0 No description
npm WARN code@1.0.0 No repository field.

+ cookie-parser@1.4.5
added 1 package from 2 contributors and audited 51 packages in 2.992s
found 0 vulnerabilities

$ node bank-02.js


94 of 94

Who are Alice and Bob?!
