Most of you probably manage various web applications that use cookies and possibly SSL to provide security for connectivity. If so, you need to know how your applications handle any cookies that are set during an SSL connection. If you haven't secured the cookies, your entire application could be vulnerable to session hijacking attacks.
When a web application sets a cookie, at least a few parameters are required, including a path relative to the website, the site domain name, and an expiration date. Other parameters can be provided, including a 'secure' flag that defines whether the cookie should be sent only over SSL connections. If that flag isn't set, then a browser could be tricked into sending the cookie over a regular clear-text HTTP connection, at which point anyone sniffing network traffic might be able to harvest the cookie and use it however they see fit. That's exactly the type of attack outlined by Sandro Gauci of EnableSecurity in his Surf Jacking paper, available at the URL below. http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
In a nutshell, an attacker scenario works like this: A user opens website "ABC" in a browser window and logs in over an SSL session. Website ABC sets a session cookie without the secure flag set. The user then opens a new browser window and goes to website "XYZ." Website XYZ sends a redirect message telling the browser to go back to Website ABC, but instead of instructing the browser to connect using HTTPS the redirect instructs the browser to use regular HTTP. When the browser connects to site ABC using HTTP, it sends its session cookie. An attacker sniffing traffic grabs the cookie, adds it to his or her owner browser, and is then able to connect to site ABC posing as the legitimate user. That's obviously not good.
One might think that surely major web service providers have taken steps to prevent such an attack, but as it turns out that's not the case across the board. According to Gauci, several sites were vulnerable to the attack at the time he published his paper. Those sites included Google Gmail, Salesforce.com, Skype, GoDaddy, a couple of unnamed banks, and one online bookstore. Wow.
Gauci developed some example code, written in the Python scripting language, that you can download and try out for yourself. The script works over wired and wireless networks. You can get a copy of the script at the URL below. http://code.google.com/p/surfjack
So how do you determine whether the code in your web applications sets the secure flag for cookies? One way is to somehow examine the source code, depending on what tools you have available. What you need to look for depends on the programming language. If your code is written in PHP, look for instances of the session_set_cookie_params() function, which might look something like the following example:
You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor?
Register now
An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...
Let Your Users Reset Their Own Passwords: Free Download Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.
Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!
Deep Dive into VMware vSphere, eLearning Series Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Register
