Web应用中Cookie相关安全问题研究——学习笔记

[Toc]

Cookie基础

• 用于保持HTTP会话状态/缓存信息
• 由服务器/浏览器（脚本）写入
• Server:
• Set-Cookie: user=bob; domain=.bank.com; path=/;
• JS:
  document.cookie=“user=bob; domain=.bank.com; path=/;”;
• 存储于浏览器/传输于HTTP头部
  • HTTP头中
    • Cookie: user=bob; cart=books;
  • JS读取:
    • console.log(document.cookie);写时带属性，读时无属性
• 属性
  • name/domain/path/httponly/secure/expire …
• 三元组
  • [name, domain, path]：确定唯一Cookie name, domain, path任一不同，则Cookie不同
    • Server————————————————————Browser

      • Set-Cookie: session=bob; domain=.bank.com; path=/; session=bob;

      • Set-Cookie: session=alice; domain=.bank.com; path=/ ;session=alice;

      • Set-Cookie: session=jack; domain=.bank.com; path=/pay;session=alice; session=jack;

Cookie泄露

图片.png

Cookie泄露:HTTPS保护

图片.png

Cookie基础：同源策略（SOP）

• Web SOP: [protocol, domain, port]

  • http://www.bank.com
  • http://www.bank.com:8080
  • https://www.bank.com

• 非同源（受SOP隔离保护）

• Cookie SOP: [domain, path]

  • 仅以domain/path作为同源限制
  • 不区分端口
  • 不区分HTTP / HTTPS
    • Cookie: session=secret; domain=.bank.com; path=/;
    • http://bank.com
    • https://bank.com

Cookie SOP：Domain向上通配

• 在对Cookie读写时，以“通配”的方式判断Domain是否有效
  • 写入：
• 当页面为 http://www.bank.com 时：
  • Set-Cookie: user1=aaa; domain=.bank.com; path=/;接受
  • Set-Cookie: user2=bbb; domain=www.bank.com; path=/;接受
  • Set-Cookie: user3=ccc; domain=.www.bank.com; path=/;接受
  • Set-Cookie: user4=ddd; domain=other.bank.com; path=/;拒绝
  • 读取：
  • 访问 http://www.bank.com
    • Cookie: user1=aaa; user2=bbb; user3=ccc;
  • 访问 http://user.bank.com
    • Cookie: user1=aaa;

Cookie SOP：Path向下（后）通配

• Set-Cookie: session=bob; domain=.bank.com; path=/;
• Set-Cookie: cart=books; domain=.bank.com; path=/buy/;
  • http://bank.com/
  • Cookie: session=bob;
  • http://bank.com/buy/
  • Cookie: session=bob; cart=books;

Cookie泄露：HTTPS Session

图片.png

HTTPS Cookie：Secure Flag防护

• RFC: 带有Secure属性的Cookie仅能在HTTPS会话中传输

图片.png

Secure Flag：缺乏完整性保护

• RFC 6265:
  Although seemingly useful for protecting cookies from active network attackers,
  the Secure attribute protects only the cookie’s confidentiality.
  An active network attacker can overwrite Secure cookies from an insecure channel,
  disrupting their integrity

图片.png

Secure Cookie：注入/覆盖

注入.png

Cookie注入：Authenticated-as-Attacker

• CSRF Login

图片.png

• BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forge

Auth-as-Attacker ：易察觉

图片.png

• BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forgery

Cookie注入：XSS/SQLi

• Set-Cookie: inject=abc”+alert(‘xss’)+”;domain=.amazon.cn; path=/;

图片.png

Cookie注入：XSS/SQLi

• Cookie反射
  • Html/JS/JSON/XML
• 参与JavaScript运算
• 渲染到DOM
• 参与Server端运算

图片.png