Cookie Stealing and XSS Presentation
Lab 3
Cookie Stealing using XSS
Kara James, Chelsea Collins, Trevor Norwood, David Johnson
Lab 3 Goals
• Learn what cookies are
• Learn about Cross-Site Scripting attacks
• Learn what it means to steal cookie information
• Get hands-on experience with a web browser vulnerability
What are cookies?
• Nope, not the kind you eat! ;)
• The kind that track you like a creepy stalker!
• Cookies are data stored in a web browser
• There are many different “types” of cookies:
  • Session, Persistent/Tracking
  • Persistent cookies are cookies that outlast the user session and are used for a variety of reasons
  • Zombie cookies that recreate themselves
• Cookies identify who you are to a website
  • The website stores this information (like your username and password) to help provide you with the pages you view
  • They can be used to keep track of and keep records of users’ browsing histories and activity
Are they good or bad?
• Cookies can be tracked by third parties and are used by advertising companies to track users across multiple sites and pages.
  • For example, in 2002 the CIA was leaving persistent cookies on the computers of people visiting its sites.
  • In 2005, the NSA also left persistent cookies after a software upgrade.
• RFC 2965 specifies that browsers should protect user privacy and not allow third-party cookies by DEFAULT.
  • BUT most browsers ALLOW these third-party cookies by default. It is allowed because the browsers and the third-party websites state it in their policies and agreements.
• For instance, do you think Facebook should have the right to track your Google searches? Or any online activity?
Cross-site Scripting Attacks (XSS)
• These vulnerabilities occur in the server-side code
• They are vulnerabilities in web applications
• XSS injects client-side script into web pages
• There are different kinds of XSS attacks, but Lab 3 deals with cookie stealing through XSS
• The injected code steals a cookie that should only be exchanged between the server and the client, and sends it to another party
We will be using these Webhacking.zip files
• malURL.htm
• Redirectpage.htm
• Setgetcookie.htm
• Stealcookie.php
• Log.txt
Lab 3 Process
1. User first opens setgetcookie.htm on the vulnerable site
2. Sets cookie
3. Attacker sends malURL.htm to the user with malicious URLs in it
4. Clicking on them redirects the user to redirectpage.htm
5. redirectpage.htm has a script embedded in an HTML tag
6. The script sends the document’s cookie to stealcookie.php on the attacker’s site
7. stealcookie.php logs the cookie on the attacker’s site
setgetcookie.htm
malURL.htm
Hovering over each link with your cursor shows two different destinations. One is more deceiving and more likely to be opened/clicked on.
Second link: redirectpage.htm redirects to stealcookie.php
<body>
<?php
// stealcookie.php: the attacker-side logger used in the lab.
// Open log.txt in append mode so each stolen value is added to the end.
$f = fopen("log.txt","a");
// The cookie arrives in the "username" query parameter of the request
// sent by the injected script; write it on its own line.
$cookie = "\n".($_GET['username'] ?? '')."\n";
fwrite($f, $cookie);
fclose($f);
?>
</body>
Log.txt
• The stealcookie.php file stores the cookie in the log.txt file
BAM!!!
You’re HACKED!
Today: Changes and Threats
• Lab 3 is only an example of the general process of XSS cookie stealing and would not work in the real world because of increases in web browsing security.
• Modern browsers are more sophisticated now: they don’t relocate to new sites without permission and they filter out scripts from links
• But hackers come up with new ways around these features EVERY DAY
• Which is why it is so important to update all of your software regularly.
• Examples of cookie stealing:
  • Malicious links through instant messengers, emails, spam, Facebook, disguised websites, disguised links
  • Web browsing and clicking on malicious links
  • Injected sophisticated scripting code to trick users
Real World Cookie Stealing Example
• Facebook cookie stealing example:
  • You can capture packets using a free network packet analyzer
  • This is where you can find a “cookie” over an internet connection
  • You’ll need other applications as well, like Firefox, Greasemonkey, and the cookieinjector script
  • This example gives you access to their account but doesn’t give you their credentials
  • Only works if the Facebook connection is HTTP
  • Prevented by using HTTPS, which you can enable in your browser under Account Settings > Security
Preventing cookie stealing
• Using HTTPS encrypts and protects
• Web Vulnerability Scanners
Choosing to “Remember Me” uses
• Google uses similar cookies for its services
• Detecting suspicious activity on server side
• Requiring Re-authentication
• Cookies are browser specific
• Browser Fingerprint
• Change browser settings to tell websites not to track you
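A hardened version of the lab’s cookie-setting and parameter-reflecting code, added here as an example; it is not part of the slides or of the Webhacking.zip files, and the helper names are hypothetical. It goes beyond the slide’s list by adding the HttpOnly, Secure and SameSite cookie attributes, which stop the injected script from reading the cookie (step 6 of the lab), plus the HTML escaping that stops a script smuggled in through a tag (step 5) and a server-side check for the “suspicious activity” bullet.

```python
import html
import re
from http.cookies import SimpleCookie

# Hypothetical helper names; nothing here comes from the lab's Webhacking.zip.
# \bon\w+\s*= catches inline handlers like onerror= without matching "consent=".
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def session_cookie_header(name, value, secure=True):
    """Return a Set-Cookie header value for a session cookie.

    HttpOnly keeps the value out of document.cookie, which is what the
    lab's injected script reads; Secure keeps it off plain HTTP (the
    Facebook sniffing example); SameSite=Strict stops the browser sending
    it along with cross-site requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def render_vulnerable(username):
    """Reflects the parameter verbatim: the pattern that lets a script in a
    crafted link end up inside the page (the lab's redirect page)."""
    return "<p>Welcome, " + username + "</p>"


def render_hardened(username):
    """Same page with HTML escaping, so '<' and quotes become entities and
    the browser never sees a new tag."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def looks_like_script_injection(param_value):
    """Server-side check: flag request parameters carrying script markup so
    they can be logged or rejected before they are ever reflected."""
    return SCRIPT_MARKERS.search(param_value) is not None


if __name__ == "__main__":
    # Constructed, benign probe value: it only shows whether the tag survives.
    probe = "<script>alert(document.cookie)</script>"
    print(session_cookie_header("session", "abc123"))
    print(render_vulnerable(probe))
    print(render_hardened(probe))
    print(looks_like_script_injection(probe))
```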
Any Questions?