WebApp Sec mailing list archives
RE: Cookie stealing and replay in a corporate single sign on environment
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Wed, 15 Jun 2005 09:06:38 +0200
Hi Willard

We have some experiences in dealing with this kind of problem. Cookie stealing is actually easier than most people think, especially with 80% of today's Web applications being vulnerable to XSS/CSRF attacks. I agree mostly with your points, especially that one-time cookies don't work well in reality. We have some customers using transactional cookies (one-time cookies) but that is only possible if you don't expect a user to open multiple browser windows or work in multiple applications in the same SSO environment.

> I often hear "we use SSL" when bringing up the issue. SSL doesn't matter.

Indeed, SSL itself does not solve the problem. BUT: It does matter :) The SSL session ID can be used to track the session (either alone or combined with a session cookie). Probably not all SSO solutions today support SSL session ID based session tracking. Does yours? In our security gateway solution (which is not a full SSO product) we provide the option to use the SSL session ID as session tracking mechanism, either stand-alone or combined with a session cookie. The way you describe your SSO environment, I think that the SSL session ID would solve your problems.

The SSL session ID itself is not secret and it is not enough to steal it. It is much more secure than just using a session cookie. An attacker would have to copy the whole SSL stack of the user's context to take over an SSL session. That is pretty much equivalent to compromising the client computer/browser. However, there are some restrictions using the SSL session ID when dealing with old browser versions that do not keep the SSL session long enough.

In case you're interested in more details, the session tracking as well as the whole attack mitigation techniques (to prevent cookie stealing in the first place) are also described in our new whitepaper: http://www.seclutions.com/en/downloads/AirLock_Whitepaper.pdf

The link should not be understood as indecent product placement here, but it does not make sense that I repeat WP content in this email... ;-) The WP describes quite some techniques independent of the product and it might be helpful input to you (I hope).

Best regards,

Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com
-----Original Message-----
From: Willard Fernortner [mailto:fernortner () hotmail com]
Sent: Mittwoch, 15. Juni 2005 07:52
To: webappsec () securityfocus com
Subject: Cookie stealing and replay in a corporate single sign on environment

I'm wondering if anyone else has given thought to cookie replay attacks when using a web single sign-on solution on a corporate network. Here are my concerns:

-- Web single sign-on typically works using a shared cookie that is passed to all intranet web sites in the corporate domain (e.g. *.myintranet.com). Because these cookies are passed to ALL internal web sites, there are plenty of opportunities for these cookies to be stolen:
a) They can be harvested by employees, contractors, or anyone else that is allowed to publish a web page to ANY corporate web site (through server log files or through JavaScript on published web pages)
b) They can be stolen using a cross site scripting flaw on ANY web site in the corporate domain

-- Once an SSO cookie is stolen, the attacker can use that cookie to impersonate the victim to HR, financial, or other sensitive web applications that the victim has access to. The implications could be huge.

-- Most people I've talked to appear to be clueless that a problem exists. I often hear "we use SSL" when bringing up the issue. SSL doesn't matter. Cross site scripting can be used to steal cookies regardless of SSL use. Similarly, I often hear "the SSO cookie is encrypted". That doesn't matter either. I just need to replay the encrypted cookie "blob" in an attack.

Aside from "don't use single sign on" and "use certificates" (neither are options for us for several reasons), what can be done to mitigate the risks? I've considered the following:

-- Track the IP address of the legitimate user when they authenticate, then validate that the user is coming from the same IP address for each subsequent request to the SSO environment. Most SSO vendors support this out of the box. However, IP addresses can be spoofed (it's not hard to spoof your boss's IP address when you are on the same subnet), and IP validation doesn't work in NAT environments. Still, I think this is probably the most feasible option.

-- Use timeout values to force periodic re-authentication. However, reauthenticating too often defeats the purpose of SSO.

-- Use some sort of nonce so that cookies can only be used one time. This probably wouldn't work well in an SSO environment when a user might want to have multiple web applications open at once though.

-- Put sensitive applications into a separate sub-domain (e.g. *.secure.myintranet.com), then use a separate SSO cookie for that specific domain.

Any other thoughts? Has anyone else here implemented SSO on a corporate network, and if so, are you doing anything to prevent cookie stealing and replay? If you aren't doing anything, is it due to ignorance, or have you specifically decided not to address the problem? Why?

Thanks
WF
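The two mitigations discussed in this thread, binding the SSO session to the SSL/TLS session ID (Cyrill's suggestion) and to the client IP plus timeouts (Willard's options), can be illustrated with a small server-side session store. The following is an added example written for this archive page; it is not code from either poster, from the Seclutions gateway, or from any SSO product. It assumes the front end can hand the application the TLS session ID of the connection a request arrived on (how that value is obtained is deployment specific and not shown), and all names, timeouts and sample values are constructed for the illustration.

```python
"""Server-side SSO session store that binds a session cookie to the TLS
session ID (and optionally the source IP) observed at login, with idle and
absolute timeouts. Added illustration, not code from the list thread."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    tls_session_id: bytes   # TLS session ID seen when the user authenticated
    client_ip: str          # source IP seen when the user authenticated
    created_at: float       # for the absolute timeout
    last_seen: float        # for the idle timeout


class BoundSessionStore:
    """A cookie is accepted only when presented over the TLS session (and,
    if bind_ip is set, from the IP) recorded at authentication. bind_ip
    should be False behind NAT, where many users share one address."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, bind_ip=True):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.bind_ip = bind_ip

    def login(self, user, tls_session_id, client_ip, now):
        # The random token is the only thing that goes into the SSO cookie;
        # the binding data stays server side where a cookie thief cannot see it.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, tls_session_id, client_ip, now, now)
        return token

    def check(self, token, tls_session_id, client_ip, now):
        """Return (user, 'ok') or (None, reason). A cookie replayed over a
        different TLS session is rejected even if the IP matches."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown-cookie"
        if now - s.created_at > self.absolute_timeout:
            del self._sessions[token]
            return None, "absolute-timeout"
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None, "idle-timeout"
        if not hmac.compare_digest(s.tls_session_id, tls_session_id):
            # Stolen cookie presented from another client's TLS stack.
            return None, "tls-session-mismatch"
        if self.bind_ip and client_ip != s.client_ip:
            return None, "ip-mismatch"
        s.last_seen = now
        return s.user, "ok"


def demo():
    """Constructed scenario: victim logs in, then a stolen cookie is replayed."""
    victim_tls, attacker_tls = b"\x01" * 32, b"\x02" * 32  # constructed IDs
    store = BoundSessionStore()
    cookie = store.login("alice", victim_tls, "10.0.0.5", now=1000.0)
    results = {
        "legit": store.check(cookie, victim_tls, "10.0.0.5", 1010.0),
        # Replay from another host: different TLS session and IP.
        "replay": store.check(cookie, attacker_tls, "10.0.0.99", 1020.0),
        # Replay with a spoofed source IP: TLS binding still catches it.
        "replay_spoofed_ip": store.check(cookie, attacker_tls, "10.0.0.5", 1020.0),
    }
    # NAT-friendly variant: IP binding off, TLS binding alone decides.
    nat_store = BoundSessionStore(bind_ip=False)
    c2 = nat_store.login("bob", victim_tls, "192.0.2.1", now=1000.0)
    results["nat_same_tls"] = nat_store.check(c2, victim_tls, "192.0.2.7", 1005.0)
    results["nat_other_tls"] = nat_store.check(c2, attacker_tls, "192.0.2.1", 1005.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

The store keeps the binding data out of the cookie, so an attacker who harvests the cookie through XSS or server logs still lacks the TLS session it was issued on. The caveat Cyrill raises applies unchanged: a browser that drops its TLS session early will hit "tls-session-mismatch" and must re-authenticate, so the idle timeout and the TLS session lifetime need to be tuned together.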