RE: Cookie stealing and replay in a corporate single sign on environment

["Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>]

Hi Willard 

We have some experiences in dealing with this kind of problem. Cookie
stealing is actually easier than most people think. Especially with 80% of
today's Web applications being vulnerable to XSS/CSRF attacks.

I agree mostly with your points, especially that one-time cookies don't work
well in reality. We have some customers using transactional cookies (one-time
cookies) but that is only possible if you don't expect a user to open
multiple browser windows or work in multiple applications in the same SSO
environment.

> I often hear "we use SSL" when bringing up the issue.  SSL 
> doesn't matter.

Indeed, SSL itself does not solve the problem. BUT: It does matter :) The SSL
session ID can be used to track the session (either alone or combined with a
session cookie). Probably not all SSO solutions today support SSL session ID
based session tracking. Does yours?

In our security gateway solution (which is not a full SSO product) we provide
the option to use the SSL session ID as session tracking mechanism. Either
stand-alone or combined with a session cookie.

The way you describe your SSO environment I think that the SSL session ID
would solve your problems. The SSL session ID itself is not secret and it is
not enough to steal it. It is much more secure than just using a session
cookie. An attacker would have to copy the whole SSL stack of the user's
context to take over an SSL session. That is pretty much equivalent to
compromising the client computer/browser.

However, there are some restrictions using the SSL session ID when dealing
with old browser versions that do not keep the SSL session long enough. In
case you're interested in more details, the session tracking as well as the
whole attack mitigation techniques (to prevent cookie stealing in the first
place) are also described in our new whitepaper:
http://www.seclutions.com/en/downloads/AirLock_Whitepaper.pdf

The link should not be understood as indecent product placement here, but it
does not make sense that I repeat WP content in this email... ;-) The WP
describes quite some techniques independent of the product and it might be
helfpul input to you (I hope).

Best regards,

Cyrill Osterwalder

Chief Technology Officer
Seclutions AG

http://www.seclutions.com


 


> -----Original Message-----
> From: Willard Fernortner [mailto:fernortner () hotmail com] 
> Sent: Mittwoch, 15. Juni 2005 07:52
> To: webappsec () securityfocus com
> Subject: Cookie stealing and replay in a corporate single 
> sign on environment
>
> I'm wondering if anyone else has given thought to cookie 
> replay attacks when 
> using a web single sign-on solution on a corporate network.  
> Here are my 
> concerns:
>
> -- Web single sign-on typically works using a shared cookie 
> that is passed 
> to all intranet web sites in the corporate domain (e.g. 
> *.myintranet.com).  
> Because these cookies are passed to ALL internal web sites, 
> there are plenty 
> of opportunities for these cookies to be stolen:
>
>    a) They can be harvested by employees, contractors, or 
> anyone else that 
> is allowed to publish a web page to ANY corporate web site 
> (through server 
> log files or through JavaScript on published web pages)
>    b) They can be stolen using a cross site scripting flaw on 
> ANY web site 
> in the corporate domain
>
> -- Once an SSO cookie is stolen, the attacker can use that cookie to 
> impersonate the victim to HR, financial, or other sensitive 
> web applications 
> that the victim has access to.  The implications could be huge.
>
> -- Most people I've talked to appear to be clueless that a 
> problem exists.  
> I often hear "we use SSL" when bringing up the issue.  SSL 
> doesn't matter.  
> Cross site scripting can be used to steal cookies regardless 
> of SSL use.  
> Similarly, I often hear "the SSO cookie is encrypted".  That 
> doesn't matter
> either.  I just need to replay the encrypted cookie "blob" in 
> an attack.
>
> Aside from "don't use single sign on" and "use certificates" 
> (neither are 
> options for us for several reasons), what can be done to 
> mitigate the risks? 
>   I've considered the following:
>
> -- Track the IP address of the legitimate user when they 
> authenticate, then 
> validate that the user is coming from the same IP address for each 
> subsequent request to the SSO environment.  Most SSO vendors 
> support this 
> out of the box.  However, IP addresses can be spoofed (it's 
> not hard to 
> spoof your bosses IP address when you are on the same subnet), and IP 
> validation doesn't work in NAT environments.  Still, I think this is 
> probably the most feasible option.
>
> -- Use timeout values to force periodic re-authentication.  However, 
> reauthenticating too often defeats the purpose of SSO.
>
> -- Use some sort of nonce so that cookies can only be used 
> one time.  This 
> probably wouldn't work well in an SSO environment when a user 
> might want to 
> have multiple web applications open at once though.
>
> -- Put sensitive applications into a separate sub-domain (e.g. 
> *.secure.myintranet.com), then use a separate SSO cookie for 
> that specific 
> domain.
>
> Any other thoughts?  Has anyone else here implemented SSO on 
> a corporate 
> network, and if so, are you doing anything to prevent cookie 
> stealing and 
> replay?  If you aren't doing anything, is it due to 
> ignorance, or have you 
> specifically decided not to address the problem?  Why?
>
> Thanks
> WF