[unisog] Using cookies for authentication

hermit921 hermit921 at yahoo.com
Fri Mar 7 16:53:16 GMT 2003


I would expect that your system checks the issue time of the cookie (part of 
the hash, right?) and refuses to honor it if the time is too old.

hermit921


At 01:26 PM 3/7/2003 +1300, Russell Fulton wrote:
>Hi All,
>         We are currently looking at a new web based application that uses
>cookies for authentication.  The cookie contains amongst other things,
>userid, issue time, the issuing system ID and a SHA1 hash of the
>contents (and a secret) to prevent one changing the cookie.  All
>exchanges of the cookies over the network are via SSL and the cookie
>also had flags that tell the browser not to write it to disk.
>
>So far as I can tell if an attacker can steal a cookie then they can use
>it to impersonate the cookie's owner for the lifetime of the cookie.
>
>We are trying to do a risk analysis of this system and so I am trying to
>figure out how easy (or otherwise) it is to steal memory based cookies
>from systems running common browsers (mostly IE, some old :( ).
>
>Two schemes that occur to me are 1/ to tamper with the browser (so it
>writes the cookie to disk or better still sends it directly to the
>attacker) or 2/ to introduce malware on the user's computer that
>will search for the cookie in memory and send it to the attacker.  If an
>attacker has the ability to do either of these things then they could
>probably also install keyboard loggers and grab the user's credentials
>directly -- something that affects almost all authentication systems so
>I am ignoring this for this particular exercise.
>
>What I am really focusing on is the risk of browser bugs and XSS bugs
>that might allow the cookie to be stolen.  We must assume that the
>attacker may have a web server under their control in the same domain as
>the cookie and that they may be able to induce users to visit the site.
>
>Any thoughts or references gratefully received.
>
>--
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland,  New Zealand
>
>"It ain't necessarily so"  - Gershwin
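An added worked example (not code from either poster's system) of the cookie scheme Russell describes, with the issue-time check hermit921 recommends. It assumes a `userid|issue_time|system_id|mac` layout, a server-side secret `SECRET_KEY`, and a maximum age `MAX_AGE_SECONDS`, none of which the thread specifies. The thread says only "a SHA1 hash of the contents (and a secret)"; this example uses HMAC-SHA1, the standard keyed construction, rather than a bare SHA1(contents || secret), and it adds the `HttpOnly` attribute, which the thread does not mention but which keeps the cookie out of reach of script running in the page (the XSS case Russell is worried about).

```python
import hashlib
import hmac
import time

# Constructed server-side secret for this example; the real one would be
# generated randomly and never shipped with the code.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Assumed policy: refuse cookies older than this (the check hermit921 suggests).
MAX_AGE_SECONDS = 8 * 60 * 60
# Assumed tolerance for clock skew between issuing and verifying servers.
CLOCK_SKEW_SECONDS = 60


def _mac(payload):
    # Keyed hash over the cookie contents, so the userid, issue time and
    # system id cannot be changed without knowing SECRET_KEY.
    return hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha1).hexdigest()


def issue_cookie(userid, system_id, issue_time=None):
    """Build the cookie value: userid|issue_time|system_id|mac (assumed layout)."""
    if issue_time is None:
        issue_time = int(time.time())
    for field in (userid, system_id):
        if "|" in field:
            raise ValueError("field separator not allowed in cookie fields")
    payload = "%s|%d|%s" % (userid, issue_time, system_id)
    return payload + "|" + _mac(payload)


def verify_cookie(cookie, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason, fields). Rejects tampered, expired and malformed cookies."""
    if now is None:
        now = int(time.time())
    parts = cookie.split("|")
    if len(parts) != 4:
        return False, "malformed", None
    userid, issue_str, system_id, mac = parts
    payload = "|".join(parts[:3])
    # Check the MAC before trusting any field, and compare in constant time
    # so the comparison does not leak how many leading bytes matched.
    if not hmac.compare_digest(mac, _mac(payload)):
        return False, "bad-mac", None
    try:
        issue_time = int(issue_str)
    except ValueError:
        return False, "malformed", None
    if issue_time > now + CLOCK_SKEW_SECONDS:
        return False, "issued-in-future", None
    if now - issue_time > max_age:
        # A stolen cookie is only useful until this point; shorter max_age
        # narrows the window described in the original post.
        return False, "expired", None
    return True, "ok", {"userid": userid, "issue_time": issue_time,
                        "system_id": system_id}


def set_cookie_header(name, value):
    """Set-Cookie line: no Expires/Max-Age (session-only, so the browser keeps it
    in memory), Secure (sent only over SSL), HttpOnly (not readable by script)."""
    return "Set-Cookie: %s=%s; Path=/; Secure; HttpOnly" % (name, value)


if __name__ == "__main__":
    c = issue_cookie("rfulton", "webapp-01")
    print(set_cookie_header("auth", c))
    print(verify_cookie(c))
    print(verify_cookie(c.replace("rfulton", "admin")))
```

The verifier checks the MAC first, then the timestamp, so a forged cookie is rejected before any of its fields are interpreted; the `max_age` argument lets a deployment bound how long a stolen cookie remains usable, which is the exposure the original post identifies.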
