Cookie-Related Security Issues in Web Applications: Study Notes

流弊的小白
2017.03.13 15:05 · Word count: 662


Cookie Basics

  • Used to keep HTTP session state / cached information across requests
  • Written by the server or by the browser (script)
    • Server:
      • Set-Cookie: user=bob; domain=.bank.com; path=/;
    • JS:
      • document.cookie = "user=bob; domain=.bank.com; path=/;";
  • Stored in the browser / transmitted in HTTP headers
    • In the HTTP header:
      • Cookie: user=bob; cart=books;
    • Read from JS:
      • console.log(document.cookie); attributes are given when writing, but are not visible when reading
  • Attributes
    • name / domain / path / httponly / secure / expire ...
  • The triple
    • [name, domain, path] identifies a unique cookie: if any one of name, domain or path differs, it is a different cookie
      • Server (Set-Cookie) → Browser (stored cookies)
        • Set-Cookie: session=bob; domain=.bank.com; path=/;     → session=bob;
        • Set-Cookie: session=alice; domain=.bank.com; path=/;   → session=alice;  (same triple, so the value is overwritten)
        • Set-Cookie: session=jack; domain=.bank.com; path=/pay; → session=alice; session=jack;  (different path, so a second cookie is stored)

Cookie Leakage

Cookie Leakage: HTTPS Protection

Cookie Basics: Same-Origin Policy (SOP)

Cookie SOP: Domain matches upward (suffix wildcard)

  • When reading or writing a cookie, the Domain attribute is validated by a suffix ("wildcard") match: the page's host must equal the cookie domain or be a subdomain of it
    • Writing:
      • When the page is http://www.bank.com:
        • Set-Cookie: user1=aaa; domain=.bank.com; path=/;      accepted
        • Set-Cookie: user2=bbb; domain=www.bank.com; path=/;   accepted
        • Set-Cookie: user3=ccc; domain=.www.bank.com; path=/;  accepted
        • Set-Cookie: user4=ddd; domain=other.bank.com; path=/; rejected
    • Reading:
      • Visiting http://www.bank.com
        • Cookie: user1=aaa; user2=bbb; user3=ccc;
      • Visiting http://user.bank.com
        • Cookie: user1=aaa;

Cookie SOP: Path matches downward (prefix)

  • Set-Cookie: session=bob; domain=.bank.com; path=/;
  • Set-Cookie: cart=books; domain=.bank.com; path=/buy/;

Cookie Leakage: HTTPS Session

HTTPS Cookies: Secure Flag Protection

  • RFC: a cookie carrying the Secure attribute is transmitted only within HTTPS sessions

Secure Flag: No Integrity Protection

  • RFC 6265:
    Although seemingly useful for protecting cookies from active network attackers,
    the Secure attribute protects only the cookie's confidentiality.
    An active network attacker can overwrite Secure cookies from an insecure channel,
    disrupting their integrity.

Secure Cookie: Injection / Overwrite
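An added example, not code from the original notes: a small Python model of the cookie-jar rules described in the Domain, Path and triple sections above, together with the Secure-flag integrity gap quoted from RFC 6265. The strict_secure switch is a hypothetical name for the RFC 6265bis "leave Secure cookies alone" behaviour that later browsers adopted; hosts and values are the constructed bank.com ones from the notes.

```python
# Added example, not from the original notes. Models the RFC 6265 rules the notes
# describe; the strict_secure switch is a hypothetical name for the RFC 6265bis
# "leave Secure cookies alone" behaviour that later browsers adopted.

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    d, host = cookie_domain.lstrip(".").lower(), host.lower()
    return host == d or host.endswith("." + d)

def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: the cookie path is a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class CookieJar:
    def __init__(self, strict_secure=False):
        self.strict_secure = strict_secure  # mitigation switch, see lead-in
        self.store = {}                     # (name, domain, path) -> (value, secure)

    def set_cookie(self, page_host, name, value, domain, path="/", secure=False, https=True):
        """Apply one Set-Cookie seen by a page on page_host; return True if accepted."""
        if not domain_matches(page_host, domain):  # e.g. domain=other.bank.com on www.bank.com
            return False
        key = (name, domain.lstrip(".").lower(), path)
        old = self.store.get(key)
        # Plain RFC 6265: the same [name, domain, path] triple overwrites, even when
        # a Secure cookie is replaced from http. Strict mode refuses that overwrite.
        if self.strict_secure and not https and old is not None and old[1]:
            return False
        self.store[key] = (value, secure)
        return True

    def cookie_header(self, host, path="/", https=True):
        """Build the Cookie request header for a request to host/path."""
        sent = [(len(p), n, v) for (n, d, p), (v, sec) in self.store.items()
                if domain_matches(host, d) and path_matches(path, p) and (https or not sec)]
        sent.sort(key=lambda t: -t[0])  # more specific (longer) paths first
        return "; ".join(f"{n}={v}" for _, n, v in sent)

def secure_overwrite(strict):
    """Constructed scenario: can a cookie set over http replace the Secure session cookie?"""
    jar = CookieJar(strict_secure=strict)
    jar.set_cookie("www.bank.com", "session", "real", ".bank.com", secure=True, https=True)
    jar.set_cookie("www.bank.com", "session", "evil", ".bank.com", secure=False, https=False)
    return jar.cookie_header("www.bank.com", https=True)  # "session=evil" or "session=real"
```

With strict_secure=False the jar reproduces the RFC 6265 text: the http-set value replaces the Secure cookie and is then sent over HTTPS; with strict_secure=True the overwrite is refused.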

Cookie Injection: Authenticated-as-Attacker

  • Login CSRF
  • Barth, A., Jackson, C., Robust Defenses for Cross-Site Request Forgery

Auth-as-Attacker: Easy for the victim to notice

  • Barth, A., Jackson, C., Robust Defenses for Cross-Site Request Forgery

Cookie Injection: XSS / SQLi

  • Set-Cookie: inject=abc"+alert('xss')+"; domain=.amazon.cn; path=/;

Cookie Injection: XSS / SQLi

  • Cookie reflection
    • into HTML / JS / JSON / XML
  • Cookie value used in JavaScript logic
  • Cookie value rendered into the DOM
  • Cookie value used in server-side processing (e.g. queries)