Cookie mechanism and attacks on web-client
Fast Track
PHDays, Russia, Moscow, 31/05/2012
Author bio
@d0znpp, firstname.lastname@example.org
• Has been engaged in web application security research since 2004
• Founder and security expert of the ONsec company (since 2009)
• Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis
Cookie mechanism. Rewriting
• Global store for all cookies (httpOnly, secure) on a domain and its subdomains
• Fixed size of the cookie store
• Possible to rewrite an httpOnly/secure cookie
• Possible to rewrite a high-level domain cookie from a low-level one (Chrome)
Cookie mechanism. Reading
• All subdomains get the high-level domain cookie (since the new RFC of April 2011)
• waf.phdays.com can jack your phdays.com accounts ;)
• XSS on subdomains is common
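The two cookie slides above describe the same server-side consequence: a subdomain (or any script running on one) can set a cookie whose name matches the parent domain's session cookie, the browser then sends both, and a server that blindly takes the first value trusts whichever cookie happened to sort first. The following Python example is added here and is not code from the talk or from ONsec; it shows a defender's check that parses the Cookie header without collapsing duplicates, refuses a request when the session cookie name appears more than once, and verifies an HMAC tag so that a cookie written by someone without the server secret is rejected. The secret, the cookie name `sid` and the sample cookie values are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret"
SESSION_COOKIE = "sid"  # assumed session cookie name


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs.

    Order and duplicates are kept on purpose: when a subdomain has set a cookie
    with the same name as the parent-domain cookie, the browser sends both, and
    a parser that builds a dict silently hides the second one.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def issue_session(session_id):
    """Return the cookie value for a session: the id plus an HMAC tag over it."""
    tag = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def session_from_request(cookie_header):
    """Return the session id, or None when the cookie is absent, shadowed or forged."""
    values = [v for n, v in parse_cookie_header(cookie_header) if n == SESSION_COOKIE]
    if len(values) != 1:
        # Zero cookies: not logged in. Two or more: a second cookie of the same
        # name reached us, so refuse rather than guess which one is ours.
        return None
    session_id, sep, tag = values[0].rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a str with non-ASCII would raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return session_id


if __name__ == "__main__":
    good = issue_session("s3ss10n")
    print(session_from_request(f"{SESSION_COOKIE}={good}; lang=en"))            # s3ss10n
    print(session_from_request(f"{SESSION_COOKIE}=x.y; {SESSION_COOKIE}={good}"))  # None
```

Rejecting duplicates is the part most frameworks skip: their cookie parsers return a mapping, so the shadowing cookie wins or loses by sort order and the application never learns that two values arrived. The HMAC tag stops a cookie written with an arbitrary value from being accepted, but it does not by itself stop a valid session value being planted from a subdomain; for that the session id still has to be regenerated on login.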
MS network under attack
• Trusted domain
• Same Origin Policy on the trusted domain
• Local network area
• Security policy
• Bypass "no-proxy for local addresses"
• Profit
MS network under attack
• Iframe bypass of local IP addresses
• DNS names can resolve into the local network
• local.evil.com could resolve to 192.168.0.1
• ISA Server turns non-HTTP packets into valid HTTP
• A number of non-HTTP protocols + ISA = XSS
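The slide's "local.evil.com could resolve to 192.168.0.1" step relies on the browser carrying the attacker's name in the Host header while the packets go to an internal address. The usual defence on the internal service is to accept only requests whose Host header names the service itself. The Python example below is added here and is not code from the talk; it parses a raw HTTP request head, extracts the Host header (refusing missing or duplicated ones), strips a port, normalises IP literals, and compares against an allowlist. The allowlist contents and the sample requests are constructed.

```python
import ipaddress

# Constructed allowlist: the names and addresses this local service answers to.
ALLOWED_HOSTS = {"router.local", "192.168.0.1", "::1"}


def host_from_header(value):
    """Return the host part of a Host header value, dropping any port.

    Handles name:port, v4:port and [v6]:port forms; result is lower-cased.
    """
    value = value.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host
    return value


def request_allowed(raw_request, allowed=ALLOWED_HOSTS):
    """Accept only requests whose Host header names this service.

    A browser that resolved an attacker-controlled name to 192.168.0.1 still
    sends that name as Host, so the request is turned away here regardless of
    which address the name resolved to.
    """
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hosts = [line.partition(":")[2] for line in lines[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        return False                          # missing or duplicated Host header
    host = host_from_header(hosts[0])
    if host in allowed:
        return True
    try:
        # Normalise IP literals such as 0:0:0:0:0:0:0:1 to their canonical form.
        return str(ipaddress.ip_address(host)) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests.
    print(request_allowed("GET / HTTP/1.1\r\nHost: local.evil.com\r\n\r\n"))  # False
    print(request_allowed("GET / HTTP/1.1\r\nHost: 192.168.0.1:80\r\n\r\n"))  # True
```

The check belongs on the internal service, not on the proxy: the ISA rewriting step on the slide shows that what arrives at the service may not be what the client originally emitted, so the service should decide on the bytes it actually receives.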