The Attack and Defense of Computers (電腦攻擊與防禦)
Dr. 許富皓
Magic Cookie
• A magic cookie or cookie is a token or short packet of data passed between communicating programs, where the data is typically not meaningful to the recipient program. The contents are opaque and not usually interpreted until the recipient passes the cookie data back to the sender or perhaps another program at a later time. The cookie is often used like a ticket—to identify a particular event or transaction.
• In some cases, recipient programs are able to meaningfully compare two cookies for equality.
Analogy of Magic Cookies
• A magic cookie is analogous to, for example, the token supplied at a coat check (British English: cloakroom) counter in real life.
• The token has no intrinsic meaning, but its uniqueness allows it to be exchanged for the correct coat when returned to the coat check counter.
• The coat check token is opaque because the way in which the counter staff find the correct coat when the token is presented is immaterial to the guest who wants the coat returned.
Cookie Applications in the Computer World
• Cookies are used as identifying tokens in many computer applications. When one visits a website, the remote server may leave an HTTP cookie on one's computer, where it is often used to authenticate identity upon returning to the website.
• Some cookies (such as HTTP cookies) have a digital signature appended to them or are otherwise encrypted, so that hostile users or applications are unable to forge a cookie and present it to the sending application in order to gain access that the hostile user is otherwise not entitled to. Depending on the nature of the encryption algorithm used, users may be able to verify that a cookie is authentic.
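As an added illustration of the signed-cookie idea on this slide (example code, not from the slides): the server appends an HMAC-SHA256 tag to the cookie value and rejects any cookie whose tag does not recompute, so a value that was edited by the client, or a tag copied from another user's cookie, is detected. The key name SECRET_KEY and the "value.tag" layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed server-side key for this example; a real deployment keeps it
# secret and rotates it. The browser never sees it, so it cannot forge tags.
SECRET_KEY = b"example-only-secret-key"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag: '<value>.<urlsafe-base64 tag>'.

    The tag proves the value came from a holder of the key; it does not
    hide the value, which stays readable by the browser (and, over plain
    HTTP, by anyone sniffing the connection)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present at all
    # Recompute and compare in constant time so timing does not leak the tag.
    if hmac.compare_digest(sign_cookie(value, key), cookie):
        return value
    return None


if __name__ == "__main__":
    issued = sign_cookie("user=alice")
    forged = "user=admin." + issued.rsplit(".", 1)[1]  # alice's tag, new value
    print(verify_cookie(issued), verify_cookie(forged))  # user=alice None
```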
Web Bugs
• A Web bug is an object that is embedded in a web page or e-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail. Alternative names are Web beacon, tracking bug, pixel tag, and clear gif.
Implementation
• Typically, a Web bug is a small (usually 1×1 pixel) transparent GIF image (or an image of the same color as the background) that is embedded in an HTML page, usually a page on the Web or the content of an e-mail.
• Whenever the user opens the page with a graphical browser or e-mail reader, the image is downloaded.
• This download requires the browser to request the image from the server storing it, allowing the server to take notice of the download.
• As a result, the organization running the server is informed of when the HTML page has been viewed.
HTTP Cookies
• An HTTP cookie, or a Web cookie, is a parcel of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server.
• HTTP cookies are used for
  • authenticating,
  • tracking,
  • and maintaining specific information about users, such as site preferences and the contents of their electronic shopping carts.
• The term "cookie" is derived from "magic cookie", a well-known concept in computing which inspired both the idea and the name of HTTP cookies.
• Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable.
• For example, shopping baskets implemented using cookies do not work if cookies are rejected.
Purpose -- Maintaining Specific Information about Users
• Cookies are used by Web servers to differentiate users and to operate in a way that depends on the user.
• Cookies were invented for realizing a virtual shopping basket: this is a virtual device in which the user can "place" items to purchase, so that users can navigate a site where items are shown, adding or removing items from the shopping basket at any time.
• Cookies allow for the content of the shopping cart to depend on the user's actions.
Cookie Stealing
• In a typical web application logon scenario, two authentication tokens are exchanged — a username and password — for values stored in a cookie, thereafter used as the only authentication token.
• It is commonly understood that a user's web session is vulnerable to hijacking if an attacker captures that user's cookies.
Purpose -- Tracking
• Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser.
• The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions.
• Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site.
• By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views.
Cookie Expiration Date
• The cookie setter can specify a deletion date, in which case the cookie will be removed on that date.
• A shopping site might want to help potential customers by remembering the items in their shopping basket, even if they quit their browser without making a purchase and return later, so that they don't have to find the products all over again. In this case, the site sets a cookie deletion date some time in the future, and the shopping cart contents are kept until then.
• If the cookie setter does not specify a date, the cookie is removed once the user quits his browser.
• As a result, specifying a date is a way of making a cookie survive across sessions.
• For this reason, cookies with an expiration date are called persistent.
Misconceptions about Cookies
• Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media. In 2005, Jupiter Research published the results of a survey, according to which a consistent percentage of respondents believed some of the following claims:
  • Cookies are like worms and viruses in that they can erase data from the user's hard disks;
  • Cookies are a form of spyware in that they can read personal information stored on the user's computer;
  • Cookies generate popups;
  • Cookies are used for spamming;
  • Cookies are only used for advertising.
• Cookies are in fact only data, not code: they cannot erase or read information from the user's computer.
Browser Settings about Cookies
• Most modern browsers support cookies.
• A user can usually also choose whether cookies should be used or not. The following are common options:
  • cookies are never accepted,
  • the browser asks the user whether to accept every individual cookie,
  • or cookies are always accepted.
Advanced Browser Settings about Cookies
• The browser may also include the possibility of better specifying which cookies have to be accepted or not.
• In particular, the user can typically choose one or more of the following options:
  • reject cookies from specific domains;
  • disallow third-party cookies;
  • accept cookies as non-persistent (expiring when the browser is closed).
• Additionally, browsers may also allow their users to view and delete individual cookies.
Third-party Cookies
• While cookies are only sent to the server setting them or one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies.
Using Third-party Cookies to Track a User's Activity
• Advertising companies use third-party cookies to track a user across multiple sites.
• In particular, an advertising company can track a user across all pages where it has placed advertising images or Web bugs.
• Knowledge of the pages visited by a user allows the advertisement company to target advertisements to the user's presumed preferences.
Privacy Threat
• The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain but especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
Illegal Use Examples of Cookies
• The United States government set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising to see if they then visited sites about drug making and drug use.
• In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers for ten years. When notified it was violating policy, the CIA stated that these cookies were not intentionally set and stopped setting them.
• On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.
Drawbacks of Cookies
• Besides privacy concerns, there are some other reasons why cookies have been opposed: they do not always accurately identify users, and they can be used for security attacks.
  • Inaccurate identification
  • Cookie theft
  • Cookie poisoning
  • Cross-site cooking
Inaccurate Identification
• If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
• Likewise, cookies do not differentiate between multiple users who share a computer and browser, if they do not use different user accounts.
Cookie Theft – through Sniffers
• During normal operation, cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user.
• Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible to other computers. However, cookies sent on ordinary HTTP sessions are visible to all users who can listen in on the network using a packet sniffer. These cookies should therefore not contain sensitive data.
• This problem can usually be overcome by using the https URI scheme, which invokes Transport Layer Security to encrypt the connection. Once the connection is encrypted, an eavesdropper cannot even tell where in the traffic the cookie is.
Cookie Theft – through Cross-site Scripting
• Cross-site scripting allows the value of cookies to be sent to servers controlled by attackers.
• Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them.
• The process allowing an unauthorized party to receive a cookie is called cookie theft, and encryption does not help against this attack.
Cookie Theft – on Sites Allowing Users to Post HTML Documents
• Sites that allow users to post HTML content can also be used by attackers to steal cookies.
• By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users.
• Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognized as the user whose cookies have been stolen.
Possible Results When Cookies Are Stolen [David Endler]
• Once the cookie has been obtained, the active attacker can then (if he or she is quick enough)
  • load the pilfered cookie values,
  • point the browser to the appropriate web application site (e.g. hotmail.com, mail.yahoo.com, etc.),
  • and access the victim's account without bothering to spend time cracking the correct combination of username and password.
• This has obvious implications depending on the application: an attacker could
  • read a victim's e-mail inbox,
  • access bank records and write a check to his or herself using online bill pay,
  • or buy items using cached retail credit information on sites like Amazon and eBay.
• For this exploitation to be successful, the attacker must perform these actions before the user's session has expired or else receive a "session expired" error page.
Cookie Poisoning
• While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server.
• If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing this value exposes the server to the risk of making the attacker pay less than the supposed price.
• The process of tampering with the value of cookies is called cookie poisoning, and is sometimes used after cookie theft to make an attack persistent.
Defend against Cookie Poisoning
• Most websites, however, only store a session identifier — a randomly generated unique number used to identify the user's session — in the cookie itself, while all the other information is stored on the server. In this case, the problem of cookie poisoning is largely eliminated.
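An added example (not from the slides) contrasting the poisonable design from the previous slide, where the amount to pay travels in the cookie, with the session-identifier design described here, where the cookie carries only a random id and the server recomputes the total from state it holds itself. The PRICES catalogue, the item names and the cookie fields cart_total and session_id are constructed for this example.

```python
import secrets

# Constructed catalogue for the example; prices in whole currency units.
PRICES = {"book": 20, "lamp": 35}


def vulnerable_total(cookie: dict) -> int:
    """Poisonable: the amount to charge is read straight from the cookie,
    so a client that rewrites cart_total=55 to cart_total=1 is charged 1."""
    return int(cookie["cart_total"])


class SessionStore:
    """Hardened: only an opaque session id is placed in the cookie; the cart
    lives on the server and the total is recomputed from it on every request."""

    def __init__(self):
        self._carts = {}  # session id -> list of item names

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._carts[sid] = []
        return sid

    def add_item(self, sid: str, item: str) -> None:
        self._carts[sid].append(item)

    def total_for(self, cookie: dict):
        """Return the server-side total, or None for an unknown or forged id.
        Extra fields the client adds to the cookie are simply ignored."""
        cart = self._carts.get(cookie.get("session_id"))
        if cart is None:
            return None
        return sum(PRICES[item] for item in cart)
```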
Request a Web Page
• Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a short text called an HTTP request.
• For example, to access the page http://www.w3.org/index.html, browsers connect to the server www.w3.org, sending it a request that looks like the following one:

  Browser to server:
    GET /index.html HTTP/1.1
Send back the Requested Page and a Cookie
• The server replies by sending the requested page preceded by a similar packet of text, called an HTTP header. This packet may contain lines requesting the browser to store cookies.
• The line Set-Cookie is only sent if the server wishes the browser to store a cookie. Indeed, it is a request for the browser to store the string name=value and send it back in all future requests to the server.

  Server to browser:
    HTTP/1.1 200 OK
    Set-Cookie: name=value
    Content-type: text/html

    (content of page)
Request More Web Pages with the Cookies
• If the browser supports cookies and cookies are enabled, every subsequent page request to the same server contains the cookie.
• For example, the browser requests the page http://www.w3.org/spec.html by sending the server www.w3.org a request like the following.
• This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.

  Browser to server:
    GET /spec.html HTTP/1.1
    Cookie: name=value
    Accept: */*
Reset the Cookie
• The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response to a page request. The browser then replaces the old value with the new one.
Cookie Attributes
• Besides the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections.
• RFC 2109 also specifies that cookies must have a mandatory version number, but this is usually omitted.
• These pieces of data follow the name=newvalue pair and are separated by semicolons.
• For example, a cookie can be created by the server by sending a line Set-Cookie: name=newvalue; expires=date; path=/; domain=.example.org.
The Domain and Path Attributes
• The domain and path tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path.
• If not specified, they default to the domain and path of the object that was requested.
• As a result, the domain and path strings may tell the browser to send the cookie when it normally would not.
• For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string.
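An added example (not from the slides) that works through the Set-Cookie / Cookie exchange of the preceding slides together with the attribute rules on this one: it parses a Set-Cookie line, applies the default-domain/path and domain-membership acceptance rules, and decides whether a stored cookie goes back on a later request. The function names and the example.org hosts are assumptions; the expires value is assumed to be the usual RFC 1123 date string.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; expires=...; path=/; domain=.example.org; secure'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name, "value": value, "expires": None,
         "path": None, "domain": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "expires":
            c["expires"] = parsedate_to_datetime(val)  # assumes RFC 1123 date
        elif key in ("domain", "path"):
            c[key] = val.lower().lstrip(".") if key == "domain" else val
        elif key == "secure":
            c["secure"] = True
    return c

def domain_matches(host: str, domain: str) -> bool:
    """True if host is the cookie's domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def path_matches(req_path: str, cookie_path: str) -> bool:
    """Whole-segment prefix match, so a /shop cookie does not cover /shopping."""
    return cookie_path == "/" or req_path == cookie_path or req_path.startswith(cookie_path.rstrip("/") + "/")

def accept_cookie(request_url: str, header: str):
    """Slide rules: missing Domain/Path default to the requested object's; a Domain the server is not in is rejected."""
    u = urlsplit(request_url)
    c = parse_set_cookie(header)
    if c["domain"] is None:
        c["domain"] = u.hostname
    elif not domain_matches(u.hostname, c["domain"]):
        return None  # e.g. www.example.org may not set domain=.other.org
    if c["path"] is None:
        c["path"] = u.path.rsplit("/", 1)[0] or "/"  # directory of the object
    return c

def should_send(c: dict, request_url: str, now=None) -> bool:
    """Send-back rules: not expired, https if Secure, domain and path match."""
    u = urlsplit(request_url)
    now = now or datetime.now(timezone.utc)
    if c["expires"] is not None and c["expires"] <= now:
        return False
    if c["secure"] and u.scheme != "https":
        return False
    return domain_matches(u.hostname, c["domain"]) and path_matches(u.path, c["path"])
```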
Cookie Theft Tool
• xssproxy.pl