Stringently protecting against cookie replay attacks
Posted: Fri Dec 05, 2008 12:41 pm
by mightymouse
I am implementing a "remember me" function and need a little help.
A site I am making allows users to use Javascript which of course gives them access to cookies. What I would like to do is prevent them using other peoples cookies to login to the site. I am already storing the MD5 hash of the browser agent in the database along with a unique random hash which the user also has in their cookies.
This current solution means an attacker must be using the same browser as the target, or sending a request using the exact browser agent string.
I am also regenerating the session ID randomly every 5 page visits, meaning the attacker's cookie will expire quickly and become useless.
However, I would like to make it even more secure. Some ideas I had were using the first 3 characters of the IP address of the user and storing it in the database - I know some ISP providers IP addresses can change from request to request, but would the first 3 characters (e.g. 123 or 12.) ever realistically change?
I'm estimating that the above would prevent 75% of attacks, but I would ideally like to make it 100%. Does anyone have any ideas to further protect the cookie information?
Thanks!
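The check the opening post describes, as an added example (not the poster's code): a random token in the cookie, the User-Agent hash and first IP octet stored beside it, and a fresh token minted every five successful visits. The dict store, user id, agent strings and addresses are constructed; note that the check only binds the cookie to the client presenting it.

```python
import hashlib
import hmac
import secrets

ROTATE_EVERY = 5  # the post regenerates the ID every 5 page visits


def _hash(value):
    # The post stores an MD5 of the User-Agent; SHA-256 is used here.
    return hashlib.sha256(value.encode()).hexdigest()


def ip_prefix(remote_addr):
    """First dotted octet. 'First 3 characters' would give '12.' for
    12.x.x.x but '123' for 123.x.x.x, so compare the octet instead."""
    return remote_addr.split(".")[0]


def issue_token(store, user_id, user_agent, remote_addr):
    """Mint a remember-me token; only its hash is kept server side, so a
    leaked table does not yield usable cookies."""
    token = secrets.token_urlsafe(32)
    store[user_id] = {"token_hash": _hash(token),
                      "ua_hash": _hash(user_agent),
                      "ip_prefix": ip_prefix(remote_addr),
                      "visits": 0}
    return token


def check_token(store, user_id, token, user_agent, remote_addr):
    """Validate a presented cookie. Returns (ok, replacement_token);
    replacement_token is a new token when the rotation point is reached,
    at which moment the old token stops working."""
    record = store.get(user_id)
    if record is None:
        return False, None
    ok = (hmac.compare_digest(_hash(token), record["token_hash"])
          and hmac.compare_digest(_hash(user_agent), record["ua_hash"])
          and ip_prefix(remote_addr) == record["ip_prefix"])
    if not ok:
        return False, None  # failed attempts do not count as visits
    record["visits"] += 1
    if record["visits"] >= ROTATE_EVERY:
        return True, issue_token(store, user_id, user_agent, remote_addr)
    return True, None
```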
Re: Stringently protecting against cookie replay attacks
Posted: Sat Dec 06, 2008 8:48 am
by Hannes2k
Hi,
mightymouse wrote: Does anyone have any ideas to further protect the cookie information?
Of course:
Do not allow users to insert their own JavaScript on your site!
Any protection would be useless if a user can insert JavaScript into your site. So please disable it. There are so many more security vulnerabilities than just cookie replay attacks if an attacker can insert JavaScript into your site.
Re: Stringently protecting against cookie replay attacks
Posted: Sat Dec 06, 2008 8:55 am
by Syntac
Allowing users to run custom JavaScript is a massive security vulnerability.
Re: Stringently protecting against cookie replay attacks
Posted: Sat Dec 06, 2008 11:26 am
by mightymouse
Hannes2k wrote: Of course:
Do not allow users to insert their own JavaScript on your site!
Allowing the use of Javascript is a major part of the site, though, one which ties it all together. Note, however, that your average Joe cannot execute Javascript on the site - it would have to be done by an admin or moderator.
What I would be ideally looking for is some way that a cookie could reliably be only usable by a single computer, if one exists.
Re: Stringently protecting against cookie replay attacks
Posted: Sat Dec 06, 2008 12:31 pm
by Hannes2k
Hi,
This won't be possible. If you implement a 'remember me' function with cookies, it could always be abused. But if just admins/mods can insert JavaScript, where is the problem then?
And:
If someone can insert a malicious JavaScript into your site, each defence would be useless. You can read the cookies, so the 'remember me' cookie as well as the session ID cookie could be stolen and abused. Input into forms could easily be sniffed. The attacker can also make the user call some pages (without his knowledge), as is done in AJAX.
So if an attacker can insert JavaScript, he can easily steal the whole identity of the user and each countermeasure is useless. Because with JavaScript, you can say to the browser of the visitor: 'Call this page... call that page... Send this content...'.
It's also possible for the attacker to use the visitor as a proxy: The attacker can normally surf the internet, but each request is sent by the visitor. So for your server it is absolutely impossible to determine if the regular user is calling a page or if the request comes from another person.
As you see, if you have the possibility to insert JavaScript into a page, you can do nearly everything.
Re: Stringently protecting against cookie replay attacks
Posted: Sat Dec 06, 2008 3:01 pm
by mightymouse
Hannes2k wrote: But if just admins/mods can insert JavaScript, where is the problem then?
Because we will not have control over who the admins and mods are, and there could be hundreds of them.
Hannes2k wrote: If someone can insert a malicious JavaScript into your site, each defence would be useless. You can read the cookies, so the 'remember me' cookie as well as the session ID cookie
We are using database sessions, so I can perform the same checks as the remember me cookie - namely browser checks and IP checks. Would that make a difference?
Re: Stringently protecting against cookie replay attacks
Posted: Sun Dec 07, 2008 4:59 am
by Hannes2k
Hi,
mightymouse wrote:
We are using database sessions, so I can perform the same checks as the remember me cookie - namely browser checks and IP checks. Would that make a difference?
Not really. The attacker can create requests which are sent by the user (using AJAX techniques), so that these requests really come from the user.
Browser and IP checks protect your site just against script kiddies.
Re: Stringently protecting against cookie replay attacks
Posted: Mon Dec 15, 2008 11:56 am
by kaisellgren
Hannes2k wrote: Hi,
This won't be possible. If you implement a 'remember me' function with cookies, it could always be abused. But if just admins/mods can insert JavaScript, where is the problem then?
One problem is: are mods trustable? What if they use JavaScript to authenticate themselves as admins? I know... they would be very mean mods.
Re: Stringently protecting against cookie replay attacks
Posted: Fri Dec 19, 2008 9:55 pm
by josh
I don't see it as a problem, as long as the JavaScript is only sent to the user who created it; he can only steal his own cookie. You can run arbitrary JavaScript on any site anyway by pasting it into your address bar. If you want to publicly output user-generated JavaScript you'd have to write a parser... not recommended. You're better off writing a domain-specific language and then translating that to an executable format.
Re: Stringently protecting against cookie replay attacks
Posted: Sun Dec 28, 2008 10:53 pm
by Ambush Commander
So, the usual solution when you want to allow untrusted users to run JavaScript is to cordon them off to their own domain... so you'd get username.example.com.
You might be interested in Google Caja, which lets you put untrusted JavaScript inside your pages and still be secure.
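Why the per-user subdomain helps, as an added example (not from the thread or from Caja): the standard library's browser-like cookie jar shows which cookies are attached to requests for the main site versus the user subdomains. All hosts under example.com and all cookie values are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """CookieJar.extract_cookies only needs .info() returning the headers."""
    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def receive_cookies(jar, url, set_cookie_values):
    """Record the Set-Cookie headers a response from `url` carried."""
    jar.extract_cookies(_FakeResponse(set_cookie_values), Request(url))


def cookies_sent_to(jar, url):
    """The Cookie header the jar would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def demo():
    jar = CookieJar()
    # Session cookie for the main site with no Domain attribute: host-only,
    # so a page (and its script) on a user subdomain never receives it.
    receive_cookies(jar, "https://www.example.com/login",
                    ["sid=main-site-session; HttpOnly"])
    # Remember-me cookie scoped to the registrable domain: the weak variant,
    # because it is attached to requests for every user's subdomain as well.
    receive_cookies(jar, "https://www.example.com/login",
                    ["remember=shared-token; Domain=example.com"])
    # A user's own page setting its own host-only cookie.
    receive_cookies(jar, "https://alice.example.com/", ["pref=dark"])
    return {
        "www": cookies_sent_to(jar, "https://www.example.com/"),
        "alice": cookies_sent_to(jar, "https://alice.example.com/page"),
        "bob": cookies_sent_to(jar, "https://bob.example.com/page"),
    }
```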