Hi all,

Is there any (open source) ASP.NET implementation (in the form of an HttpHandler or other) for the following paper: http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

Greetings, Tim

A: 

This paper is making the assumption that an HMAC+Symmetric Cipher is sufficient for defending against all attacks against an HTTP session. This is an incorrect assumption, as this still leaves the door open to MITM attacks. Further, this proposed cryptographic system is better implemented as a block cipher in CMAC mode, but this is equally vulnerable.

Without protecting the actual HTTP content you open the door to an XSS-style attack. An attacker would forward the traffic normally, but append some malicious JavaScript to conduct its own requests using XHR. This is assuming that other basic session security systems are in place, such as "HTTP-Only" cookies.

In short, yes, there is an open source protocol that protects your session from all attacks. It's SSL! SSL uses a PKI to defend against MITM, and this is by far the best solution. HTTPS is required to be used throughout the entire session, and this is a requirement of the OWASP Top 10 Broken Authentication and Session Management.

Rook
The paper states clearly that SSL is required for their solution, also since the SSL session ID is used in the hash.... This paper solves replay attacks with cookies, something your link does not handle...
Tim Mahy
@Tim Mahy yeah, I didn't read the entire paper. So then what's stopping someone from riding on the session with XHR or CSRF? This is the same attack used to defeat "HTTP-Only Cookies", which sounds like a more solid fix to this problem.
Rook
"So then what's stopping someone from riding on the session with XHR or CSRF?" Setting the secured cookie with Http-Only also; for a MITM attack it is required to hack into the SSL session, but if the thief can do this then there is no such thing as security left. SSL only does not defend you from a replay attack in which a thief resends the cookie on his SSL connection after stealing it from a victim...
Tim Mahy
@Tim Mahy I think you misunderstood my point. If you have an XSS vulnerability then an attacker can use XHR to "ride" on the session. This can be used to change the user's password or force the user to log in, in your usual CSRF-style attacks. XSS+XHR can be used to bypass CSRF protection, and here is an exploit that I wrote that does this (http://www.milw0rm.com/exploits/7922). This is the best attack to use against an application using this proposed "secure cookie protocol", "HTTP-Only Cookie" and CSRF protection; all three are bypassed. It's a moot point, just use existing systems.
Rook
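The replay defence discussed in the comments above (an HMAC that also covers the SSL session ID) can be sketched as follows. This is an added example, not code from the paper or from any poster, and it is written in Python rather than ASP.NET so it can be run directly. The field layout, the per-cookie key derivation and the names `issue_cookie` / `verify_cookie` are assumptions of this sketch; encryption of the data field is left out, and the session ID is assumed to be supplied by whatever terminates TLS.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-server-key"  # constructed; use a managed secret in practice


def _mac(key: bytes, *fields: bytes) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") produce different MACs.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_cookie(user: str, data: str, tls_session_id: bytes, ttl: int = 900, now=None) -> str:
    if "|" in user or "|" in data:
        raise ValueError("'|' is the field separator and is not allowed in values")
    expires = str(int(now if now is not None else time.time()) + ttl)
    u, e = user.encode(), expires.encode()
    k = _mac(SERVER_KEY, u, e)  # per-cookie key (assumed derivation)
    tag = _mac(k, u, e, data.encode(), tls_session_id)  # binds cookie to this TLS session
    return "|".join([user, expires, data, tag.hex()])


def verify_cookie(cookie: str, tls_session_id: bytes, now=None):
    """Return (user, data) if the cookie is authentic, unexpired and presented
    on the TLS session it was issued for; otherwise return None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, expires, data, tag_hex = parts
    try:
        tag, exp = bytes.fromhex(tag_hex), int(expires)
    except ValueError:
        return None
    u, e = user.encode(), expires.encode()
    expected = _mac(_mac(SERVER_KEY, u, e), u, e, data.encode(), tls_session_id)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if exp < (now if now is not None else time.time()):
        return None
    return user, data
```

A cookie copied from the victim and presented on a different TLS session fails the MAC check. As the answer points out, this does nothing against script that runs inside the victim's own session.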