tags:

views:

199

answers:

3
+5  Q: 

Mitigating the 'firesheep' attack in the application layer?

What methodologies do people recommend for mitigating the 'Firesheep' method for website applications?

We have thought about this and from a usability perspective, other than encrypting all traffic to a site, mitigating the attack can be somewhat of a problem for web developers.

One suggestion we came up with was to use path based cookies, and encrypt traffic for a specific path where account operations or personalised interaction happens. This however complicates usability however, in as much as the rest of the site (the un-encrypted - un-authenticated) bit does not know who the user would be.

Does anyone have any other suggestions for mitigating this vector of attack, while maintaining a usable level of usability?

+6  A: 

Firesheep is nothing new. Session hijacking has been going on for more than two decades. You don't need "encrypt" your cookie, thats handled by your transport layer. Cookies must always be a cryptographic nonce.

Usually hackers just set their own cookie by typing this into the address bar javascript:document.cookie='SOME_COOKIE', FireSheep is for script kiddies that fear 1 line of JavaScript. But it really doesn't make this attack any easier to perform.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session and this is apart of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1)Use httponly cookies. (Makes it so JavaScript cannot access document.cookie, but you can still do session riding with xss)

2)Use "secure cookies" (Horrible name, but its a flag that forces the browser to make the cookie HTTPS only.)

3)Scan your web application for xss using Acunetix(free) or wapiti (open source)

Also don't forget about CSRF! (Which firesheep doesn't address)

Rook  2010-10-25 18:04:36
Yes. It's nothing new. The New as you mention is that the skript kiddies can get in on the act. Which is why it's potentially such a problem. I want to protect my users.
pobk  2010-10-25 18:07:38
@pobk You should be enabling these security features before Firesheep. This tool doesn't change anything.
Rook  2010-10-25 18:15:23
Our application is as secure as we can make it (it complies with PCI DSS)... We're just looking beyond at protecting our users.
pobk  2010-10-25 18:21:32
@pobk The pci-dss does require regular scans, but is your web appreciation enabling the 2 cookie flags I talked about?
Rook  2010-10-25 18:29:19
Secure cookies are not enabled since the session is used for personalisation. We don't want to run the entire site from HTTPS... that would be a nightmare for usability. Usability and site personalisation becomes infinitely more difficult.
pobk  2010-10-25 19:36:54
Confused, why is https less usable? Unless you have self-signed certificates (so don't do that then - there are cheap CAs) it's basically transparent to the end-user
telent  2010-10-26 12:23:18
@pobk With this application design you will always be vulnerable to firesheep and always violating OWASP. HTTPS is the only method to protect your self. SSL is a very light weight protocol, the handshake is cached and cipher text does not add additional bandwidth.
Rook  2010-10-26 16:28:13
A: 

Has anybody tried taking advantage of the "Web Storage" in HTML 5 to store a shared key (passed during SSL-encrypted responses during authentication) that is used by javascript to alter the session cookie over time? That way, the stolen (unencrypted) session cookies would only be valid for a short amount of time.

My guess is that Web Storage is segmented by port (in addition to host), so it wouldn't be possible. Just throwing that idea out there in case anybody wants to run with it.

arscan  2010-10-26 20:10:40

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security