160 likes | 171 Views
Learn about cookies, cross-site scripting attacks, and how attackers steal cookie information through a web browser vulnerability. Get hands-on experience with web hacking techniques.
E N D
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson
Lab 3 Goals • Learn what cookies are • Learn about Cross-Site Scripting Attacks • Learn what it means to steal cookie information • Get hands on experience with a web browser vulnerability
What are cookies? • Nope, not the kind you eat! ;) • The Kind that track you like a creepy stalker! • Cookies are data stored in a web browser • There many different “types” of cookies: • Session, Persistent/Tracking • Persistent cookies are cookies that will outlast user sessions and are used for a variety of reasons • Zombie Cookies that recreate themselves • Cookies identify who you are to a website • The website stores this information (like your username and password) to help provide you with the pages you view • They can be used to keep track and keep records of users browsing histories and activity
…. Are they Good or Bad? • Cookies can be tracked by third-parties and are used by advertising companies to track users across multiple sites and pages. • For example, in 2002 the CIA was leaving persistent cookies on computers who were visiting their sites. • In 2005, The NSA has also left persistent cookies from a software upgrade. • RFC 2965 specifies that browsers should protect user privacy and not allow third-party cookies by DEFAULT. • BUT most browsers ALLOW these third-party cookies by default. It is allowed because browsers and the third-party website has it stated in their Policies and agreements • For instance, Do you think Facebook should have the right to track your Google searches? Or any online activity?
Cross-site Scripting Attacks/XSS • These vulnerabilities would occur in the server-side code • They are vulnerabilities in Web Applications • XSS injects client-side script into web pages • There are different kinds of XSS attacks, but Lab 3 deals with cookie stealing through XSS • The injected code Steals a cookie that should be only exchanged between the server/client and is sent to another party
We will be using these Webhacking.zip Files • malURL.htm • Redirectpage.htm • Setgetcookie.htm • Stealcookie.php • Log.txt
Lab 3 Process • User first opens setgetcookie.htm on vulnerable site • Sets cookie • Attacker sends malURL.htm to user with malicious URLs in it • Clicking on them redirects user to redirectpage.htm • redirectpage.htm has script embedded in a html tag • Script inputs the document’s cookie to stealcookie.phpon attacker’s site • Stealcookie.phplogs the cookie on attacker’s site
malURL.htm Hovering over each link with your cursor shows two different destinations. One is more deceiving and more likely to be opened/clicked on
Second Link: redirectpage.htm redirects to stealcookie.php <body> <?php $f = fopen("log.txt","a"); $cookie = "\n".$_GET['username']."\n"; fwrite($f, $cookie); fclose($f); ?> </body>
Log.txt • Stealcookie.php file stores the cookie into the log.txt file BAM!!! You’re HACKED!
Today: Changes and Threats • Lab 3 is only an example of the general process of XSS cookie stealing and would not work in real world because of an increase in the web browsing security. • Modern browsers are more sophisticated now and don’t relocate to new sites without permission and they filter out scripts from links • But hackers come up new ways around these features EVERYDAY • Which is why it is so important to update all of your software regularly. • Examples of cookie stealing: • Malicious links through instant messengers, emails, spam, Facebook, disguised websites, disguised links • Web browsing and clicking on malicious links • Injected sophisticated scripting code to trick users
Real World Cookie Stealing Example • Facebook cookie stealing Example: • You can capture packets using a free network packet analyzer • This is where you can Find a “cookie” over an internet connection • You’ll need other applications as well like Firefox, greasemonkey, and cookieinjector script • This example gives you access to their account but doesn’t give you their credentials • Only works if Facebook connection is HTTP • Prevented by using HTTPS which you can enable in your Browser under Account Settings>Security
Preventing cookie stealing • Using HTTPS encrypts and protects • Web Vulnerability Scanners Choosing to “Remember Me” uses • Google uses similar cookies for its services • Detecting suspicious activity on server side • Requiring Re-authentication • Cookies are browser specific • Browser Fingerprint • Change Browser Settings to tell websites not to track you