Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson

Lab 3

Cookie Stealing using XSS

Kara James, Chelsea Collins, Trevor Norwood, David Johnson

Lab 3

Goals

• Learn what cookies are
• Learn about Cross-Site Scripting Attacks
• Learn what it means to steal cookie information
• Get hands-on experience with a web browser vulnerability

What are cookies?

• Nope, not the kind you eat! ;)
• The kind that track you like a creepy stalker!
• Cookies are data stored in a web browser
• There are many different “types” of cookies:
• Session, Persistent/Tracking
• Persistent cookies are cookies that will outlast user sessions and are used for a variety of reasons
• Zombie Cookies that recreate themselves
• Cookies identify who you are to a website
• The website stores this information (like your username and password) to help provide you with the pages you view
• They can be used to keep track and keep records of users' browsing histories and activity

…. Are they Good or Bad?

• Cookies can be tracked by third parties and are used by advertising companies to track users across multiple sites and pages.
• For example, in 2002 the CIA was leaving persistent cookies on computers that were visiting their sites.
• In 2005, the NSA also left persistent cookies from a software upgrade.
• RFC 2965 specifies that browsers should protect user privacy and not allow third-party cookies by DEFAULT.
• BUT most browsers ALLOW these third-party cookies by default. It is allowed because browsers and the third-party websites have it stated in their policies and agreements
• For instance, do you think Facebook should have the right to track your Google searches? Or any online activity?

Cross-site Scripting Attacks/XSS

• These vulnerabilities would occur in the server-side code
• They are vulnerabilities in Web Applications
• XSS injects client-side script into web pages
• There are different kinds of XSS attacks, but Lab 3 deals with cookie stealing through XSS
• The injected code steals a cookie that should be only exchanged between the server/client and is sent to another party

We will be using these Webhacking.zip Files

• malURL.htm
• Redirectpage.htm
• Setgetcookie.htm
• Stealcookie.php
• Log.txt

Lab 3 Process

1. User first opens setgetcookie.htm on vulnerable site
2. Sets cookie
3. Attacker sends malURL.htm to user with malicious URLs in it
4. Clicking on them redirects user to redirectpage.htm
5. redirectpage.htm has script embedded in a html tag
6. Script inputs the document’s cookie to stealcookie.php on attacker’s site
7. Stealcookie.php logs the cookie on attacker’s site

setgetcookie.htm

malURL.htm

malURL.htm

Hovering over each link with your cursor shows two different destinations.

One is more deceiving and more likely to be opened/clicked on

Second Link: redirectpage.htm redirects to stealcookie.php

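<body>
<?php
// Append the "username" query-string parameter (the cookie value passed in by redirectpage.htm) to log.txt
$f = fopen("log.txt", "a");
$cookie = "\n" . $_GET['username'] . "\n";
fwrite($f, $cookie);
fclose($f);
?>
</body>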

Log.txt

• Stealcookie.php file stores the cookie into the log.txt file

BAM!!! You’re HACKED!

Today: Changes and Threats

• Lab 3 is only an example of the general process of XSS cookie stealing and would not work in the real world because of increased web browsing security.
• Modern browsers are more sophisticated now and don’t relocate to new sites without permission and they filter out scripts from links
• But hackers come up with new ways around these features EVERY DAY
• Which is why it is so important to update all of your software regularly.
• Examples of cookie stealing:
• Malicious links through instant messengers, emails, spam, Facebook, disguised websites, disguised links
• Web browsing and clicking on malicious links
• Injected sophisticated scripting code to trick users

Real World Cookie Stealing Example

• Facebook cookie stealing example:
• You can capture packets using a free network packet analyzer
• This is where you can find a “cookie” over an internet connection
• You’ll need other applications as well like Firefox, Greasemonkey, and cookieinjector script
• This example gives you access to their account but doesn’t give you their credentials
• Only works if Facebook connection is HTTP
• Prevented by using HTTPS which you can enable in your Browser under Account Settings>Security

Preventing cookie stealing

• Using HTTPS encrypts and protects
• Web Vulnerability Scanners
• Choosing to “Remember Me” uses
• Google uses similar cookies for its services
• Detecting suspicious activity on server side
• Requiring Re-authentication
• Cookies are browser specific
• Browser Fingerprint
• Change Browser Settings to tell websites not to track you
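
Several of the measures listed above (HTTPS, detecting suspicious activity on the server side, requiring re-authentication, browser fingerprint) can be combined in the server's session check. The following Node.js code is an added example, not part of the lab's Webhacking.zip files; the function names, the header-based fingerprint and the HttpOnly/SameSite cookie attributes (which the slides do not mention) are assumptions of this example.

```javascript
// Added example: not part of the lab's Webhacking.zip files.
const crypto = require("crypto");

// In-memory session store: sessionId -> { user, fp, needsReauth }
const sessions = new Map();

// Coarse browser fingerprint built from request headers (assumption: these
// two headers; a real deployment chooses its own signals).
function fingerprint(headers) {
  const material = [headers["user-agent"] || "", headers["accept-language"] || ""].join("\n");
  return crypto.createHash("sha256").update(material).digest("hex");
}

// Create a session and return the Set-Cookie header value.
// Secure   -> only sent over HTTPS, so it is not exposed on plain HTTP.
// HttpOnly -> hidden from document.cookie, so injected script cannot read it.
// SameSite -> not attached to most cross-site requests.
function issueSession(user, headers) {
  const sid = crypto.randomBytes(32).toString("hex");
  sessions.set(sid, { user, fp: fingerprint(headers), needsReauth: false });
  return { sid, setCookie: `sid=${sid}; Path=/; Secure; HttpOnly; SameSite=Lax` };
}

// Validate a presented session id against the browser that presents it.
function checkSession(sid, headers) {
  const s = sessions.get(sid);
  if (!s) return "invalid";
  if (s.needsReauth || s.fp !== fingerprint(headers)) {
    s.needsReauth = true; // stays locked until the user logs in again
    return "reauth";
  }
  return "ok";
}

// Constructed sample requests (not taken from the lab).
const victim = { "user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", "accept-language": "en-US" };
const other = { "user-agent": "curl/8.0.1" };

function demo() {
  const { sid } = issueSession("alice", victim);
  return [
    checkSession(sid, victim),            // same browser
    checkSession(sid, other),             // same cookie, different browser
    checkSession(sid, victim),            // locked until re-authentication
    checkSession("0".repeat(64), victim), // unknown session id
  ];
}

console.log(demo());
```

The fingerprint is a detection signal, not a secret: a client that sends the same headers passes the check, so it complements HTTPS and HttpOnly rather than replacing them.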

Any Questions?