Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3 due on Thur, Nov 17 Recall: Cookie scope GET … Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (when to send) ; scope path = (when to send) secure = (only send over SSL); expires = (when expires) ; HttpOnly • EXpires is expiration date • Delete cookie by setting “expires” to date in past • HttpOnly: cookie cannot be accessed by Javascript, but only sent by browser Recall: What scope a server may set for a cookie domain: any domain-suffiX of URL-hostname, except TLD [top-level domains, e.g. ‘.com’] example: host = “login.site.com” allowed domains disallowed domains login.site.com user.site.com .site.com othersite.com .com path: can be set to anything Recall: When browser sends cookie Server GET //URL-domain/URL-path Cookie: NAME = VALUE A cookie with domain = example.com, and path = /some/path/ will be included on a request to http://foo.example.com/some/path/subdirectory/hello.tXt Client side read/write: document.cookie Setting a cookie in Javascript: document.cookie = “name=value; expires=…; ” Reading a cookie: alert(document.cookie) prints string containing all cookies available for document (based on [protocol], domain, path) Deleting a cookie: document.cookie = “name=; expires= Thu, 01-Jan-00” document.cookie often used to customize page in Javascript Viewing/deleting cookies in Browser UI FirefoX: Tools -> page info -> security -> view cookies Sessions Sessions A sequence of requests and responses from one browser to one (or more) sites n Session can be long (Gmail - two weeks) or short (e.g., banking) n without session mgmt: users would have to constantly re-authenticate Session management: n Authorize user once; n All subsequent requests are tied to user Pre-history: HTTP auth HTTP request: GET /indeX.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ https://cs161.berkeley.edu Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ= What problems can you see with this moDel? HTTP auth problems Hardly used in commercial sites n User cannot log out other than by closing browser w What if user has multiple accounts? w What if multiple users on same computer? n Site cannot customize password dialog n Confusing dialog to users n Easily spoofed Session tokens Browser Web Site GET /indeX.html set anonymous session token GET /books.html anonymous session token POST /do-login check Username & password creDentials elevate to a logged-in session token POST /checkout logged-in session token ValiDate token Storing session tokens: Lots of options (but none are perfect) • Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb • Embedd in all URL links: https://site.com/checkout ? SessionToken=kh7y3b • In a hidden form field: <input type=“hidden” name=“sessionid” value=“kh7y3b”> Can you see problems with these? Storing session tokens: problems • Browser cookie: browser sends cookie with every request, even when it should not (see CSRF attack) • Embed in all URL links: token leaks via HTTP Referer header (your browser tells a site which previous site it visited last in the Referer header, which may contain session tokens) • In a hidden form field: short sessions only Best answer: a combination of all of the above. Cross Site Request Forgery RN Release Notes RNRNRN ReleaseRelease Notes NotesNotes What Changed From 2010 to 2013? WhatWhat Changed From 2010 toto 2013?2013? WhatThe threat Changed landscape for From applications 2010 security to constantly2013? changes. Key factors in this evolution are advances made by attackers, ThetheTheThe releasethreat threatthreat landscape oflandscape new technologies for for applications applications with security new security weaknesses constantly constantlyconstantly as changes. changes.wellchanges. as Keymore Key Key factors factors builtfactors in in defenses,thisin this this evolution evolution evolution and arethe are are advances deployment advances advances made made madeof byincreasingly by attackeby attacke attackers, rs, rs, thecomplexthethe release releaserelease systems. of ofof new new Totechnologies technologies keep pace, with wewith periodicallynew newnew weaknesses weaknessesweaknesses update as as aswellthe wellwell OWASPas as asmore more more Top built built built 10. in in defenses,Inin defenses, thisdefenses, 2013 and and release,and the the the deployment deployment wedeployment made ofthe ofincreasingly of followingincreasingly increasingly changes: complex complexcomplex systems. systems. To To keep keep pace, pace, we we periodically periodically update updateupdate the thethe OWASP OWASPOWASP Top Top Top 10. 10. 10. In In thisIn this this 2013 2013 2013 release, release, release, we we wemade made made the the the following following following changes: changes: changes: 1) Broken Authentication and Session Management moved up in prevalence based on our data set. We believe this is probably 1)1)1) BrokenbecauseBrokenBroken Authentication Authenticationthis area is being and and lookedSession Session at Management Managementharder,Management not becausemoved movedmoved up these upup in in prevalencein prevalence issuesprevalence are based actually based based on on onmoreour our our data prevalent.data data set. set. set. We We We Thisbelieve believe believe caused this this this isRisks probablyis is probably probablyA2 and becauseA3becausebecause to switch this this area places. area is isbeing being looked looked at at harder, harder,harder, not notnot because becausebecause these thesethese issues issues issues are are are actually actually actually more more more prevalent. prevalent. prevalent. This This This caused caused caused Risks Risks Risks A2 A2 andA2 and and A3 A3A3 to toto switch switch places. places. 2) Cross -Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe 2)2)2) CrossthisCrossCross is-Site -because-Site Request Request CSRF Forgery Forgery has been (CSRF) (CSRF) in the moved movedmoved OWASP down downdown Top in in inprevalence10 prevalenceprevalence for 6 years, based basedbased and on organizationson on our our our data data data set set set fromand from from framework 2010 2010 2010-A5-A5- A5to developersto 2013to 2013 2013-A8.-A8.- A8.We have We Webelieve believe focused believe thisonthisthis it is isenoughis because becausebecause to CSRF CSRFsignificantly has has been been reduce in in the thethe OWASPthe OWASPOWASP number Top TopTop 10 of 1010 forCSRF forfor 6 6years,6vulnerabilities years,years, and and and organizations organizations organizations in real world and and and applications.framework framework framework developers developers developers have have have focused focused focused on onon it it itenough enough to to significantly significantly reduce reduce the thethe number numbernumber of of ofCSRF CSRFCSRF vulnerabilities vulnerabilitiesvulnerabilities in inrealin real real world world world applications. applications. applications. 3) We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive: 3)3)3) We WeWe broadened broadened Failure Failure to to Restrict Restrict URL URL Access AccessAccess from fromfrom the thethe 2010 20102010 OWASP OWASPOWASP Top Top Top 10 10 10to to beto be bemore more more inclusive: inclusive: inclusive: + 2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function +++ 2010level2010- A8:access-A8: Failure Failure control. to to Restrict RestrictThere URLare URL manyAccess AccessAccess ways is isnowis nownowto 2013specify 20132013-A7:- -A7:whichA7: Missing MissingMissing function Function Function Function is being Level Level Level accessed, Access Access Access Control Controlnot Control just – to –the – to cover to URL.cover cover all all of all offunction of function function levellevellevel access accessaccess control. control. There There are areare many manymany ways waysways to to tospecify specifyspecify which whichwhich function function function is isbeing is being being accessed, accessed, accessed, not not not just just just the the the URL. URL. URL. 4) We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure: 4) 4)4) WeWeWe merged merged and and broadened broadened 2010 2010-A7--A7 & &&2010 20102010-A9--A9A9 to to toCREATE: CREATE:CREATE: 2013 2013 2013-A6:--A6:A6: Sensitive Sensitive Sensitive Data Data Data Exposure Exposure Exposure: : : – This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport ––– ThisThis new new category category was was created created by byby merging mergingmerging 2010 20102010-A7--A7A7 – Insecure–– InsecureInsecure Cryptographic Cryptographic Cryptographic Storage Storage Storage & &2010 & 2010 2010-A9-A9- A9- Insufficient - -Insufficient Insufficient Transport Transport Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data LayerLayer Protection, Protection, plus plus adding adding browser browserbrowser side sideside sensitive sensitivesensitive data datadata risks risks risks as as aswell. well. well. This This This new new new category category category covers covers covers sensitive sensitive sensitive data data data protection