(In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags

Hyunsoo Kwon; Hyunjae Nam; Sangtae Lee; Changhee Hahn; Junbeom Hur

doi:10.1109/TIFS.2019.2938416

(In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags

Hyunsoo Kwon, Hyunjae Nam, Sangtae Lee, Changhee Hahn, Junbeom Hur

Department of Computer Science and Engineering

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called rotten~cookie which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack.

Original language	English
Article number	8820079
Pages (from-to)	1204-1215
Number of pages	12
Journal	IEEE Transactions on Information Forensics and Security
Volume	15
DOIs	https://doi.org/10.1109/TIFS.2019.2938416
Publication status	Published - 2020

Bibliographical note

Funding Information:
Manuscript received May 29, 2018; revised January 29, 2019, June 21, 2019 and August 6, 2019; accepted August 13, 2019. Date of publication August 29, 2019; date of current version December 11, 2019. This work was supported in part by the Institute of Information & Communications Technology Planning & Evaluation (IITP) Grant funded by the Korea Government (MSIT) under Grant 2019-0-00533 (Research on CPU Vulnerability Detection and Validation) and in part by the Research Fund of Signal Intelligence Research Center supervised by the Defense Acquisition Program Administration and the Agency for Defense Development, South Korea. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Issa Traore. (Hyunsoo Kwon, Hyunjae Nam, and Sangtae Lee contributed equally to this work.) (Corresponding author: Junbeom Hur.) The authors are with the Department of Computer Science and Engineering, Korea University, Seoul 156-756, South Korea (e-mail: hs_kwon@korea.ac.kr; niceotor13@korea.ac.kr; tkdxo0624@korea.ac.kr; hahn850514@korea.ac.kr; jbhur@korea.ac.kr). Digital Object Identifier 10.1109/TIFS.2019.2938416

Publisher Copyright:
© 2005-2012 IEEE.

Keywords

Cookie theft attack
SSL/TLS
hypertext transfer protocol

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/TIFS.2019.2938416

Cite this

@article{126afa5664714084a2e0a912e71c6af8,

title = "(In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags",

abstract = "HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called rotten~cookie which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack. ",

keywords = "Cookie theft attack, SSL/TLS, hypertext transfer protocol",

author = "Hyunsoo Kwon and Hyunjae Nam and Sangtae Lee and Changhee Hahn and Junbeom Hur",

note = "Funding Information: Manuscript received May 29, 2018; revised January 29, 2019, June 21, 2019 and August 6, 2019; accepted August 13, 2019. Date of publication August 29, 2019; date of current version December 11, 2019. This work was supported in part by the Institute of Information & Communications Technology Planning & Evaluation (IITP) Grant funded by the Korea Government (MSIT) under Grant 2019-0-00533 (Research on CPU Vulnerability Detection and Validation) and in part by the Research Fund of Signal Intelligence Research Center supervised by the Defense Acquisition Program Administration and the Agency for Defense Development, South Korea. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Issa Traore. (Hyunsoo Kwon, Hyunjae Nam, and Sangtae Lee contributed equally to this work.) (Corresponding author: Junbeom Hur.) The authors are with the Department of Computer Science and Engineering, Korea University, Seoul 156-756, South Korea (e-mail: hs_kwon@korea.ac.kr; niceotor13@korea.ac.kr; tkdxo0624@korea.ac.kr; hahn850514@korea.ac.kr; jbhur@korea.ac.kr). Digital Object Identifier 10.1109/TIFS.2019.2938416 Publisher Copyright: {\textcopyright} 2005-2012 IEEE.",

year = "2020",

doi = "10.1109/TIFS.2019.2938416",

language = "English",

volume = "15",

pages = "1204--1215",

journal = "IEEE Transactions on Information Forensics and Security",

issn = "1556-6013",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - (In-)Security of Cookies in HTTPS

T2 - Cookie Theft by Removing Cookie Flags

AU - Kwon, Hyunsoo

AU - Nam, Hyunjae

AU - Lee, Sangtae

AU - Hahn, Changhee

AU - Hur, Junbeom

N1 - Funding Information: Manuscript received May 29, 2018; revised January 29, 2019, June 21, 2019 and August 6, 2019; accepted August 13, 2019. Date of publication August 29, 2019; date of current version December 11, 2019. This work was supported in part by the Institute of Information & Communications Technology Planning & Evaluation (IITP) Grant funded by the Korea Government (MSIT) under Grant 2019-0-00533 (Research on CPU Vulnerability Detection and Validation) and in part by the Research Fund of Signal Intelligence Research Center supervised by the Defense Acquisition Program Administration and the Agency for Defense Development, South Korea. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Issa Traore. (Hyunsoo Kwon, Hyunjae Nam, and Sangtae Lee contributed equally to this work.) (Corresponding author: Junbeom Hur.) The authors are with the Department of Computer Science and Engineering, Korea University, Seoul 156-756, South Korea (e-mail: hs_kwon@korea.ac.kr; niceotor13@korea.ac.kr; tkdxo0624@korea.ac.kr; hahn850514@korea.ac.kr; jbhur@korea.ac.kr). Digital Object Identifier 10.1109/TIFS.2019.2938416 Publisher Copyright: © 2005-2012 IEEE.

PY - 2020

Y1 - 2020

N2 - HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called rotten~cookie which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack.

AB - HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called rotten~cookie which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack.

KW - Cookie theft attack

KW - SSL/TLS

KW - hypertext transfer protocol

UR - http://www.scopus.com/inward/record.url?scp=85071657168&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2019.2938416

DO - 10.1109/TIFS.2019.2938416

M3 - Article

AN - SCOPUS:85071657168

SN - 1556-6013

VL - 15

SP - 1204

EP - 1215

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

M1 - 8820079

ER -

(In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this