RE: How to protect against cookie stealing?

How effective is the browser security model?

I'm thinking of a control (ActiveX or Java, possibly JavaScript in a hidden frame that persists for the duration of the session) that holds the user's secret, and provides an authentication token for any request that is submitted to the server that requires auth. The token would be dependent on the parameters being passed, and would effectively be a "signature" of the parameters. Actual implementation is left as an exercise for the reader :-)

So, a request for an account balance would sign a nonce and the account reference, the server would verify the signature, and return the page requested. A request to transfer funds would sign a nonce, the destination account details, the amount, etc before sending that to the server.

My concern is that, even if the server operator manages to completely secure their own site against XSS (as you rightly indicate that the attacker could get your own browser to submit what is needed to exploit you), other sites nominally in your domain (same .domain.com) could still access the control, and "sign requests" in your name. I seem to recall an advisory about this possibility on this list a while back.

Benefits of this approach:

• Well, it addresses Kevin's concerns that we transmit the shared secret when we make a request
• we could remove the "this site requires cookies" angle, possibly.

Downsides

• Well, we now have the "Site requires active content and scripting" angle :-(
• mathematical complexity slows performance?

Comments? Thoughts?

Rogan

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

P.S. I implemented Secure Remote Password using a similar approach (Java applet in a hidden frame). SRP provides a method of authenticating oneself without actually passing the passwords across. It also provides for the establishment of a shared secret without passing the secret across. This secret could be used to encrypt the parameters, and replace them with an encrypted version. If the parameters decrypt OK, they are obviously valid. If not, discard and alert.

P.P.S Unfortunately I lost my SRP code :-( , but it was not too difficult for a Java novice to do, so it should be trivial to redo :-)

> -----Original Message-----
> From: Marc Slemko [mailto:marcs@znep.com]
> Sent: 27 July 2003 06:32 PM
> To: webappsec@securityfocus.com
> Subject: Re: How to protect against cookie stealing?
>
>
> Why are people going off on increasingly wild and completely

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre(at)Deloitte.co.za. Received on Mon Jul 28 07:52:42 2003