[Toc]

Cookie基礎

• 用于保持HTTP會話狀態/緩存信息
• 由服務器/瀏覽器（腳本）寫入
• Server:
• Set-Cookie: user=bob; domain=.bank.com; path=/;
• JS:
  document.cookie=“user=bob; domain=.bank.com; path=/;”;
• 存儲于瀏覽器/傳輸于HTTP頭部
  • HTTP頭中
    • Cookie: user=bob; cart=books;
  • JS讀取:
    • console.log(document.cookie);寫時帶屬性，讀時無屬性
• 屬性
  • name/domain/path/httponly/secure/expire …
• 三元組
  • [name, domain, path]：確定唯一Cookie name, domain, path任一不同，則Cookie不同
    • Server————————————————————Browser

      • Set-Cookie: session=bob; domain=.bank.com; path=/; session=bob;

      • Set-Cookie: session=alice; domain=.bank.com; path=/ ;session=alice;

      • Set-Cookie: session=jack; domain=.bank.com; path=/pay;session=alice; session=jack;

Cookie泄露

圖片.png

Cookie泄露:HTTPS保護

圖片.png

Cookie基礎：同源策略（SOP）

• Web SOP: [protocol, domain, port]

  • http://www.bank.com
  • http://www.bank.com:8080
  • https://www.bank.com

• 非同源（受SOP隔離保護）

• Cookie SOP: [domain, path]

  • 僅以domain/path作為同源限制
  • 不區分端口
  • 不區分HTTP / HTTPS
    • Cookie: session=secret; domain=.bank.com; path=/;
    • http://bank.com
    • https://bank.com

Cookie SOP：Domain向上通配

• 在對Cookie讀寫時，以“通配”的方式判斷Domain是否有效
  • 寫入：
• 當頁面為 http://www.bank.com 時：
  • Set-Cookie: user1=aaa; domain=.bank.com; path=/;接受
  • Set-Cookie: user2=bbb; domain=www.bank.com; path=/;接受
  • Set-Cookie: user3=ccc; domain=.www.bank.com; path=/;接受
  • Set-Cookie: user4=ddd; domain=other.bank.com; path=/;拒絕
  • 讀取：
  • 訪問 http://www.bank.com
    • Cookie: user1=aaa; user2=bbb; user3=ccc;
  • 訪問 http://user.bank.com
    • Cookie: user1=aaa;

Cookie SOP：Path向下（后）通配

• Set-Cookie: session=bob; domain=.bank.com; path=/;
• Set-Cookie: cart=books; domain=.bank.com; path=/buy/;
  • http://bank.com/
  • Cookie: session=bob;
  • http://bank.com/buy/
  • Cookie: session=bob; cart=books;

Cookie泄露：HTTPS Session

圖片.png

HTTPS Cookie：Secure Flag防護

• RFC: 帶有Secure屬性的Cookie僅能在HTTPS會話中傳輸

圖片.png

Secure Flag：缺乏完整性保護

• RFC 6265:
  Although seemingly useful for protecting cookies from active network attackers,
  the Secure attribute protects only the cookie’s confidentiality.
  An active network attacker can overwrite Secure cookies from an insecure channel,
  disrupting their integrity

圖片.png

Secure Cookie：注入/覆蓋

注入.png

Cookie注入：Authenticated-as-Attacker

• CSRF Login

圖片.png

• BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forge

Auth-as-Attacker ：易察覺

圖片.png

• BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forgery

Cookie注入：XSS/SQLi

• Set-Cookie: inject=abc”+alert(‘xss’)+”;domain=.amazon.cn; path=/;

圖片.png

Cookie注入：XSS/SQLi

• Cookie反射
  • Html/JS/JSON/XML
• 參與JavaScript運算
• 渲染到DOM
• 參與Server端運算

圖片.png