Web应用中Cookie相关安全问题研究—

[Toc]

Cookie基础

用于保持HTTP会话状态/缓存信息
由服务器/浏览器（脚本）写入
Server:
Set-Cookie: user=bob; domain=.bank.com; path=/;
JS:
document.cookie=“user=bob; domain=.bank.com; path=/;”;
存储于浏览器/传输于HTTP头部
- HTTP头中
  - Cookie: user=bob; cart=books;
- JS读取:
  - console.log(document.cookie);写时带属性，读时无属性
属性
- name/domain/path/httponly/secure/expire …
三元组
- [name, domain, path]：确定唯一Cookie name, domain, path任一不同，则Cookie不同
  - Server————————————————————Browser
    - Set-Cookie: session=bob; domain=.bank.com; path=/; session=bob;
    - Set-Cookie: session=alice; domain=.bank.com; path=/ ;session=alice;
    - Set-Cookie: session=jack; domain=.bank.com; path=/pay;session=alice; session=jack;

Cookie泄露

图片.png

Cookie泄露:HTTPS保护

图片.png

Cookie基础：同源策略（SOP）

Web SOP: [protocol, domain, port]
- http://www.bank.com
- http://www.bank.com:8080
- https://www.bank.com
非同源（受SOP隔离保护）
Cookie SOP: [domain, path]
- 仅以domain/path作为同源限制
- 不区分端口
- 不区分HTTP / HTTPS
  - Cookie: session=secret; domain=.bank.com; path=/;
  - http://bank.com
  - https://bank.com

Cookie SOP：Domain向上通配

在对Cookie读写时，以“通配”的方式判断Domain是否有效
- 写入：
当页面为 http://www.bank.com 时：
- Set-Cookie: user1=aaa; domain=.bank.com; path=/;接受
- Set-Cookie: user2=bbb; domain=www.bank.com; path=/;接受
- Set-Cookie: user3=ccc; domain=.www.bank.com; path=/;接受
- Set-Cookie: user4=ddd; domain=other.bank.com; path=/;拒绝
- 读取：
- 访问 http://www.bank.com
  - Cookie: user1=aaa; user2=bbb; user3=ccc;
- 访问 http://user.bank.com
  - Cookie: user1=aaa;

Cookie SOP：Path向下（后）通配

Set-Cookie: session=bob; domain=.bank.com; path=/;
Set-Cookie: cart=books; domain=.bank.com; path=/buy/;
- http://bank.com/
- Cookie: session=bob;
- http://bank.com/buy/
- Cookie: session=bob; cart=books;

Cookie泄露：HTTPS Session

图片.png

HTTPS Cookie：Secure Flag防护

RFC: 带有Secure属性的Cookie仅能在HTTPS会话中传输

图片.png

Secure Flag：缺乏完整性保护

RFC 6265:
Although seemingly useful for protecting cookies from active network attackers,
the Secure attribute protects only the cookie’s confidentiality.
An active network attacker can overwrite Secure cookies from an insecure channel,
disrupting their integrity

图片.png

Secure Cookie：注入/覆盖

注入.png

Cookie注入：Authenticated-as-Attacker

CSRF Login

图片.png

BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forge

Auth-as-Attacker ：易察觉

图片.png

BARTH, A., JACKSON, C., Robust De-fenses for Cross-Site Request Forgery

Cookie注入：XSS/SQLi

Set-Cookie: inject=abc”+alert(‘xss’)+”;domain=.amazon.cn; path=/;

图片.png

Cookie注入：XSS/SQLi

Cookie反射
- Html/JS/JSON/XML
参与JavaScript运算
渲染到DOM
参与Server端运算

图片.png

Web应用中Cookie相关安全问题研究——学习笔记

Cookie基础

Cookie泄露

Cookie泄露:HTTPS保护

Cookie基础：同源策略（SOP）

Cookie SOP：Domain向上通配

Cookie SOP：Path向下（后）通配

Cookie泄露：HTTPS Session

HTTPS Cookie：Secure Flag防护

Secure Flag：缺乏完整性保护

Secure Cookie：注入/覆盖

Cookie注入：Authenticated-as-Attacker

Auth-as-Attacker ：易察觉

Cookie注入：XSS/SQLi

Cookie注入：XSS/SQLi

你可能感兴趣的:(Web应用中Cookie相关安全问题研究——学习笔记)