web application security lab

Cookie Clobbering

22 posts left…

While thinking about the previous issue, listening to Jeremiah’s preso and talking with the guys at Microsoft, I got to thinking about cookie clobbering. Let’s say that Microsoft thinks HTTP cookies overwriting secure cookies is a big enough problem to fix. Let’s walk through the use cases. Let’s say there is a separate place for secure cookies that can’t be overwritten by non-secure cookies. Does that mean two cookies are replayed in HTTPS space, or that the HTTPS cookie always wins? Okay… let’s say it wins and the cookie with the secure flag is the only one sent. Well, let’s not forget about Jer’s cookie clobbering script.

When an attacker forces overwriting of the cookie jar, they get the exact same effect. Now the victim has no cookies, secure or otherwise, if the global cookie jar stays the same size and it remains a LIFO system. So now you’re saying, well, the attacker can just use an SSL/TLS-enabled cookie clobbering script - you’re right! So now there has to be a per-site container… or something - and doesn’t that completely defeat the purpose of the upper limits on cookies anyway? Now DoS conditions become an issue, with the disk being filled with tons of huge cookies, and so on. Anyway… this probably needs a lot more thought, and I’m certainly not advocating “fixing” this just to end up with a worse situation than we already have. But certainly secure cookies shouldn’t be clobbered by HTTP cookies - in my opinion.
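To make the trade-off above concrete, here is a toy model of a per-site cookie jar with a fixed capacity and two eviction policies: the newest-in, oldest-out behaviour the post calls LIFO, and a variant in which a non-secure cookie can neither overwrite nor evict a secure one. This is an added illustration, not code from the post or from any browser; the capacity of five and the cookie names are constructed, and real browsers differ in their limits and eviction order.

```python
"""Toy model of a browser cookie jar with a fixed per-site capacity and a
choice of eviction policy. Added illustration of the trade-off in the post;
the capacity and cookie names are constructed, not taken from any browser."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # True when the cookie carried the Secure attribute


class CookieJar:
    """Holds at most `capacity` cookies for one site.

    policy "lifo": the newest cookie always gets in and the oldest is evicted,
        Secure flag or not (the behaviour the post objects to).
    policy "protect_secure": a non-secure cookie can neither overwrite nor
        evict a secure one; secure cookies only give way to other secure ones.
    """

    def __init__(self, capacity: int, policy: str = "lifo"):
        if policy not in ("lifo", "protect_secure"):
            raise ValueError(policy)
        self.capacity = capacity
        self.policy = policy
        self._cookies: "OrderedDict[str, Cookie]" = OrderedDict()

    def set_cookie(self, name: str, value: str, *, secure: bool = False,
                   over_https: bool = False) -> bool:
        """Apply one Set-Cookie; return whether the cookie was stored."""
        if secure and not over_https:
            return False  # a Secure cookie cannot be created over plain HTTP
        existing = self._cookies.get(name)
        if existing is not None:
            if self.policy == "protect_secure" and existing.secure and not secure:
                return False  # plain-HTTP Set-Cookie may not replace a secure cookie
            del self._cookies[name]
        if len(self._cookies) >= self.capacity and not self._evict_one(secure):
            return False
        self._cookies[name] = Cookie(name, value, secure)
        return True

    def _evict_one(self, incoming_secure: bool) -> bool:
        if self.policy == "lifo":
            self._cookies.popitem(last=False)  # oldest cookie leaves
            return True
        for key, c in self._cookies.items():  # oldest first
            if incoming_secure or not c.secure:
                del self._cookies[key]
                return True
        return False  # only secure cookies left and the newcomer is not secure

    def cookies_for(self, scheme: str) -> dict:
        """Cookies the browser would attach to a request on the given scheme."""
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


def session_survives(policy: str, capacity: int = 5, flood: int = 20) -> bool:
    """Set a secure session cookie, then let a plain-HTTP page on the same
    site set many throwaway cookies; report whether the session cookie is
    still sent over HTTPS afterwards."""
    jar = CookieJar(capacity, policy)
    jar.set_cookie("sid", "session-value", secure=True, over_https=True)
    for i in range(flood):
        jar.set_cookie(f"filler{i}", "x")  # non-secure, set over HTTP
    return "sid" in jar.cookies_for("https")


def http_overwrite_wins(policy: str) -> bool:
    """Does a same-named non-secure cookie set over HTTP replace the secure one?"""
    jar = CookieJar(5, policy)
    jar.set_cookie("sid", "session-value", secure=True, over_https=True)
    jar.set_cookie("sid", "from-http")  # non-secure, set over HTTP
    return jar.cookies_for("https").get("sid") == "from-http"


if __name__ == "__main__":
    for p in ("lifo", "protect_secure"):
        print(p, "session survives flood:", session_survives(p),
              "http overwrite wins:", http_overwrite_wins(p))
```

Under "lifo" the secure session cookie is both overwritable by name and evictable by volume; under "protect_secure" it survives both, at the cost that once the jar is full of secure cookies a site's plain-HTTP cookies are silently dropped, which is the per-site-container and limit question the post raises. The second policy is essentially what browsers later adopted under the "Leave Secure Cookies Alone" change to cookie handling.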

2 Responses to “Cookie Clobbering”

  1. Eric Duprey Says:

    Good points.

    I’m going to advocate just NEVER trusting anything in a cookie not to be written by a bad guy. If you eliminate session fixation vulnerabilities, keep the rest of your session data on the backend tied to a session ID cookie that’s overwritten on successful login, and trust no other cookie, the fact that an attacker can overwrite them shouldn’t matter, right?

    Yeah, I know, in practice a lot of developers aren’t doing this and there are a lot of session fixation vulns like this out there…
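What the comment above describes, as an added example that is not part of the post or its comments: session state kept entirely on the server behind an opaque ID, the ID replaced on successful login, an ID the server never issued never adopted, and no cookie other than the session ID consulted. The user table, the request shape and the cookie names are constructed for the example.

```python
"""Server-side session handling along the lines the comment recommends.
Added example, not code from the post; the user table and request shape
are constructed. A real deployment stores password hashes, not passwords."""
import hmac
import secrets

# Constructed user table (plain passwords only to keep the example short).
_USERS = {"alice": {"password": "correct horse battery staple", "admin": True}}


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}  # sid -> server-side state for that session

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # unguessable, server-generated

    def resolve(self, presented_sid):
        """Return (sid, state). An absent or unknown sid gets a fresh one, so a
        value planted in the cookie jar beforehand never becomes a live session."""
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid, self._sessions[presented_sid]
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "admin": False}
        return sid, self._sessions[sid]

    def login(self, presented_sid, username: str, password: str):
        """On success, drop the pre-login session and issue a new ID, so an ID
        fixed before login is worthless afterwards. Returns (sid, success)."""
        old_sid, _ = self.resolve(presented_sid)
        record = _USERS.get(username)
        if record is None or not hmac.compare_digest(
                record["password"].encode(), password.encode()):
            return old_sid, False
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "admin": record["admin"]}
        return new_sid, True

    def handle(self, cookies: dict):
        """Process a request given its cookie dict; only 'sid' is read, anything
        else in the jar (such as a client-supplied 'admin' cookie) is ignored."""
        sid, state = self.resolve(cookies.get("sid"))
        return sid, {"user": state["user"], "admin": state["admin"]}


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID: HTTPS-only and not script-readable."""
    return f"sid={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon_sid, _ = store.resolve(None)
    sid, ok = store.login(anon_sid, "alice", "correct horse battery staple")
    print("login ok:", ok, "id rotated:", sid != anon_sid)
    print(set_cookie_header(sid))
    print(store.handle({"sid": sid, "admin": "1"})[1])
```

With this shape, an attacker who can write to the victim's cookie jar can at most log the victim out or hand them an anonymous session; they cannot pre-set a session the victim will later authenticate into, and extra cookies carry no authority because the server never reads them.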

  2. AppSec Says:

    Definitely agree with you on the clobbering of HTTPS Cookies with HTTP Cookies.

    Not sure if there is a solution to this problem, because even tracking the timing of new cookies and then alerting on or preventing new cookies has its own problems. Doing something embedded in the browser doesn’t help since the browser is what is making the request anyway.

    Maybe, changing from a FIFO or LIFO, they change the algorithm by which cookies are removed from the jar. Not sure that would totally help, but maybe it could make it such that it would take a REALLY long time for the cookie clobbering to work (for instance, have the cookie manager know how long a cookie has resided on a system and the number of separate accesses to that site, and have thresholds for removing those cookies)?