So, as we all do, I was watching some old Computerphile videos and came across one by Tom Rodden on cookies. Rodden: How Do You Do The Little Shopping Carts? Pound: And He Talks A Lot About Tracking Cookies, Which Are A Big Deal, Alright. Furthermore, Just as a side note, I think everyone should install Ghostery to prevent people from tracking their whereabouts, what they’re doing, and what they’re browsing on the internet. But I’m not talking about tracking cookies today – or persistent cookies – I’m talking about cookie theft, which is the concept that if I can get a hold of your cookie from your browser in some way, I can then pretend to be you on that website. Perhaps a brief recap of what a cookie is and what it does in order to put it in context. Of course, if you want to learn a lot more about cookies, you should watch Tom’s video. Http And Html Aren’t Reliable I Send A Request To A Website, And It Responds With Html – And perhaps Javascript – and that, in a nutshell, is the end of the transaction. It’s a brand new transaction, so I’m making another request. So there isn’t a standard way for me to persist in that mechanism. Interviewer: So when you say you make a request, do you mean you click a button? Pound: Are you on a link or something? So I go to Google and type Www into the search box. googling com uk, or I click on a link on a website that leads to another website. A different website Alternatively, my browser may need to request an image from a server because I clicked the Plus Icon on something and am attempting to view a high-resolution image. Interviewer:, So, Even If You're On The Same Site, You Click On Different Links, On That Same Site ItPound: It Will Start A New Connection, Or Use The Existing Connection To Send Off Another Http Request, Which Is Essentially Just A String That Says “I Want, This File, Please Send It Back,” And The Server Will Hopefully Send It Back Because This Isn’t Persistent, The Problem Is How Do We Do Things Like Shopping Baskets And “I’m On Stage 5 Of 6 Stages” In Setting Up My Online Banking Or Something How Do We Remember What I’ve Already Typed In? As a result, the first time I visit a website, it may send me a cookie that is possibly unique. To Me, an Identifier So, let’s say a string of numbers, and then I think to myself, “well, I’m going to go back to that website and register,” so I type in my desired username and send it off, along with a request for the next page. I also send this one-of-a-kind string of numbers back to you. The reason for this is that the server will be able to search the database. “Oh Yeah, I Remember Him, He Was The One Who Was Using This Username, And Now I Can Serve Him This Slightly Different, Webpage Where The Username Is Already Typed In,” you might think. “Or something along those lines: “I’ve already remembered what’s in his shopping cart.” That’s Why There’s A Cookie Of course, as Tom correctly points out, they’re also used to keep track of what you’re doing online. So Tracking Cookies Will Be Used By Banner Ads And Other Things To Keep Track Of You Between Websites –, Which Is A Little Concerning. But, once again, I’m not going to talk about it except to draw people’s attention to how terrifying it is. The Problem Is That If I Get A Cookie From You, Which Is Supposed To Be Secure, Then I Can Send It To, Let’s Say, Amazon Or A Shop And Say “i’m Sean Please, You Know, What's In His Shopping Basket” “what's His Address?” “can I Change The Address Of This?” If I Do That Halfway Through Your Transaction, When You’ve Typed In, Your Details, I Can Just Override And Change The Shipping It’s involved, but it’s possible. If I can just get my hands on that cookie, I’ll be happy. Now, those cookies are stored by the browser and are on your computer, making it difficult for me to remove them. Cross-site scripting, on the other hand, is a very simple method of accomplishing this. So that’s exactly what we’re going to do today. We’re stealing a cookie, and we’re going to do it with a cross-site scripting attack. Now, this relates to another video that Tom Scott made about cross-site scripting. But, in essence, what we’re going to do is inject a script into a blog – not a secure blog, mind you – and see what happens. To get a hold of anyone else’s session cookie and send it to me when they visit the site. I could theoretically use this to take over their session. This Is The Best Blog On The Planet,
Without a doubt Okay, it appears to be in good shape and contains useful information. Here’s a picture of a kitten and some sort of banner, and that’s about it. As well as some Lorem Ipsum Then There’s This Blog.
Importantly, there’s a comments feed at the bottom, so if we look at the comments, we’ll see things like “many thanks, Love The Blog.” – That Kind Of Thing It’s all very positive – or nearly so – and the point is that I can add more comments here. As a result, I can say, “thank you!” from Mike once more. And I’ll be able to put this in, and then when I scroll down to the bottom, it’ll be there. And There Was A Time When I did it on my own This Is Exactly The Type Of Situation Where A Cross-Site Scripting Attack Would Be Beneficial. If you haven’t properly coded your website, this is a possibility. So, what should I do when someone types? Some Text In Here Is Making Sure That's What It Is And Isn't In Fact Valid Html Script My Or Javascript Because If It Is, Then What Happens Is That This Browser Received It Back To The Server And, Has No Reason To Believe That It Isn't Just Part Of What The Server Intended I Think Because It's Just A Script TagLike Any Other The Server Will Probably Be Serving Script Tags Anyway, Right, Fordoing Other Things And It Just Serves Another That's Fair Enough I Mean They Do That All The Time So We Run It Ok And Then That's Where The Problem Is So It's The Server's And The Programmer's Responsibility So This Is A Very Similar To An Sqlinjection Except We're Putting Us We're Injectinghtml Instead Of Sql Ok They're Very Similar Kinds Of Attacks Solet's See If It Works The Server Let's Take A Simple Example: Let's See If We Can Get A Pop-up To Appear So, I'm Gonna Openclosing Html Tags And Then We're Gonna Say Alert “xss!” Ok So Theoretically What Will Happen Is This Page Will Serve These Comments To Me When I Go To This Website And They Will Not Think It's A Comment They Will Think It' So, let’s see how it goes. I Need To Put A Name Ok, I Don't Want To Incriminate Myself, So Let's Put In Someone Else, Like Sean For Example I Could Submit So I Reload This Web Page Of Someone Else I Get A Little Pop-up That Sayslocalhost Xss Ok So The Service Telling Me Xss! This Is Where You Stop And Then You Go Off And Tell Them About It But You Can Go Further Than This To be clear, this is my own website, running on my laptop; it is not secure on purpose, and it makes no difference if I hack it because no one will be harmed. Okay, I Wouldn’t Do This On A Public Website, So I Just Loaded Some Files To Show You How The Blog Works Behind The Scenes So You Can Get An Idea Of What’s Going On So This Is Php Right So It’s Going To Be A Mixture Of Php Code And Html Right, Some Of Which Is A Result Of Php And Others Which Are Just Put In So Here You Can See, I Called Something Called Session Start Now What Session Starts Going To Do Is Php Is Going To Look To See If The Cookie They Received Is A Valid Session And If It Is, It's Going To Resume My Session It's Going To Remember Who I Am And Any Parameters That This Website Has Set For Me Will Be Remembered In The Database If There Isno Cookie On File For Me That Means I& Now That Everything Happens Within, This Session Start Thing And Is Not Something I Needto Concern Myself With As A Developer You Can Do It Yourself Now I’ve Got Standard Submit Commentsokay So I Output The Blog Text And, Then I Check If Someone Clicks “submit Comment”button It Will Check The Post Values For Content And Their Name And Then It Will Put Them Into A Database Now I’ve Got Standard Submit Commentsokay So I Output The Blog Text And As a side note, I’m actually eluding these mysql strings there, so I’m not vulnerable to Amysql injection here. So that's good, but I'm not vulnerable to sql injection, but I am vulnerable to cross-site Scripting, so I'm not doing any kind of cross-site Scripting detection here. As an Attacker, I've Created Anotherphp File Called Submit Cookie Dot Php That Is Just A File That Takes, As A Parameter, A String Of A Cookie Stores In A Database On These Two Lines Here And Then Serves Him Back In Image So What I'm Going To Do Is I'm Going To Write A Cross-site, Scripting Attack Which Is Basically A Comment On This Blog That Causes Their Website Or Their Okay, so this is one of the questions that came up when we were talking about these kinds of things. What Is The Difference Between Client And Server Side You Know You're Doing Some CodeThat Will Cause The Server To Come And Find This Code? Imagine I've So Imagine Thereis No Php In There Is No Script Right All There Is Is A Website With Some Images On It Ok You're The I’m the client, and I say yes, I’ll get the index. html? You say, “Here it is,” and I read it and projected it on the screen, only to discover that it contains an image with a source similar to your-website / Image1. So I Say, Okay, I Need This Too, Can I Havejpg This Jpeg And You Send It Back So I Make Multiple Requests To You To Get TheVarious Bits Of Content Just Like That And Just Like With A Banner Ad I Might Come To A Bit In The Html That Tells Me To Go To Another Website Or Something Else And Then And There Is No Reason For Me To Think That Isn’t A Reasonable Request Maybe Your Images Are Stored
So I Go I Was An Image And I NeedThat From Over Here So I Go Over There And I Get It Right The Fact That It Also Bagged My Cookieis Just An Unfortunate Side Effect But It Wasn't Something That Wasn't Intended When They Developed The Web But It'sUnfortunately What Happens Now So That's What's Going To Happen Okmaybe Right So I'm Gonna Start With
I’m going to say Document Dot Write, and that’ll just write nothing to the screen, right? So my comment on my blog will just be a script. Okay, that doesn’t do anything, and it’s not very interesting, so So Image Tag In Html Img Is The Image Tag The Source Of That Is Http Code On / So Let's Do Something A Little More Interesting Our Php File Takes The Cookie And Returns An Image So Let's Just Show It On The Screen Right?
Now This Could Obviously Be A Different Website / Submit Cookie Dot Php Question Mark – Now This Could Obviously Be A Different Website
Takes Getrequests, so I’d recommend submitting a cookie. And when I say Cookie Equals, that’s exactly what I’m going to do: I’m going to steal their cookie and give it to myself all right to do. That’s all I do. Cookie – I Escape This So It Passes Through Html Plus Nicely, And Then I’m Going To Close My Image Tag Because Otherwise It Will Be Malformed Html And Might Not Execute Properly And Then A Single Quote Ok So Let’s Break Down What This Isdoing The Script Here Is Telling The Website That This Is A Script To Execute Properly And Then A Single Quote Ok So Let’s Break Down What This Isdoing The Script Here Is Telling The Website That This Is A Script To Execute Properly If the document is not a standard piece of HTML, it will not be run. The right function is simply a piece of Javascript that says, “Dump this out as text.” However, it can also take parameters rather than just text. Just say yes, and it will produce some valid results.
Html Which Is A Link To An Image But That Image Is Not Held On The Server But Is Theoretically Held Elsewhere Ok Now The Actual Thing That Is Returning An Image Is A Php File Not An Actual Image Ok Which Also Takes The Cookie Parameter, Which Is A Little Worrying Alright So When I First Went To Thisblog I Requested Index Dot Php Server Started Executing This, And Called Thesession Start Function Right Which W Okay, so you have to trick the browser into sending it back, so here’s how it goes: I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A Index, Then I Send A php Request Tohis Blog To Look At It Ok It Sends Him To A Big Websitewith Stuff On It Including Some Comments One Of Which Has A Script In It That Says There's An Image Here Youneed Okay At This Php File Ok So I Go Oh Brilliant, And I Get Mydocument Ok And I Send It Off To That Php File And I Get Back An Imageand I Think Nothing's Wrong But They've Now Got My Cookie >>but The Cookie Went Off To The PlaceWhere The Image Was Supposedly? And Of Course This, Will Return An Image But In Some Casesit Will Return Nothing And There Will Be No Evidence That This Happened At All, Unless You Actually Looked At The Source Code For The File Which Of Course Will Return Nothing And There Will
It's Not Unusual For An Image To Be Served Byscript Over An, Actual Hard Link To An Image Because For Example >>might Be An Advert Or? It Might Be An Advert Dynamically Created It Could Be Different It Could Be A Resolution Specified In There Or You Know, A Goodlots Of Difficulties This is similar to that, except that it is also taking place. A parameter that it shouldn’t be taking, but I have no control over that, and the browser isn’t insecure; it’s just that he has no reason to doubt me. You know, scripts that use Document Dotcookies legitimately exist, and if you block them, websites start to behave strangely. Because they rely on cookies for persistence, it’s a real issue. Let's Click Submit And See What Happens >>so What Have You Done There You've Refreshed, It? Yeah & It Didn't Work, Cause I've Done It Wrong, You Know What I Didn't Type In My Name That'swhy It Didn't Work, So Mike Right I'll Take Credit For Thisone So We Can Sub And we scrolled down and found a Cookie Monster image, so please submit Cookie Dot Php Has Taken My Cookie And Returnedan Image Ok, it's not uncommon for people to have images on comments or forum posts and other things, so people have seen this image aside from the fact that the Cookie Monster might not realize what just happened Ok It's Completely Silent It's Happened Behind The Scenes All that happened was that they quickly handed their cookie to someone else and returned an image. These types of requests for images happen all the time; it’s just that this one has a cookie on it, which is bad news. This Is My Database As An Attacker, And I Select * From Evil Which Is The Name Of Mytable That Is Registering The Cookie You Can See What My Session Cookie Nowphpsessid It's Stuck In Here So That's The Sessioncookie For That Session Of Php Now In This Blog That Doesn't Have Much Of An Effect Right Firstly Because I Already Have This Cookie But Mostly Because There Isn&# It won’t let you get to my basket, credit card details, or login, which is fine, but if you did this on a website that involved shopping, money, or banking, it would be a problem. Getting That Session Cookie Could Trick The Bank Into Thinking You’re Resuming Their Session If It’s Not Properly Coded You Know They Could Get So Much Distance Into Let's Say A Transaction, Then You Could Steal Their Session Go Inand Just Change The Bank Account Details To Yours Right The Bank Has No Idea That People's Session Cookies Are The Only Thing That Really Ties Themto That Transaction That Thing To That Website I Mean You Can Do More And ComplicatedThings Like You Can Pin Ips To Session Cookies For Example Right Butpeople's Ips Change Ok They Might Move From One Wi-fi Area To Another Their Ip Changes Do You Necessarily, Want Them To Have To Re-authenticate Perhaps You Do For Security Right But It Depends On The Way Website Is Developed This Is Sort Of A Prime Example Of Atime Of Check To In My Details Ok, Right Before You Transact, You Can Add Loads Of Stuff To My Basket Without Having To Authenticate Myself It's Remember That From Last Time But As Soon As I Actually Have To Do Anything Properly Like Spending Any Money It's Going To Ask Me For My Credentialsagain It's Going To Ask Me For My Credentialsagain It's Going To Ask Me For My Credentialsagain Same With Online Banking If I Use My Bank If I Log Into My Online Bankingi Use Some Kind Of Chip & Pin Device To Authenticate Myself That Lets Me See My Bank Balances If I Want, To Send Any Money Its Going To Ask Me Again Because They Can't Risk Mewandering Off By Mistake Leaving That Browser Open Or Someone Stole My Cookie We Keep Carving Away At, This And What We'll End Up With Is Something That Looks Almost This is better than others, but the more images we have, the better.