Last week's cookie-vuln won't be the last, security bod says
It's only a local bug until it's not
In the wake of last week's cookie security warning, accomplished Polish penetration tester Dawid Czagan has dug up a separate issue with Apple's Safari.
The bug Czagan has reported to Apple relates to its handling of the HTTPOnly flag, again leaving cookies open to attack.
Internet Explorer too suffers from cookie domain attribute insecurities, he says, and he has reiterated last week's warning that all major browsers need to guard against cookie hijacks.
Speaking to Vulture South over the weekend, Czagan (@dawidczagan) said cookies are still an overlooked attack vector, and that when chained, they can result in more powerful attacks even if two factor authentication is used.
“Cookies are underestimated by clients who often rate cookie related vulnerabilities as low risk [and] claim that local access is needed for exploitation, but this is not true”, Czagan told us.
“I find cookie related vulnerabilities in about 70 percent of websites.
“In some cases I can chain them with various browser or application bugs to launch more powerful attacks.”
He says developers can overlook cookies as a weakest link in the security chain that can neuter two factor authentication if the respective cookies are insecurely processed.
Czagan, director of Silesia Security Lab, is presenting the talk Hacking Cookies in Modern Web Applications and Browsers at the Hack in the Box and conferences next month.
The Polish penetration tester has previously popped the world's biggest web sites and web apps from Google to Yahoo!, and Mozilla.
He will run a training course on cookie insecurities allowing attendees to hack some of the most interesting bugs from the top tech companies in specialised environments.
HTTP Secure Transport Security can help to mitigate some risks by enforcing HTTPS and preventing the leaking of sensitive cookies, but this requires support by browsers and websites.
The issue was highlighted last week, when the Carnegie-Mellon CERT warned bad RFC 6265 implementations allowed attackers to set cookies that look legitimate.
The attack cookies can then be used in subsequent HTTPS communications for man-in-the-middle attacks. ®