HTTP Request Quetion

Networking/Security Forums -> Beginners // Misc. Computer Questions

Author: woodworkerLocation: Between east and west coast PostPosted: Fri Dec 17, 2010 10:23 pm    Post subject: HTTP Request Quetion
    ----
I am currently working to expand my knowledge of security into new areas and I was wondering if someone could answer the following question. What wold be the purpose of adding multiple bogus cookies to an HTTP request submitted to a site? I am assuming there are multiple reasons as to why one would do this but wanted to see what I would get for answers.

Author: Fire AntLocation: London PostPosted: Sat Dec 18, 2010 11:52 am    Post subject:
    ----
Hi woodworker,

This is a very relevant security related question at the moment. So websites which you to login will require you to send your auth cookie with every HTTP request so they can ensure you authenticated.

Since it is possible to sniff the traffic off a network organisations started putting SSL on the login page so that the login name and password couldnt be sniffed however the cookie is a valid authentication credential.

It was shown, several years ago, that it is feasible to sniff the cookie and then use that cookie to login to the website as that person. There are some limitations in that process and they are:
1 - You have sniff the unencrypted traffic which contains the cookie
2 - The cookie is normally only valid for a certain period
3 - You have to format the request properly to login as that user

Recently someone released a FireFox plugin called FireSheep which allows you to sniff the traffic and then any cookies which are seen are loaded into the plug in and you can login to that site as that user. This tool just makes the whole process easy.

Now, to combat that someone wrote a tool called FireShephard which sends a HTTP request with fake cookie details to the website. This I believe caused a problem with FireSheep.

This was a form of obfuscation technique. Flood the network with fake requests and becomes a little bit more difficult to find the real HTTP request and extract the cookie.

However, I recently rewrote FireShephard for Linux and Mac (I have not released the code as this is for personal testing) and FireShepherd no longer offers that functionality due to some fixes in FireSheep.

If you send a HTTP request with a fake cookie websites will respond with an error which makes it easy to spot a real request compared to a fake request. If you send hundreds of fake requests it makes it a little annoying in FireSheep however obvious when the real request occurs. I have tested with FaceBook and this site returns a 302 which instead of a 400. Which is really easy to spot with WireShark.

Some would argue that sending requests with fake HTTP cookies offers nothing in the form of security. I would tend to agree as an attacker with some basic knowledge can navigate around this obfuscation method.

Security not through obscurity.

Fire Ant

Author: Fire AntLocation: London PostPosted: Sat Dec 18, 2010 12:02 pm    Post subject:
    ----
I forgot to add my mitigation information. Since the majority of websites wont provide persistent SSL across the whole browsing experience you can use tools such as NoScript or there is one by the EFF which forces SSL. If the site provides SSL at the login then the tool ensures that when you request another page other than login the SSL one is requested. I use this for sites such as this one, Twitter, FaceBook and various other webmail systems.

This wouldn't be required if companies used SSL for every page however there are a number of debates around this relating to everything from cost to lawful interception.

Fire Ant



Networking/Security Forums -> Beginners // Misc. Computer Questions


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group