Title: Cookie Replay Attacks
Cookie Replay Attacks
Combined OWASP and null meet, Bangalore, 05-September-2009
Ravi Gopal (ravigopalt_at_gmail.com)
On the way
- Cookie snapshot
- Cookie in a security perspective
- Live demonstration of replaying the Gmail cookie
Cookie snapshot
- What is it?
  - A small piece of information stored on the client system
  - Transferred back and forth between the server and the browser
  - Keeps the state of the session active across stateless HTTP requests
Cookie snapshot
- How does it work?
  - The browser requests a page from the server
  - The server sends back a cookie along with the requested page
  - The browser sends the cookie back to the server with every subsequent request
  - Point to be noted: the server identifies the user exclusively by the cookie that is returned, so whoever presents that cookie is treated as that user
Cookie snapshot
- Cookie types
  - Persistent cookie: carries an expiration time, survives closing the browser and is destroyed only when that time passes
  - Transient or session cookie: carries no expiration time and is destroyed when the browser is closed
Cookie in a security perspective
- Cookie related attacks
  - Cookie poisoning
    - Tampering with or changing the cookie
    - Relatively difficult: the attacker has to construct a cookie that the server accepts as a valid one
    - The difficulty depends on the complexity of the cookie generation mechanism
  - Cookie replay
    - Simply reuse a valid cookie as-is
    - Relatively simple: a valid cookie can be obtained by sniffing it off the network when it travels over plain HTTP
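The following Python model, added here and not part of the original slides or of any Gmail implementation, ties together the "How does it work?" slide and the attack slide above. A toy server issues a random session id at login and afterwards identifies the user by nothing but the returned cookie; an attacker extracts the Cookie header from a (constructed, not captured) plain-HTTP request and replays it from their own client. The hostname, usernames and the SID cookie name are assumptions for the demo; the contrast with poisoning, where a forged id of the right shape is rejected, is included because the slide above draws it.

```python
import secrets
from http.cookies import SimpleCookie

# Toy server-side session store: session id -> username.
# Hypothetical model for the demo, not any real mail provider's code.
SESSIONS = {}


def login(username):
    """Server side of a successful login: create a session and return the
    value of the Set-Cookie header sent with the response."""
    sid = secrets.token_hex(16)          # 128-bit random id: hard to guess
    SESSIONS[sid] = username
    c = SimpleCookie()
    c["SID"] = sid
    return c["SID"].OutputString()       # 'SID=<hex>', no Secure/HttpOnly flags


def whoami(cookie_header):
    """Server side of a later request. The user is identified exclusively by
    the cookie that comes back; nothing else about the request is checked."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "SID" not in c:
        return None
    return SESSIONS.get(c["SID"].value)


def extract_cookie(raw_request):
    """Attacker side: pull the Cookie header out of a sniffed HTTP request."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return None


def replay_demo():
    """Victim logs in, the browser returns the cookie over plain HTTP,
    an attacker sniffs it and replays it from another machine."""
    set_cookie = login("alice")
    cookie = set_cookie.split(";")[0]          # browser sends 'SID=<hex>' back
    # Constructed capture of the victim's next request (not real traffic).
    sniffed_request = (
        "GET /mail/ HTTP/1.1\r\n"
        "Host: mail.example.test\r\n"
        f"Cookie: {cookie}\r\n"
        "\r\n"
    )
    stolen = extract_cookie(sniffed_request)
    # Attacker sends the identical header from their own client: accepted as alice.
    return whoami(stolen)


def poison_demo():
    """Cookie poisoning by contrast: a forged id of the right shape is useless
    because it matches no server-side session."""
    forged = "SID=" + secrets.token_hex(16)
    return whoami(forged)


if __name__ == "__main__":
    print("replay ->", replay_demo())   # alice
    print("poison ->", poison_demo())   # None
```

Nothing in `whoami` distinguishes the victim's browser from the attacker's client: no source address, no TLS session, no second factor. That is exactly why a sniffed cookie is as good as a password until it expires or is invalidated server-side.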
Cookie in a security perspective
- Possible preventive measures
  - Use HTTPS while browsing, and mark the cookie Secure so the browser never sends it over plain HTTP: first level of defense in depth
  - Cookie lifetime: be strict in giving an age to the cookie, so a stolen cookie is useful only for a short window
  - Secure cryptography: don't innovate, use existing, proven mechanisms
  - Persistent cookies: avoid them
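As an added example of the preventive measures listed above (not code from the original slides), the block below issues a cookie with the Secure and HttpOnly attributes, no Expires/Max-Age so the browser treats it as a session cookie, and an expiry timestamp bound into the value with HMAC-SHA256 from the standard library rather than a home-grown scheme. The server then rejects both a tampered cookie and one replayed after its lifetime. The SID cookie name, the 15-minute lifetime and the in-process key are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Server-side key (hypothetical; load it from a secret store in a real deployment).
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE = 15 * 60   # strict server-side lifetime: 15 minutes


def issue_cookie(username, now=None):
    """Build the Set-Cookie header value for a freshly logged-in user."""
    now = int(time.time() if now is None else now)
    exp = now + MAX_AGE
    payload = f"{username}:{exp}"
    # Proven primitive (HMAC-SHA256), not a home-grown scheme: the tag binds
    # the username and the expiry so neither can be edited without the key.
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    c = SimpleCookie()
    c["SID"] = f"{payload}:{tag}"
    m = c["SID"]
    m["secure"] = True      # sent over HTTPS only: nothing to sniff on plain HTTP
    m["httponly"] = True    # not readable by page scripts
    m["path"] = "/"
    # Deliberately no Expires/Max-Age: the browser keeps it as a session cookie
    # (gone when the browser closes) while the signed exp field enforces the
    # strict lifetime on the server side.
    return m.OutputString()


def validate_cookie(cookie_header, now=None):
    """Server side of a later request: returns the username, or None."""
    now = int(time.time() if now is None else now)
    c = SimpleCookie()
    c.load(cookie_header)
    if "SID" not in c:
        return None
    parts = c["SID"].value.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, exp, tag = parts[0], int(parts[1]), parts[2]
    expected = hmac.new(SECRET_KEY, f"{username}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                     # tampered / poisoned cookie
    if now >= exp:
        return None                     # replayed outside its lifetime
    return username


def as_cookie_header(set_cookie_value):
    """What a browser sends back: just 'name=value', attributes dropped."""
    return set_cookie_value.split(";")[0]


def demo(now=1_700_000_000):
    """Fresh cookie accepted; stale replay and tampered copy rejected."""
    sc = issue_cookie("alice", now=now)
    hdr = as_cookie_header(sc)
    fresh = validate_cookie(hdr, now=now + 60)                          # alice
    stale = validate_cookie(hdr, now=now + MAX_AGE + 1)                 # None
    forged = validate_cookie(hdr.replace("alice", "bob"), now=now + 60) # None
    return sc, fresh, stale, forged


if __name__ == "__main__":
    set_cookie, fresh, stale, forged = demo()
    print(set_cookie)
    print(fresh, stale, forged)   # alice None None
```

The short lifetime only narrows the replay window; within it a sniffed cookie still works, which is why the Secure attribute and HTTPS come first on the slide: they stop the cookie from being sniffed at all. A server-side revocation list for logged-out sessions closes the remaining gap but is beyond the slide's scope.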
Thank you
For a step-by-step procedure of the Gmail cookie replay attack please visit my blog: www.ravigopalt.blogspot.com
Ravi Gopal T ravigopalt_at_gmail.com