Title:
Half-Baked Cookies: Client Authentication on the Modern Web
Author(s)
Mundada, Yogesh
Feamster, Nick
Krishnamurthy, Balachander
Guha, Saikat
Levin, Dave
Abstract
Modern websites set multiple authentication cookies during the login process to allow users to remain authenticated over the duration of a web session. Web applications use cookie-based authentication to provide different levels of access and authorization; the complexity of websites' code and the various combinations of authentication cookies that grant such access introduce potentially serious vulnerabilities. For example, an on-path attacker can trick a victim's browser into revealing insecure authentication cookies for any site, even if the site itself is always accessed over HTTPS. Analyzing the susceptibility of websites to such attacks first requires a way to identify a website's authentication cookies. We developed an algorithm to determine the set of cookies that serve as authentication cookies for a particular site. Using this algorithm, which we implemented as a Chrome extension, we tested 45 websites and found that an attacker can gain access to a user's sensitive information on sites such as GoDaddy, Yahoo Search, Comcast, LiveJournal, StumbleUpon, and Netflix. In cases where these sites cannot enable site-wide HTTPS, we offer recommendations for using authentication cookies that reduce the likelihood of attack. Based on these recommendations, we develop a tool, Newton, that website administrators can use to audit the security of a site's cookie-based authentication and that users can run to identify vulnerabilities at runtime.
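The following Node.js script is an added illustration of the problem the abstract describes; it is not code from the report, the Chrome extension, or Newton. It models the browser-side rule that makes the attack work (a cookie without the Secure attribute is attached to any http:// request for its domain, so an on-path attacker who injects an http:// reference into some unrelated page gets the cookie in cleartext), identifies which of a site's login cookies are authentication cookies, and reports which of those leak. The Set-Cookie headers, the host name www.example.com, and the isLoggedIn() predicate standing in for the site's server are all constructed here; the leave-one-out minimisation in findAuthCookies() is an assumption for this example, not the report's algorithm.

```javascript
// Added example (not the report's code): model of the cookie-leak problem
// described in the abstract. Headers, host and server predicate are constructed.

// Constructed Set-Cookie headers as a site might send them at login.
const SAMPLE_HEADERS = [
  'sid=4f9a2c; Path=/; HttpOnly',
  'user=alice; Path=/; Domain=.example.com',
  'csrf=77e1; Path=/; Secure',
  'prefs=dark; Path=/',
  'tracking=abc; Path=/; Secure; HttpOnly',
];

// Hardened variant: every login cookie carries Secure, so the http:// request
// the attacker provokes carries none of them.
const HARDENED_HEADERS = SAMPLE_HEADERS.map((h) =>
  /;\s*secure/i.test(h) ? h : `${h}; Secure`);

// Parse one Set-Cookie header value. `host` is the host that set the cookie
// and is used for host-only cookies (those without a Domain attribute).
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: host.toLowerCase(),
    hostOnly: true,
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
      case 'path': c.path = v || '/'; break;
      case 'domain': c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; break;
      default: break; // Expires, Max-Age, SameSite are irrelevant to this model
    }
  }
  return c;
}

// Cookies a browser attaches to a request for `url` (RFC 6265 section 5.4):
// a Secure cookie goes only over https; all others go over http as well.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar.filter((c) => {
    if (c.secure && u.protocol !== 'https:') return false;
    const domainOk = c.hostOnly
      ? host === c.domain
      : host === c.domain || host.endsWith('.' + c.domain);
    return domainOk && u.pathname.startsWith(c.path);
  });
}

// Constructed stand-in for the site's server: a request counts as
// authenticated only when both sid and user carry the values set at login.
function isLoggedIn(cookies) {
  const byName = Object.fromEntries(cookies.map((c) => [c.name, c.value]));
  return byName.sid === '4f9a2c' && byName.user === 'alice';
}

// Leave-one-out minimisation (an assumption here, not the report's
// algorithm): a cookie is an authentication cookie if dropping it from the
// current set logs the session out. Where several cookie combinations each
// suffice, this returns one minimal combination, not all of them.
function findAuthCookies(jar, loggedIn) {
  let needed = jar.slice();
  for (const c of jar) {
    const without = needed.filter((x) => x.name !== c.name);
    if (loggedIn(without)) needed = without;
  }
  return needed.map((c) => c.name);
}

// The on-path attack: the attacker makes the victim's browser fetch some
// http:// URL on the target host; whatever the browser attaches to that
// request crosses the network in cleartext, HttpOnly or not.
function leakedAuthCookies(jar, authNames, httpUrl) {
  return cookiesSentTo(jar, httpUrl)
    .filter((c) => authNames.includes(c.name))
    .map((c) => c.name);
}

// Audit a site's login cookies: which are authentication cookies, and which
// of those an http:// request would expose.
function audit(headers, host) {
  const jar = headers.map((h) => parseSetCookie(h, host));
  const auth = findAuthCookies(jar, isLoggedIn);
  return { auth, leaked: leakedAuthCookies(jar, auth, `http://${host}/`) };
}

console.log('weak    ', audit(SAMPLE_HEADERS, 'www.example.com'));
console.log('hardened', audit(HARDENED_HEADERS, 'www.example.com'));
```

Two caveats a practitioner should keep in mind. HttpOnly does nothing against this attack, because it is the browser itself, not page script, that attaches the cookie to the injected http:// request; only the Secure attribute (or site-wide HTTPS with HSTS, so the browser never issues the plaintext request at all) stops the disclosure. And Secure protects confidentiality only: an on-path attacker can still set or overwrite cookies for the site from an http:// response, so a site that relies on cookie values for integrity needs more than this flag.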
Date Issued
2014
Resource Type
Text
Resource Subtype
Technical Report