Half-Baked Cookies: Client Authentication on the Modern Web
Author(s)
Mundada, Yogesh
Feamster, Nick
Krishnamurthy, Balachander
Guha, Saikat
Levin, Dave
Abstract
Modern websites set multiple authentication cookies during the login process to allow users to remain authenticated over the duration of a web session. Web applications use cookie-based authentication to provide different levels of access and authorization; the complexity of websites' code and the various combinations of authentication cookies that allow such access introduce potentially serious vulnerabilities. For example, an on-path attacker can trick a victim's browser into revealing insecure authentication cookies for any site, even if the site itself is always accessed over HTTPS. Analyzing the susceptibility of websites to such attacks first requires a way to identify a website's authentication cookies. We developed an algorithm to determine the set of cookies that serve as authentication cookies for a particular site. Using this algorithm, which we implemented as a Chrome extension, we tested 45 websites and found that an attacker can gain access to a user's sensitive information on sites such as GoDaddy, Yahoo Search, Comcast, LiveJournal, stumbleupon, and Netflix. In cases where these sites cannot enable site-wide HTTPS, we offer recommendations for using authentication cookies that reduce the likelihood of attack. Based on these recommendations, we develop a tool, Newton, that website administrators can use to audit the security of a site's cookie-based authentication and that users can run to identify vulnerabilities at runtime.
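The abstract describes two pieces that Newton builds on: identifying which of a site's cookies actually serve as authentication cookies, and checking whether any of them would be exposed over plain HTTP. The report's own algorithm is not reproduced here; the following is an added example, not code from the paper or the Newton tool, that shows one defender-side way to do both. It assumes that the auditor can ask the site whether a given cookie subset still counts as logged in (modelled by the constructed `sample_site_is_authenticated` function) and that the Set-Cookie headers have already been captured (the constructed `SAMPLE_SET_COOKIE_HEADERS`). Authentication cookies are found by searching for minimal cookie subsets that keep the session authenticated, which also captures the "combinations of cookies" case the abstract mentions (a site accepting either a session pair or a remember-me token); any authentication cookie without the Secure attribute is reported, since the browser will attach it to HTTP requests for the domain.

```python
from itertools import combinations

# Constructed sample Set-Cookie headers, as a site might send them at login.
# They are not taken from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=9f8e7d6c; Path=/; Secure; HttpOnly",
    "auth_token=abc123; Path=/; HttpOnly",          # authentication cookie, but no Secure
    "remember_me=rm-7788; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/",                       # not an authentication cookie
    "tracker=xyz; Path=/; Secure",                   # not an authentication cookie
]


def sample_site_is_authenticated(cookies):
    """Constructed stand-in for the site's own session check.

    The simulated site accepts either the (sid, auth_token) pair or a
    remember_me token; a real auditor would issue a request with the given
    cookie subset and look for logged-in content in the response.
    """
    return (cookies.get("sid") == "9f8e7d6c" and cookies.get("auth_token") == "abc123") \
        or cookies.get("remember_me") == "rm-7788"


def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "attrs": attrs,
    }


def minimal_sufficient_sets(cookie_values, is_authenticated):
    """Return every minimal subset of cookies that keeps the session authenticated.

    Subsets are enumerated by increasing size, and any superset of a set already
    found is skipped, so each reported set is minimal. Exponential in the number
    of cookies, which is acceptable for the handful a login typically sets.
    """
    names = sorted(cookie_values)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            subset = set(combo)
            if any(known <= subset for known in found):
                continue
            if is_authenticated({n: cookie_values[n] for n in combo}):
                found.append(subset)
    return found


def authentication_cookies(cookie_values, is_authenticated):
    """Union of all minimal sufficient sets: every cookie that takes part in authentication."""
    return set().union(*minimal_sufficient_sets(cookie_values, is_authenticated))


def audit(headers, is_authenticated):
    """Identify authentication cookies and report those the browser would send over HTTP."""
    parsed = {c["name"]: c for c in map(parse_set_cookie, headers)}
    values = {name: c["value"] for name, c in parsed.items()}
    auth = authentication_cookies(values, is_authenticated)
    findings = []
    for name in sorted(auth):
        if not parsed[name]["secure"]:
            findings.append((name, "authentication cookie lacks Secure; sent on plain-HTTP requests"))
        if not parsed[name]["httponly"]:
            findings.append((name, "authentication cookie lacks HttpOnly; readable by page scripts"))
    return {"auth_cookies": auth, "findings": findings}


def insecure_authentication_cookies(headers, is_authenticated):
    """Names of authentication cookies that would be exposed over HTTP."""
    result = audit(headers, is_authenticated)
    return sorted({name for name, issue in result["findings"] if "lacks Secure" in issue})


if __name__ == "__main__":
    report = audit(SAMPLE_SET_COOKIE_HEADERS, sample_site_is_authenticated)
    print("authentication cookies:", sorted(report["auth_cookies"]))
    for name, issue in report["findings"]:
        print(f"  {name}: {issue}")
```

The remediation the abstract points to follows directly from the output: an authentication cookie that lacks Secure should either gain the attribute (possible only if the whole authenticated flow is served over HTTPS) or be replaced so that no single HTTP-exposed cookie is sufficient for access.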
Date
2014
Resource Type
Text
Resource Subtype
Technical Report