Half-Baked Cookies: Hardening Cookie-Based Authentication for the Modern Web

Modern websites use multiple authentication cookies to grant visitors different levels of access to the site. The complexity of modern web applications makes it difficult for a web application programmer to ensure that the use of authentication cookies does not introduce vulnerabilities. Even when a programmer has access to all of the source code, this analysis can be challenging; the problem becomes even more vexing when web programmers cobble together off-the-shelf libraries to implement authentication. We have assembled a checklist for modern web programmers to verify that a cookie-based authentication mechanism is securely implemented. We then developed a tool, Newton, that helps a web application programmer identify the authentication cookies for specific parts of a website and verify that they are securely implemented according to the checklist. We used Newton to analyze 149 sites, including the Alexa top-200 and many other popular sites across a range of categories including search, shopping, and finance. We found that 113 of them---including high-profile sites such as Yahoo, Amazon, and Fidelity---were vulnerable to hijacking attacks. Many websites have already acknowledged and fixed the vulnerabilities that we found using Newton and reported to them.
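The abstract describes checking authentication cookies against a hardening checklist. The following is an added example, not the paper's Newton tool and not the paper's checklist (which is not reproduced on this page): it parses `Set-Cookie` header values and reports which assumed baseline protections (the `Secure`, `HttpOnly` and `SameSite` attributes, and an explicit `Domain` that widens scope to subdomains) a cookie that carries session authority is missing. The sample headers in `main()` are constructed for illustration.

```python
"""Audit Set-Cookie header values against an assumed cookie-hardening checklist.

Added example; it is not the paper's Newton tool and the checklist below is an
assumed baseline, not the paper's own list.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(name=name.strip(), attributes=attrs)


def audit_auth_cookie(header: str) -> CookieAudit:
    """Report deviations from the assumed checklist for a cookie that grants access."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plaintext HTTP.
        audit.findings.append("missing Secure attribute")
    if "httponly" not in attrs:
        # Without HttpOnly page scripts can read the cookie value.
        audit.findings.append("missing HttpOnly attribute")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Without SameSite=Lax/Strict the cookie is attached to cross-site requests.
        audit.findings.append("SameSite not set to Lax or Strict")
    if "domain" in attrs:
        # An explicit Domain attribute makes the cookie available to all subdomains.
        audit.findings.append(f"Domain={attrs['domain']} widens scope to subdomains")
    return audit


def audit_response_cookies(headers: list) -> dict:
    """Audit every Set-Cookie value in a response; map cookie name to its findings."""
    return {a.name: a.findings for a in (audit_auth_cookie(h) for h in headers)}


def main():
    # Constructed sample headers, not captured from any real site.
    sample = [
        "sid=abc123; Path=/",
        "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "auth=tok; Path=/; Secure; HttpOnly; SameSite=Strict; Domain=example.test",
    ]
    for name, findings in audit_response_cookies(sample).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")


if __name__ == "__main__":
    main()
```

Run it against the `Set-Cookie` headers of a login response to see which baseline attributes an authentication cookie lacks; a cookie that fails the checklist is exposed to the hijacking routes the corresponding attribute is meant to close.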
