Vigil@nce - Firefox, IE, Opera: altering HTTPS Cookies
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can set up a Man in the Middle, in order to alter a
cookie, even if it was set in an HTTPS session with the "secure"
attribute.
Severity: 2/4
Creation date: 12/08/2011
IMPACTED PRODUCTS
– Microsoft Internet Explorer
– Mozilla Firefox
– Mozilla SeaMonkey
– Opera
DESCRIPTION OF THE VULNERABILITY
The HTTP protocol defines cookies (RFC 2109):
– the server returns a cookie to the client
– the client sends this cookie for each new connection to the
server
For example:
– the client connects to https://server/page1 and obtains a cookie
– the client connects to https://server/page2 and sends this
cookie
– the client connects to http://server/page3 and sends this cookie
The cookie was obtained in a secured session ("https://" = HTTP over
SSL) for page1, but it is also sent for page3 over "http://", which
means that it travels in clear text on the network. To forbid this
behavior, the "secure" attribute of a cookie indicates that it may
only be sent to the server within an SSL session.
However, the "secure" attribute does not prevent the cookie from being
set or overwritten in a clear-text session. An attacker can therefore:
– wait for the victim to have a cookie ("secure" or not) from
https://server/
– intercept another HTTP session to any web site, and reply with
an HTTP redirect to http://server/
– intercept the query to http://server/, and reply with a new
value for the cookie
The web browser then accepts the change to the cookie it previously
obtained in the SSL session.
An attacker can therefore set up a Man in the Middle, in order to
alter a cookie, even if it was set in an HTTPS session with the
"secure" attribute.
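To make the behaviour concrete, here is an added simulation (not part of the Vigil@nce bulletin) of a minimal browser cookie store: in its default mode it follows the RFC 2109 rules described above, where a clear-text response can overwrite a "secure" cookie; in strict mode it follows the rule later adopted by browsers (RFC 6265bis, "Leave Secure Cookies Alone"), under which a response received over plain HTTP can neither set nor overwrite a cookie carrying the "secure" attribute. The host name "server" and the cookie values are constructed samples.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class CookieJar:
    """Minimal single-host cookie store. 'strict' enables the later browser
    rule: a response over plain HTTP may neither create a Secure cookie nor
    overwrite an existing one (RFC 6265bis). Otherwise RFC 2109 behaviour."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.store = {}  # (host, name) -> Cookie

    def set_cookie(self, response_url: str, header: str) -> bool:
        """Process one Set-Cookie header; True if stored, False if rejected."""
        url = urlparse(response_url)
        host, over_tls = url.hostname, url.scheme == "https"
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        existing = self.store.get((host, name))
        if self.strict and not over_tls and (secure or (existing and existing.secure)):
            return False  # hardened: a clear-text channel cannot touch Secure cookies
        self.store[(host, name)] = Cookie(name, value, secure)  # 2011 behaviour: accepted
        return True

    def cookies_for(self, request_url: str) -> dict:
        """Cookies a request would carry: Secure ones only over HTTPS (RFC 2109)."""
        url = urlparse(request_url)
        host, over_tls = url.hostname, url.scheme == "https"
        return {c.name: c.value for (h, n), c in self.store.items()
                if h == host and (over_tls or not c.secure)}


def simulate(strict: bool):
    """Replay the bulletin's scenario: (overwrite accepted?, sid later sent to page2)."""
    jar = CookieJar(strict)
    # Constructed sample: the victim first obtains a Secure cookie from https://server/page1.
    jar.set_cookie("https://server/page1", "sid=legit-value; Secure")
    # The man in the middle answers the redirected http://server/ request with a new value.
    accepted = jar.set_cookie("http://server/", "sid=attacker-value")
    return accepted, jar.cookies_for("https://server/page2").get("sid")
```

In default mode the overwritten cookie also loses its "secure" flag, so the attacker-chosen value is then sent on every subsequent request, SSL or not; in strict mode the clear-text Set-Cookie is simply dropped.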
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Firefox-IE-Opera-altering-HTTPS-Cookies-10921