HTTP Request Question

woodworker
Posted: Fri Dec 17, 2010 10:23 pm    Post subject: HTTP Request Question

I am currently working to expand my knowledge of security into new areas and I was wondering if someone could answer the following question. What would be the purpose of adding multiple bogus cookies to an HTTP request submitted to a site? I am assuming there are multiple reasons as to why one would do this but wanted to see what I would get for answers.
Fire Ant
Posted: Sat Dec 18, 2010 11:52 am

Hi woodworker,

This is a very relevant security-related question at the moment. So websites which require you to log in will require you to send your auth cookie with every HTTP request so they can ensure you are authenticated.

Since it is possible to sniff the traffic off a network, organisations started putting SSL on the login page so that the login name and password couldn't be sniffed; however, the cookie is a valid authentication credential.

It was shown, several years ago, that it is feasible to sniff the cookie and then use that cookie to login to the website as that person. There are some limitations in that process and they are:
1 - You have to sniff the unencrypted traffic which contains the cookie
2 - The cookie is normally only valid for a certain period
3 - You have to format the request properly to login as that user

Recently someone released a Firefox plugin called FireSheep which allows you to sniff the traffic, and then any cookies which are seen are loaded into the plugin and you can log in to that site as that user. This tool just makes the whole process easy.

Now, to combat that someone wrote a tool called FireShepherd which sends an HTTP request with fake cookie details to the website. This I believe caused a problem with FireSheep.

This was a form of obfuscation technique. Flood the network with fake requests and it becomes a little bit more difficult to find the real HTTP request and extract the cookie.

However, I recently rewrote FireShepherd for Linux and Mac (I have not released the code as this is for personal testing) and FireShepherd no longer offers that functionality due to some fixes in FireSheep.

If you send an HTTP request with a fake cookie, websites will respond with an error, which makes it easy to spot a real request compared to a fake request. If you send hundreds of fake requests it makes it a little annoying in FireSheep, however it is obvious when the real request occurs. I have tested with Facebook and this site returns a 302 instead of a 400, which is really easy to spot with Wireshark.

Some would argue that sending requests with fake HTTP cookies offers nothing in the form of security. I would tend to agree as an attacker with some basic knowledge can navigate around this obfuscation method.

Security not through obscurity.

Fire Ant
Fire Ant
Posted: Sat Dec 18, 2010 12:02 pm

I forgot to add my mitigation information. Since the majority of websites won't provide persistent SSL across the whole browsing experience, you can use tools such as NoScript, or there is one by the EFF which forces SSL. If the site provides SSL at the login then the tool ensures that when you request another page other than login the SSL one is requested. I use this for sites such as this one, Twitter, Facebook and various other webmail systems.

This wouldn't be required if companies used SSL for every page; however, there are a number of debates around this relating to everything from cost to lawful interception.

Fire Ant
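
The server-side counterpart of the mitigation discussed above, as an added example that is not part of the original thread: a small audit that flags session cookies which a site would expose over plain HTTP after an SSL-only login. The `Secure` cookie attribute and the `Strict-Transport-Security` header are standard mechanisms not named in the posts; the function names, URLs and header values are constructed for illustration.

```python
# Added example: audit response headers for cookies that can leak over plain HTTP.
# All header values and URLs below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return a list of findings for a response given as (header, value) pairs."""
    findings = []
    https = url.lower().startswith("https://")
    has_hsts = False
    for header, value in headers:
        header = header.lower()
        if header == "strict-transport-security":
            has_hsts = https  # browsers ignore this header on plain HTTP
        elif header == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if not https:
                findings.append(f"{name}: set over plain HTTP, readable on the network")
            elif "secure" not in attrs:
                findings.append(f"{name}: no Secure attribute, sent on later http:// requests")
    if https and not has_hsts:
        findings.append("no Strict-Transport-Security header, http:// requests still possible")
    return findings

# Constructed case 1: SSL on the login page only, cookie usable over HTTP afterwards.
LOGIN_ONLY_SSL = [("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; HttpOnly")]
# Constructed case 2: SSL everywhere, cookie restricted to HTTPS.
FULL_SSL = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only SSL", LOGIN_ONLY_SSL), ("full SSL", FULL_SSL)):
        print(label, audit_response("https://example.test/login", hdrs))
```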