Browser cookie handling could widen web attack space


Attacker could gain free rein over a company's principal production domain.

A web security researcher has revealed a major new threat to most websites, arising from a mismatch between the way the domain name system (DNS) separates hosts and the way browsers scope cookies.

Mike Bailey, a senior web security researcher at Foreground Security, released a paper this week demonstrating something most corporations didn't think could happen: a vulnerability on one of their website subdomains can be used to attack their main production domain, which often contains the data that criminals seek to steal.

Bailey claimed that most webmasters operate under a false assumption: because DNS is hierarchically structured and segmented, an exploit on a subdomain cannot impact the principal domain. The way browsers handle cookies makes exactly that possible, because a page on a subdomain is allowed to set a cookie scoped to the parent domain, and the browser will then send that cookie to the main site and to every other subdomain as well.

All an attacker would need to do is locate a vulnerability on a subdomain, such as a cross-site scripting or cross-site request forgery flaw, which is quite possible given that most of those pages lack security, Bailey said.

"If I can find a vulnerability on any subdomain, I can leverage that vulnerability against the entire domain name space," he said. "It allows you to affect the way the browser treats [a user's] logged-in session. If I was Amazon, for example, I could put items in your shopping cart, change your password, change your session...because that's all stored in the cookie."
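The mechanism described above, and the session interference Bailey refers to, can be seen in a small model of a browser cookie jar. This is an added example, not code from the article or from Foreground Security; the hostnames (www.example.com, blog.example.com, api.example.com) and cookie values are constructed for illustration. It implements the domain-matching, path-matching and ordering rules from RFC 6265 that matter here and then plays out the scenario: the main site sets a host-only session cookie, and script running on a compromised subdomain sets a same-named cookie scoped to the parent domain with a longer path, which the browser then lists first in requests to the main site.

```javascript
// Minimal model of a browser cookie jar: RFC 6265 domain-match, path-match
// and the "longer path first" ordering rule. Constructed for illustration.

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: equal, or prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Parse a Set-Cookie string; only Domain and Path matter for this model,
// other attributes (Secure, HttpOnly, ...) are accepted and ignored.
function parseSetCookie(header) {
  const parts = header.split(";").map(s => s.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), domain: null, path: null };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = v.join("=").trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie as the browser would when a response from, or script on,
  // originHost sets it. Returns false if the browser would reject it.
  set(originHost, header) {
    const c = parseSetCookie(header);
    if (c.domain) {
      // RFC 6265 section 5.3 step 6: the setting host must domain-match the
      // Domain attribute. A subdomain therefore may scope a cookie to its
      // parent domain; this is the behaviour the article describes.
      if (!domainMatches(originHost, c.domain)) return false;
      c.hostOnly = false;
    } else {
      c.domain = originHost;   // no Domain attribute: host-only cookie
      c.hostOnly = true;
    }
    if (!c.path) c.path = "/";
    // A cookie with the same (name, domain, path) replaces the old one; a
    // different domain or path coexists with it instead.
    this.cookies = this.cookies.filter(o =>
      !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Build the Cookie request header the browser would send to host/path.
  cookieHeader(requestHost, requestPath) {
    const matching = this.cookies.filter(c =>
      (c.hostOnly ? c.domain === requestHost : domainMatches(requestHost, c.domain)) &&
      pathMatches(requestPath, c.path));
    // RFC 6265 section 5.4: longer paths first. A server that takes the first
    // "session" it sees gets the attacker's value, not the user's.
    matching.sort((a, b) => b.path.length - a.path.length);
    return matching.map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Scenario from the article: legitimate login on the main site, then an
// attacker running script on a subdomain via XSS. Hosts and values are made up.
function demo() {
  const jar = new CookieJar();
  jar.set("www.example.com", "session=legit-user-token; Path=/; Secure; HttpOnly");
  // The subdomain cannot replace the host-only cookie of www.example.com, but
  // it can add a parent-domain cookie with the same name and a deeper path.
  jar.set("blog.example.com", "session=attacker-token; Domain=example.com; Path=/account");
  return {
    home: jar.cookieHeader("www.example.com", "/"),               // only the real cookie
    account: jar.cookieHeader("www.example.com", "/account/settings"), // attacker's first
    other: jar.cookieHeader("api.example.com", "/account"),       // only the attacker's
    rejected: !jar.set("blog.example.com", "x=1; Domain=evil.com"), // unrelated domain: refused
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things in the output are the practical point: the injected cookie is delivered only on the paths the attacker chose, so it can target a password-change or checkout endpoint while leaving the rest of the site looking normal, and it reaches every other subdomain too. The article is right that the 2009-era cookie model offered no server-side way to refuse such a cookie; the browser-side change it calls for later arrived as the `__Host-` cookie name prefix (a fact not taken from the article), which makes browsers reject a cookie of that name unless it is Secure, has no Domain attribute and has Path=/, so a subdomain can no longer set it.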

In a paper he published this week, Bailey offered proof-of-concept examples for Google, Expedia and Chase Manhattan Bank. What makes this attack particularly troubling is that in many cases, the companies set up these subdomains for third parties over which they have no security control.

"It's an arcane, difficult exploit to explain," said Mike Murray, CISO at Foreground. "But what it comes down to is that every subdomain has as much power to exploit your users as your main domain does. That's a game-changer in a lot of ways for large organisations."

As a result, the two researchers suggest that corporations apply the same level of security to their subdomains as they do their parent domains.

"It's not just 'check the vulnerabilities on the important stuff,'" Murray said. "It's 'check the vulnerabilities on everything that is public facing'. It lowers the ante for the attacker. In the old days, we'd think that if the main site was secure, everything was fine. Now the attacker can go through the side doors."

For a permanent fix, the major browser providers must fundamentally change the way cookies operate, Bailey said.

He added that he is not aware of any in-the-wild exploits that have taken advantage of the problem, but said organisations shouldn't wait to react.

"I do know the attackers know about this issue because I've talked to some of them," he said.

Copyright © SC Magazine, US edition