So I've been watching back over some old Computerphile videos as we all do and I was watching a video by Tom Rodden on cookies Rodden: How then do you do the little shopping carts? Pound: And he talks a lot about tracking cookies, which are a big deal, alright. And just a side note, I would say everyone should install Ghostery and stop people tracking their whereabouts and what they're up to and what they're browsing online. But I'm not talking about tracking cookies today – or persistent cookies – I'm talking about cookie stealing which is the idea of if I can get ahold of your cookie from your browser, in some way, I can then pretend to be you on that website. Perhaps a bit of a recap on what it is that a cookie does so that this puts it into context. Now of course if you want to know a lot more about cookies, you go back and look at Tom's video. HTTP and HTML are not persistent. I make a request to a website, it serves me HTML – and maybe Javascript – and that's the end of the transaction, as far as it's concerned. I make another request, it's a brand new transaction. So there's no standard way in that mechanism of me persisting. Interviewer: So when you say you make a request, that means, for example, you click on a link or something? Pound: Yeah. So I go into Google and I type www.google.co.uk, or I click on a link in a webpage that takes me to another website. Or, indeed, my browser needs to request an image from a server because I've clicked the plus icon on something and I'm trying to look at an image hi-res. Interviewer: So even if you're on the same site, you click on different links on that same site it […] Pound: It will start a new connection, or use the existing connection to send off another HTTP request which is basically just a string that says "I want this file, please send it back" and the server will hopefully send it back. Because this isn't persistent, the obvious problem is how do we do things like shopping baskets and "I'm on stage 5 of 6 stages" in setting up my online banking or something how do we remember what I've already typed in? The way we do this is using cookies. So, the first ever time I visit a website, it might send me back a cookie that's maybe a unique identifier to me. So just let's say a string of numbers, alright? And then I think, "well, I'm going to go back to that website and register" so I type in my username that I want and I send off the username and the request for the next page. And I also send back this unique string of numbers. And the reason is because then the server can look in the database and go "oh yeah, I remember him, he was the one that was using this username, and I can now serve him this slightly different webpage where the username is already typed in." or "I have already remembered what's in his shopping basket" or something like this. That's what a cookie is for. Now, of course now as Tom rightly points out, they're also used for tracking what you're up to online. So banner ads and things will use tracking cookies to keep track of you between websites – which is kind of worrying. But, again, not going to talk about that anymore than to draw people's attention to how scary it is. The problem is that if I obtain a cookie off you, which is supposed to be secure, then I can send that to, let's say, Amazon or to a shop and say "I'm Sean please, you know, what's in his shopping basket" "What's his address?", "What's his credit card details?" "Can I change the address of this?" If I do that halfway through your transaction, when you've typed in your details, I can just override and change the shipping address and get stuff sent to my house instead. It's involved, but it could happen. If i can get ahold of that cookie. Now those cookies are stored by the browser, and they're on your computer so that's quite difficult for me to do. But cross-site scripting is a very easy way of doing it. So that's what we're going to do today. We're gonna steal a cookie, and we're gonna do it using a cross-site scripting attack. Now this ties back into a different video that Tom Scott did on cross-site scripting. But what we're basically going to do is we're going to inject a script into a blog – not a secure blog, I should say – and that is going to, when anyone else visits the site obtain their session cookie and send it to me. And that I could theoretically use to take over their session. This is the world's best blog, of course. Alright, it looks good and it's got good content on it. Here's a picture of a kitten and some kind of banner and that's pretty much it. And some Lorem Ipsum. And then this blog has crucially got a comments feed at the bottom So if we look at the comments: "Many thanks, love the blog" – That sort of stuff. It's all very positive – well nearly – and the point is I can type extra comments in here. So I can say: "Thanks!" from Mike again. And I can post this in, and then when I scroll to the bottom there it is. And the time that I did it on. This is just the kind of time where a cross-site scripting attack is possible if you haven't coded your website properly. ok so what I need to be doing when
someone types some some text in here is making sure that's what it is and isn't
in fact valid HTML script my or JavaScript because if it is then what
happens is this browser received it back to the server and has no reason to think
that isn't just part of what the server intended I think because it's just a script tag
like any other the server will probably be serving script tags anyway, right, for
doing other things and it just serves another one that's fair enough i mean
they do that all the time so we run it ok and then that's where is a problem so
it's a responsibility of the server and the person programming the server to
make sure that when I submit data it doesn't it isn't actual script, or things that
can run ok so this is a very similar to an SQL
injection except we're putting us we are injecting
HTML instead of SQL ok they're very similar kinds of attacks so
let's see if it works the most obvious example be a really
simple one let's see if we can get a pop-up to appear so I'm gonna opening
closing HTML tags and then we're going to say alert "XSS !" ok so theoretically what will happen is
this page will serve these comments to me when I go to this website and they
will see this script and not think it's a comment they will think it's part of
the actual webpage to be run and executed and then off there we go... so let's see if it works. I need to put
a name ok so i don't want to incriminate myself so let's put in someone else so
like Sean for example i could submit so I reload
this web page of someone else I get a little pop-up that says
localhost XSS ok so the service telling me XSS! this is where you
stop and then you go off and tell them about it but you can go further than
this. To be absolutely clear, this is my own website running on my laptop - it's not secure
on purpose and it doesn't matter if I hack it because no one no harm is coming up this ok I wouldn't ever do this on a public
website so i just loaded some files to show you how the blog works behind the
scenes so you get an idea of what's going on so this is PHP right so it's going to be
a mixture of PHP code and HTML right, some which is a result of PHP some
which is just put in so here you can see that i called
something called session start now what session starts going to do is PHP is
going to look to see if the cookie they received is a valid session and if it is
it's going to resume my session its going to remember who i am and any parameters
that this website has set for me will be remembered in the database if there is
no cookie on file for me that means i'm coming at it for the first time for my
session expired and it will make one and send it back to me in the first response
right now that all happens within this session start thing and is not something i need
to concern myself with as a developer you can do it yourself now I've got standard submit comments
okay so I output the blog text and then I check if someone clicks "Submit comment"
button it will check the post values for content and their name and then it will
put them into a database now as a side note I am actually escaping these
mySQL strings there we are so I'm not vulnerable here to a
mySQL injection because of these bits so that's good but I'm not vulnerable to
SQL injection unfortunately I am vulnerable to cross site scripting so I'm not doing
any kind of cross-site scripting detection here okay I'm just gonna serve back whatever
the person typed in now as an attacker what I've done is I've created another
PHP file called submit cookie dot PHP that is it just a file that takes as a
parameter, a string of a cookie stores in a database on these two lines here and
then serves him back in image so what I'm going to do is I'm going to
write a cross-site scripting attack which is basically a comment on this blog that
causes their website or their client to visit this submit cookie dot PHP and
give them the cookie ok so because this is this is one
question that I remember rising when we talked about these sorts of things before is
the difference between client and server side you know you're doing some code
that will cause the server to come and find this code? imagine that I've so imagine that there
is no PHP in there is no script right All there is is a website with some images on
it ok you're the server and I'm the client I
say can I get index.html? you say yeah here it is ok I read it and show on the screen and
then I realized that actually it's got an image in it that has a source that's
like your-website / image1.jpg right so I say okay I need this too can i have
jpg this JPEG and you send it back so i make multiple requests to you to get the
various bits of content just like that and just like with a banner ad I might come to a bit in the HTML that tells me to go to some other website or something else and then and there is no
reason for me to think that is not a reasonable request maybe your images are stored on a
different server so i'm going to go there ok so i go i was an image and I need
that from over here so I go over there and I get it right the fact that it also bagged my cookie
is just an unfortunate side effect but it's not something that was necessary
and it wasn't something was intended when they developed the web but it's
unfortunately what happens now so that's what's going to happen ok
maybe right so I'm gonna start with script so we already know this blog is
vulnerable to cross-site scripting so we don't need to worry specifically about it i don't
have to obfuscate it or do anything clever i'm going to say document dot write ok now that's just going to write
nothing to the screen right so my comment on my blog is just going to be a script that does nothing okay that's
not very interesting so let's do something a bit more interesting our PHP file takes the cookie and gives an image back so let's just show it on the screen right? So image tag in HTML IMG is
the image tag the source of that is HTTP code on / localhost now this could
obviously be a different website / submit cookie dot PHP Question Mark - now this takes get
requests so I say submit a cookie . PHP ? and when I say cookie equals and then
that's what I'm gonna steal their cookie and give it to myself all right to do that all I do is I say
plus document . cookie - I escape this so it passes nicely over HTML plus and then i'm
going to close my image tag because otherwise it's going to malformed HTML and it might execute properly and then a single quote ok so let's break down what this is
doing the script here is telling the website that this is a script to be run and not a standard piece of HTML then the document.right function is just a
piece of JavaScript that says dump this out as text hey but it can also take parameters
rather than just text yeah and it's going to output some valid HTML which is
a link to an image but that image is not held on the server held theoretically
elsewhere ok now the actual thing that is
returning an image is a PHP file not an actual image ok which also takes the parameter of the cookie which is a bit worrying alright so when I first went to this
blog i requested index dot PHP server started executing this and called the
session start function right which went oh he needs a session cookie and sent me
one okay in the response so I've then bagged
that session cookie and put it in my browser then when i visit that blog
again I've returned that session cookie to the
server to say it's me again yeah and so if i had if I had some some
persistence on this blog like I was in the middle of writing a document it was half
written it would remember who I was now so this cookie is stored by my browser
and theoretically the attacker can't get to it because on my browser and not theirs alright so what you have to do is trick
the browser into sending it back so the order that things happen are I then send a index.php request to
his blog to look at it ok it sends him back at a big website
with stuff on it including some comments one of which has a script in it it that says there's an image here you
need okay at this PHP file ok so I go oh brilliant, and I get my
document.cookie and I send it off to that PHP file and I get back an image
and I think nothing's gone wrong but they've now got my cookie >>But the cookie went off to the place
where the image was supposedly? and of course this will return an image but in some cases
it would return nothing and there will be no evidence that this happened at all, apart from if you actually looked at the source code for the file which of course
you know someone's going to do but no one no one normally is going to do so if
this got onto a forum or something lots of people could look at this before
they realize what was going on now it's not unusual for an image to be served by
script over by an actual hard link to an image because for example >>might be an advert or? It might be an advert dynamically created it could be
different it could be a resolution specified in there or you know a good
lots of different reasons why you do that ok so a lot of the time it's going to be
dynamically generated in some way so this is no different to that, except that this is also taking a parameter that it shouldn't be taking ok but I've got no
control over that and the the browser it's not that insecure it's just that
he's got no reason to doubt me you know scripts using document dot
cookies legitimately you know exist and if you block them then websites start
to fall down because they use cookies for persistence so it's a you know a real problem. Let's click Submit and see what happens >>so what have you done there you've refreshed it? Yeah & it didn't work, cause I've done it wrong You know what I didn't type in my name that's
why it didn't work so Mike right I'll take credit for this
one so we can submit that and then we run it ok and we scroll down and we got a Cookie Monster picture so kindly submit cookie dot PHP has taken my cookie and returned
an image ok now it's not unusual for people to
have images on comments or on forum posts and things so people have seen
this image apart from the fact that it's the cookie monster might not realize what
just happened ok it's completely silent it's happened
behind the scenes. All that's happened is they just quickly whipped their cookie off to someone
else and returned an image ok these kind of request for images happen
all the time it's just this one's got a cookie on it and that's bad news. As an attacker, this is my database and I select * from evil which is the name of my
table that's registering the cookie you can see what my session cookie now
phpsessid it's stuck in here so that's the session
cookie for that session of PHP now in this blog that doesn't have much effect
right firstly because i already have this cookie but mostly because there
isn't anything on this blog that having a cookie will help with right. It won't let
you get to my basket or get to my credit card details or login ok but if you did this on a website
where there was shopping involved or money involved or banking website and if
not properly coded it getting that session cookie could trick the bank into
thinking that you're resuming their session you know they could get so much
distance into let's say a transaction then you could steal their session go in
and just change the bank account details to yours right the bank doesn't really have any idea of
knowing that people's session cookies are the only thing that really tie them
to that that thing to that website I mean you can do more and complicated
things like you can you can pin IPs to session cookies for example right but
people's IPs change ok they might move from one Wi-Fi area
to another their IP changes do you necessarily want them to have to re-authenticate perhaps you do for security right but it
depends on the way website is developed this is sort of a prime example of a
time of check to time of use issue ok which is a security term which is
basically the idea of something changing between when someone authenticates and
when they do something and causing a security problem so i type in the
username password on Amazon right then ten minutes later I've wandered off
someone else turns up and spends all my money shipping stuff to their address ok now
that would be a problem so what Amazon does is, they force me to reauthenticate just before I actually type in my details ok right before you transact you can add loads of stuff to my basket without having to authenticate myself it's remember that from last time but as
soon as I actually have to do anything proper like spending any money it's going to ask me for my credentials
again same with online banking if i use my bank if I log into my online banking
i use some kind of chip & pin device to authenticate myself that lets me the
first time it lets me see my bank balances if i
want to send any money its going to ask me again because they can't risk me
wandering off by mistake leaving that browser open or someone having stole my cookie We keep carving away at this and what we'll end up with is something that looks nearly like a cube so we probably may be a bit of extra there
and a bit of extra there and there but we'll get it we're getting there ok now some objects obviously a more
amenable to this than others but the more images we get the better it is
