(In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Kwon, Hyunsoo | - |
dc.contributor.author | Nam, Hyunjae | - |
dc.contributor.author | Lee, Sangtae | - |
dc.contributor.author | Hahn, Changhee | - |
dc.contributor.author | Hur, Junbeom | - |
dc.date.accessioned | 2021-08-31T15:57:19Z | - |
dc.date.available | 2021-08-31T15:57:19Z | - |
dc.date.created | 2021-06-19 | - |
dc.date.issued | 2020 | - |
dc.identifier.issn | 1556-6013 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/58924 | - |
dc.description.abstract | HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called rot ten cookie which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC | - |
dc.title | (In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Hahn, Changhee | - |
dc.contributor.affiliatedAuthor | Hur, Junbeom | - |
dc.identifier.doi | 10.1109/TIFS.2019.2938416 | - |
dc.identifier.scopusid | 2-s2.0-85071657168 | - |
dc.identifier.wosid | 000564172300001 | - |
dc.identifier.bibliographicCitation | IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, v.15, pp.1204 - 1215 | - |
dc.relation.isPartOf | IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY | - |
dc.citation.title | IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY | - |
dc.citation.volume | 15 | - |
dc.citation.startPage | 1204 | - |
dc.citation.endPage | 1215 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Computer Science | - |
dc.relation.journalResearchArea | Engineering | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Theory & Methods | - |
dc.relation.journalWebOfScienceCategory | Engineering, Electrical & Electronic | - |
dc.subject.keywordAuthor | Cookie theft attack | - |
dc.subject.keywordAuthor | SSL/TLS | - |
dc.subject.keywordAuthor | hypertext transfer protocol | - |
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
145 Anam-ro, Seongbuk-gu, Seoul, 02841, Korea+82-2-3290-2963
COPYRIGHT © 2021 Korea University. All Rights Reserved.
Certain data included herein are derived from the © Web of Science of Clarivate Analytics. All rights reserved.
You may not copy or re-distribute this material in whole or in part without the prior written consent of Clarivate Analytics.