Have you ever wondered how some Web sites personalize their visitors? This can take the form, for example, of remembering the contents of a “cart” (if the site sells goods) or of pre-filling the fields of a form. The HTTP protocol underlying the World Wide Web has no means of tracking events from one visit to a site to the next, so a special add-on was developed to store such “state”. This mechanism, described in RFC 2109, inserts special fragments, cookie data, into transmitted HTTP requests and responses, allowing Web sites to track their visitors.

Cookie data may be stored only for the duration of the communication session (per-session cookies), remaining in RAM during that session and being deleted when the browser is closed, or after a specified period of time has elapsed. In other cases they are permanent (persistent cookies), remaining on the user's hard drive as a text file. They are usually stored in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not difficult to guess that after capturing cookies on the Internet, an attacker can impersonate the user of that computer, or collect the sensitive information contained in these files. After reading the following sections, you will understand how easy this is to do.

Cookie interception

The most direct method is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. Any packet capture utility will do the job, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together. The CaptureNet program captures the packets themselves and stores them on disk, and the PeepNet utility opens the file and converts it into a human-readable format. The following example is a fragment of a communication session reconstructed by PeepNet, during which the cookie serves to authenticate and control access to the pages viewed (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

The example above shows a cookie fragment placed in an HTTP request sent to the server. The most important part is the cuid= field, which holds a unique identifier used to authenticate the user on www.victim.net. Suppose the attacker then visits victim.net and receives his own identifier and cookie (assuming the site does not keep the cookie data only in memory but writes it to the hard disk). The attacker can then open his own cookie file and replace the cuid= value with the one from the captured packet. When he next logs into the victim.net server, he will be treated as the user whose cookie data was intercepted.

PeepNet's ability to replay an entire communication session, or a fragment of it, greatly simplifies attacks of this type. Using the Go get it! button, you can re-fetch the pages a user viewed, using their cookie data previously captured by CaptureNet. In the PeepNet dialog box you can then see information about someone's completed orders; the cookie data intercepted by CaptureNet was used for authentication. Note the frame in the lower right corner of the session data dialog box and the line following the Cookie: line. This is the cookie data used for authentication.

It's a pretty neat trick. In addition, the CaptureNet utility can provide a complete decoded record of traffic, which is almost equivalent to the capabilities of professional-grade utilities such as Network Associates, Inc.'s Sniffer Pro. SpyNet, however, has one further advantage: you can get it for free!

Countermeasures

You should be wary of sites that use cookies for authentication and for storing sensitive identifying information. One tool that can help is Kookaburra Software's Cookie Pal, which can be found at http://www.kburra.com/cpal.html. This software can be configured to warn the user whenever a Web site attempts to use the cookie mechanism. You can then "look behind the scenes" and decide whether these actions should be allowed. Internet Explorer has a built-in cookie control mechanism. To enable it, launch the Internet Options applet in Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and set the switches for both persistent and per-session cookies to Prompt. In the Netscape browser, cookie handling is configured via Edit › Preferences › Advanced by selecting Warn me before accepting a cookie or Disable cookies (Fig. 16.3). When you accept a cookie, check whether it is written to disk and watch for whether the Web site is collecting information about its users.

When visiting a site that uses cookies for authentication, make sure that the username and password you initially provide are at least protected by SSL encryption. Then this information will at least not appear in the PeepNet window as plain text.
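The risk described in the preceding sections, as an added example that is not part of the original text: a small Python auditor that parses requests in the form PeepNet reconstructs them (the capture below is constructed, modelled on the listing above) and reports every cookie that travelled over plain HTTP rather than SSL, since those are exactly the values a sniffer can read and replay.

```python
# Added example (not from the original text): audit a text capture of HTTP
# requests for cookies sent in the clear. Requests are separated by a blank line.
import re
from typing import Dict, List

# Constructed sample capture: a plaintext request carrying an authentication
# cookie, then the same cookie over SSL (which the checker should ignore).
SAMPLE_CAPTURE = """GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

GET https://www.victim.net/account HTTP/1.0
Host: www.victim.net
Cookie: cuid=TORPM!ZXTFRLRlpWTVFISEblahblah
"""

def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed pairs are skipped."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies

def plaintext_cookies(capture: str) -> List[Dict[str, str]]:
    """Return one record per cookie sent over http:// rather than https://."""
    findings = []
    for raw in re.split(r"\n\s*\n", capture.strip()):  # blank line = new request
        lines = raw.splitlines()
        request_line = lines[0].split()
        if len(request_line) < 2:
            continue
        # A proxy-style absolute URL tells us the scheme; a bare path is
        # treated as plaintext because the capture itself was readable.
        if request_line[1].lower().startswith("https://"):
            continue
        headers = {}
        for line in lines[1:]:
            name, sep, val = line.partition(":")
            if sep:
                headers[name.strip().lower()] = val.strip()
        host = headers.get("host", "?")
        for name, val in parse_cookie_header(headers.get("cookie", "")).items():
            findings.append({"host": host, "cookie": name, "value": val})
    return findings
```

Run against a real PeepNet-style export, any finding whose cookie name looks like a session or user identifier is a credential that was exposed on the wire.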

The authors would prefer to avoid cookies entirely, if only so many frequently visited Web sites did not require them. For example, Microsoft's hugely popular Hotmail service requires cookies to sign in. Since this service uses several different servers during the authentication process, adding them to the Trusted Sites zone is not so easy (the process is described in the section "Using Security Zones Wisely: A General Solution to ActiveX Control Problems"); the *.hotmail.com notation helps in this case. Cookies are not a perfect solution to the statelessness of HTTP, but the alternative approaches seem even worse (for example, appending an identifier to the URL, which may then be cached on proxy servers). Until a better idea comes along, the only option is to control cookies using the methods listed above.

Capturing cookies via URL

Let's imagine something nasty: Internet Explorer users click on specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a teen-run organization advocating freedom of communication on the Internet, published a script that brings this idea to life. The script retrieves cookies from the client computer when the user clicks a link on the page, making the cookie contents available to the Web site's operators.

This feature can be put to nefarious use by embedding IFRAME tags in the HTML code of a Web page, an HTML-formatted email message, or a newsgroup posting. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags with the utility developed by Peacefire.