Browsers face triple threat

Polish security researcher Michael Zalewski has highlighted three bugs in the handling of cookies that he says could be used to carry out attacks on commercial websites.

The bugs, for which Zalewski has coined the term "cross site cooking", are fundamental to the design and implementation of cookies - and one was first disclosed eight years ago, but still hasn't been fixed in the major browsers.

"These shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers," he said in a post to the BugTraq security mailing list.

He said "cooking" attacks could be used against commercial sites to overwrite stored preferences, session identifiers, authentication data and shopping cart contents, possibly allowing fraudulent activity. On some sites, attackers may be able to acquire false credentials, Zalewski said. "Numerous web scripts are an easy target of specific variants of the attacks described below," he said.

Cookies are used to provide more interactivity to users, allowing the site to "remember" preferences, shopping cart contents and other information.

The first problem involves the way browsers handle the domain specified in a cookie. Browsers should theoretically reject cookies where the domain is specified too broadly, but the mechanism doesn't work in Mozilla-based browsers, though Internet Explorer doesn't seem to be affected, Zalewski said.

The bug leaves some sites with international domain names open to certain types of attacks, Zalewski said. "One can set a cookie for *.com.pl or *.com.fr, and override or corrupt credentials or other parameters on hundreds of thousands e-commerce websites in that country," he said. "It will be also possible to plant attacker's session ID on visitor's computer, and effectively, steal his credentials when he decides to sign in on the target site."

The only solution to this problem would be to make alterations in the HTTP cookie format, Zalewski said. As a workaround, browsers could implement a list of potentially affected top-level domains.

A variant on this bug is that browsers - including Firefox and Internet Explorer - don't check to see if anything is between the periods in a domain name specified by a cookie. "One can set a cookie for ".com.", then bounce the visitor to http://www.victim.com./," Zalewski said.

He said this second issue was first highlighted eight years ago by researcher Benjamin Franz. "Vendors were notified in 1998, and certainly are not in a hurry to fix this," he said.

However, the solution to this problem lies with browser vendors, Zalewski argued - they should strip the "idle" periods out of cookie domain data.

Finally, Zalewski outlined a trick that he said could be easily used to force random visitors to a site to accept and relay malicious cookies to third-party sites. "Using this trick, a brand new identity may be temporarily bestowed upon the user, and used to perform certain undesirable or malicious tasks on the target site," he said.

Zalewski argued sites can lower the risk of this third type of attack by taking more care in the way they handle requests, specifically, requiring and carefully validating HTTP/1.1 "Host" headers. "This ensures that the browser's idea of who he's talking to matches the site's canonical name," he said.