SEI Insights

CERT/CC Blog

Vulnerability Insights

Who Has My Cookies?

Posted on by in

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to make life easier can actually be exploited to expand the impact of a cross-site scripting attack. Single sign-on is an access-control technology that enables a user to login once and gain access to multiple systems. Some websites use single sign-on to allow access to multiple applications. While this type of authentication is convenient, it has the side effect of introducing an opportunity for an attacker to gain access to multiple systems by targeting a single vulnerable application.

Here's some background information on how some websites do authentication: many websites set cookies to identify, track, and authenticate users. Online services that use cookies for authentication are constrained by the browser's same origin policy. For example, the cookie set by http://mail.example.com cannot access the cookie set by http://www.example.com.

To support single sign-on, web applications may set one authentication cookie and structure their URLs to allow multiple sites to access the cookie. Under this architecture, a single XSS (cross-site scripting) vulnerability could affect numerous applications.

A few weeks ago, we saw a report of an XSS vulnerability in Google Spreadsheets over on Billy (BK) Rios's blog. These type of vulnerabilities are not rare, but this one was interesting because of its impact--Google uses single sign-on to manage access to many of their hosted applications.

Web application vendors can (and often do) plug XSS holes in their services to prevent exploitation of these types of vulnerabilities--but what can users do to protect themselves? The Securing Your Web Browser document has some good tips, and users should also consider how often they are logged into web applications. Certain XSS attacks (such as ones that steal authentication cookies) only work if the user is logged into the web application and has an authentication cookie on their system. To limit exposure to these types of vulnerabilities, users can uncheck "remember me on this computer" options on web-application login forms and can regularly delete cookies.

About the Author