Abstract
The TLS protocol is supposed to provide confidentiality to communication channel, preventing active and passive network attacks. However, researchers have presented several side-channel attacks against TLS protected communications, due to protocol design flaws or implementation problems. We present a new side-channel attack against HTTPS (HTTP over TLS) by exploiting cookie injection. Taking advantage of cookie’s weak Same Origin Policy (SOP), an attacker can inject arbitrary cookies into a victim’s browser if a website is not fully protected by HTTP Strict Transport Security (HSTS), the injected cookies can then be used to infer sensitive information of encrypted traffic initiated by the victim. We show two such side-channel attacks. The first allows the attacker to identify whether the victim is visiting a known sensitive URL or not. The second is able to reveal the full path of unknown URLs visited by the victim, exploiting cookie-path matching vulnerabilities in Internet Explorer, Edge, Safari, etc. With experiments, we investigate several popular cloud storage services and demonstrate that most of them (including Google Drive and Dropbox) are vulnerable to such attacks. The issues we discovered in Internet Explorer, Edge and Safari are also acknowledged by Microsoft (MSRC Case 39133, will be fixed in future version) and Apple (Case 666783646, has been fixed). Finally, we discuss potential defense and mitigation against these attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Barth, A.: HTTP state management mechanism. IETF RFC 6265 (2011). https://tools.ietf.org/html/rfc6265
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. IETF RFC 5246 (2008). https://tools.ietf.org/html/rfc5246
Barth, A.: The web origin concept. IETF RFC 6454 (2011). https://tools.ietf.org/html/rfc6454
Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS). IETF RFC 6797 (2012). https://tools.ietf.org/html/rfc6797
Johnston, P., Moore, R.: Multiple browser cookie injection vulnerabilities (2004). http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt
Chen, S., Ziqing, M., Yi-Min, W., Ming, Z.: Pretty-bad-proxy: an overlooked adversary in browsers’ HTTPS deployments. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 347–359. IEEE Computer Society (2009). https://doi.org/10.1109/SP.2009.12
Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan, T., Weaver, N.: Cookies lack integrity: real-world implications. In: 24th USENIX Security Symposium, USENIX Security 2015, Washington, D.C., pp. 707–721 (2015)
Vranken, G.: HTTPS bicycle attack (2015). https://guidovranken.wordpress.com/2015/12/30/https-bicycle-attack/
Coull, S.E., Collins, M.P., Monrose, F., Reiter, M.K., Wright, C.V.: On web browsing privacy in anonymized NetFlows. In: 16th USENIX Security Symposium, pp. 339–352 (2007)
Danezis, G. Traffic analysis of the HTTP protocol over TLS (2008). http://www.cs.ucl.ac.uk/staff/G.Danezis/papers/TLSanon.pdf
Luo, X., Zhou, P., Chan, E.W.W., Lee, W., Chang, R.K.C., Perdisci, R.: HTTPOS: sealing information leaks with browser-side obfuscation of encrypted flows. In: Proceedings of the Network and Distributed Systems Symposium (NDSS), San Diego, California, USA (2011)
Wright, C.V., Coull, S.E., Monrose, F.: Traffic morphing: an efficient defense against statistical traffic analysis. In: Proceedings of the Network and Distributed Systems Symposium (NDSS), pp. 237–250. IEEE (2009)
Rizzo, J., Duong, T.: The CRIME attack. In: Ekoparty Security Conference (2012)
Gluck, Y., Harris, N., Prado, A.: BREACH: reviving the CRIME attack (2013). http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
Zalewski, M.: The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco (2012)
Apache: apache core features (2017). http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
Acknowledgments
This work is supported by CERNET Innovation Project (No. NGII20160402).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Chen, F., Duan, H., Zheng, X., Jiang, J., Chen, J. (2018). Path Leaks of HTTPS Side-Channel by Cookie Injection. In: Fan, J., Gierlichs, B. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2018. Lecture Notes in Computer Science(), vol 10815. Springer, Cham. https://doi.org/10.1007/978-3-319-89641-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-89641-0_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-89640-3
Online ISBN: 978-3-319-89641-0
eBook Packages: Computer ScienceComputer Science (R0)