{"id":1512,"date":"2014-09-27T02:02:35","date_gmt":"2014-09-27T02:02:35","guid":{"rendered":"http:\/\/nethemba.com\/de\/cookie-jar-overflow\/"},"modified":"2014-09-27T02:02:35","modified_gmt":"2014-09-27T02:02:35","slug":"cookie-jar-overflow","status":"publish","type":"post","link":"https:\/\/nethemba.com\/de\/cookie-jar-overflow\/","title":{"rendered":"Cookie Jar Overflow"},"content":{"rendered":"

HttpOnly pr\u00edznak pri cookies zabra\u0148uje, aby sa pomocou Javascriptu dala ich hodnota na\u010d\u00edta\u0165 alebom meni\u0165. Je jedn\u00fdm z opatren\u00ed, ktor\u00e9 sl\u00fa\u017ei ako prevencia proti \u010fal\u0161\u00edm \u00fatokom, napr\u00edklad kradnutie session v spojeni so „Session Fixation“ (viac na https:\/\/www.owasp.org\/index.php\/Session_fixation<\/a>).<\/p>\n

Predpokladajme, \u017ee aplik\u00e1cia zranite\u013en\u00e1 na „Session Fixation“ nastav\u00ed HttpOnly pr\u00edznak pre session cookie.<\/p>\n

\u00dato\u010dn\u00edk v be\u017en\u00fdch pr\u00edpadoch nedok\u00e1\u017ee<\/strong> spravi\u0165 nasledovn\u00e9:<\/p>\n

    \n
  1. Prist\u00fapi\u0165 ku cookie, zmeni\u0165 jej hodnotu<\/li>\n
  2. Po\u010dkat, a\u017e sa pou\u017e\u00edvate\u013e op\u00e4tovne prihl\u00e1si<\/li>\n
  3. Nastavi\u0165 si u\u017e pre neho zn\u00e1mu hodnotu cookie u seba a z\u00edska\u0165 t\u00fdm pr\u00edstup k jeho session<\/li>\n<\/ol>\n

    Problematick\u00fd je prv\u00fd bod, v pr\u00edpade, \u017ee by sme napr\u00edklad na\u0161li zranitelnos\u0165 typu XSS, dok\u00e1zali by sme vytvori\u0165 in\u00e9 cookies bez HttpOnly pr\u00edznaku<\/strong> (ktor\u00fd by Javascript tie\u017e nemal umo\u017eni\u0165 ani nastavi\u0165). Tento fakt n\u00e1m o chv\u00ed\u013eu pom\u00f4\u017ee.<\/p>\n

    V minulosti sa u\u017e objavilo nieko\u013eko \u00fatokov, ako prist\u00fapi\u0165 cez Javascript k
    \nHttpOnly cookies, napr\u00edklad     CVE-2012-0053<\/a> pre niektor\u00e9 verzie webov\u00e9ho servera Apache.<\/p>\n

    Jedna z celkom elegantn\u00fdch technik, ktor\u00fa ju aktu\u00e1lne mo\u017en\u00e9 pou\u017ei\u0165 pri v\u00e4\u010d\u0161ine prehliada\u010dov v poslednej verzii (testovan\u00fd Firefox 32.0.3, Google Chrome 37.0.2062.124) je „Cookie Jar Overflow“.<\/p>\n

    Webov\u00fd prehliada\u010d si uklad\u00e1 pre konkr\u00e9tne dom\u00e9ny v r\u00e1mci Same Origin Policy (SOP) len ist\u00fd po\u010det cookies a pokia\u013e ich dok\u00e1\u017ee \u00fato\u010dn\u00edk vygenerova\u0165 dostato\u010dn\u00e9 mno\u017estvo, tie p\u00f4vodne „vypadn\u00fa“ a m\u00f4\u017ee ich e\u0161te raz vytvori\u0165, tentokr\u00e1t bez HttpOnly pr\u00edznaku. Kv\u00f4li SOP obmedzeniu je nutn\u00e9 str\u00e1nku na\u010d\u00edta\u0165 v r\u00e1mci rovnakej „document.domain“ (\u010do vo v\u00e4\u010dsine pr\u00edpadov znamen\u00e1 n\u00e1js\u0165 \u010fal\u0161iu XSS zranite\u013enos\u0165).<\/p>\n

    \u00datok bol demon\u0161trovan\u00fd v knihe The Browser Hacker’s Handbook<\/a>. Ni\u017e\u0161ie uv\u00e1dzam k\u00f3d v takmer nezmenenej forme, funguje nasledovne:<\/p>\n