0

Some CSRF protection mechanisms are vulnerable to attackers who can write cookies. Others are not but incur extra complexity or computational cost.

Help me understand the cost/benefit. What conditions enable attackers to write cookies for a domain?

Gili

2 Answers

2

One interesting scenario is HTTP vs HTTPS cookies. With an HTTPS site, man-in-the-middle attacks are not normally possible. However, if the user requests an HTTP site, a MITM attacker can tamper with the communication, include an iframe reference to the domain they want to target, and within the iframe write to cookies. Although this communication is over HTTP, cookies set here affect the HTTPS cookie store. I wrote about this some years ago.

paj28
  • Is this a form of SSL stripping attack? I assume that [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is meant to tackle this? – Gili Jun 28 '14 at 19:43
  • @Gili: No, it is not SSL stripping. This could be done before the browser has the HSTS policy set for your site, therefore a plain HTTP connection will be possible that the attacker can also set up by an IFrame or any other request (e.g. an image HTTP response could set a cookie). – SilverlightFox Jun 28 '14 at 19:57
  • @Gili - I think HSTS does help significantly, although as SilverlightFox says, it's not 100%. You could edit your question to describe the defences your site is using (TLS, HSTS, etc.) to get more targeted answers – paj28 Jun 28 '14 at 20:10
  • @paj28, Thank you for the comment. This question is meant to inform readers of possible attack vectors for writing cookies. Once readers have a comprehensive list, they can then research how to protect against each one. I'm personally aware of sub-domain attacks, and TLS/HSTS but I want to make sure I'm not missing any other attack vectors. – Gili Jun 29 '14 at 19:34
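
A defensive check for the scenario in the answer and comments above, added here as an example and not part of the original thread: it audits one HTTPS response for cookies that a plain-HTTP response could still write, and for whether HSTS covers the host and its subdomains. The function names and sample headers are constructed, and it assumes browsers that enforce the `__Host-` and `__Secure-` cookie name prefixes, which the thread does not mention.

```python
# Added example, not from the original thread. Sample headers are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name = pair.split("=", 1)[0].strip()
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return name, parsed

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = 0, False
    for directive in (value or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif key.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def classify(name, attrs):
    """'protected', 'invalid' (browser drops it) or 'writable' from plain HTTP."""
    if name.startswith("__Host-"):
        ok = "secure" in attrs and "domain" not in attrs and attrs.get("path") == "/"
    elif name.startswith("__Secure-"):
        ok = "secure" in attrs
    else:
        return "writable"  # an unprefixed name can be set by a plain-HTTP response
    return "protected" if ok else "invalid"

def audit(headers):
    """headers: (name, value) pairs of one HTTPS response. Returns a findings dict."""
    hsts = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    max_age, include_sub = parse_hsts(hsts)
    cookies = dict(classify(*parse_set_cookie(v))[::-1] and
                   (parse_set_cookie(v)[0], classify(*parse_set_cookie(v)))
                   for k, v in headers if k.lower() == "set-cookie")
    # HSTS only applies once the browser has seen the policy (see the comments above).
    return {"hsts_covers_host": max_age > 0,
            "hsts_covers_subdomains": max_age > 0 and include_sub,
            "cookies": cookies}

SAMPLE = [  # constructed response headers
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "csrf=abc123; Secure; Path=/"),
    ("Set-Cookie", "__Host-csrf=abc123; Secure; Path=/; HttpOnly"),
    ("Set-Cookie", "__Host-sid=xyz; Secure; Path=/; Domain=example.com"),
]
```

A CSRF token carried in a cookie reported as `writable` should not be trusted on its own; `invalid` means the browser will discard the cookie because it breaks its prefix's rules.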
0

Off the top of my head:

Gili