September 11th, 2008

NoScript mitigates HTTPS cookie hijacking attacks

Posted by Ryan Naraine @ 6:36 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Firefox, Flash, Mozilla, Open source, Pen testing, Responsible disclosure, Vulnerability research, Web 2.0, Zero-day attacks

Tags: Attack, Cookie, NoScript, Ryan Naraine

The invaluable NoScript for Firefox plug-in just got a tad better.

According to Giorgio Maone, the developer behind the popular browser extension, a new experimental feature called “Forced Secure Cookies” has been added to NoScript v1.8.0.5 to mitigate the HTTPS cookie hijacking attack vector discussed at DEFCON 16 last month.

Enabled by default, [the new feature] can be disabled either globally, by toggling the noscript.secureCookies about:config preference, or for specific domains only, by listing them (space or comma separated) in the noscript.secureCookiesException about:config preference.


Maone described the new feature as a countermeasure against Mike Perry’s automated HTTPS cookie-hijacking attack (see CookieMonster tool) that’s unobtrusive and non-interactive:

NoScript 1.8.0.5 just intercepts the “Set-Cookie” headers which are being sent over encrypted connections and are not flagged as “Secure” yet, adding the missing attribute on the fly before the cookie is stored.
This way, only those cookies actually created in the context of an encrypted transaction are forcibly switched to “Secure”, and therefore sites having lower security requirements and needing insecure cookies to work as a non-sensitive persistence mechanism are less likely to break.
Obviously those sites creating session-identifier cookies over insecure channels and recycling them after secure authentication won’t be helped by this implementation, but it’s apparently not the case of GMail, for instance.
However, should that prove itself to be such a common pattern to be worth protecting, a check on HTTP/HTTPS switching could be added to erase any previously set domain cookie.
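The header rewrite Maone describes, sketched as a stand-alone Python function (an added example, not NoScript's own code). The two preference names are the about:config keys quoted above; the exemption host list, the exact-host matching and the sample cookies are my own assumptions:

```python
from typing import Iterable, List, Set

# Constructed stand-ins for the two NoScript preferences named in the post:
# a global switch and a space- or comma-separated list of exempt domains.
SECURE_COOKIES_ENABLED = True                                   # noscript.secureCookies
SECURE_COOKIES_EXCEPTIONS = "legacy.example.test, intranet.example.test"  # noscript.secureCookiesException


def _exempt_domains(pref: str) -> Set[str]:
    # The preference accepts either separator, so normalise commas to spaces first.
    return {d.strip().lower() for d in pref.replace(",", " ").split() if d.strip()}


def force_secure(set_cookie_headers: Iterable[str], host: str, over_https: bool,
                 enabled: bool = SECURE_COOKIES_ENABLED,
                 exceptions: str = SECURE_COOKIES_EXCEPTIONS) -> List[str]:
    """Return the Set-Cookie header values as they should be stored.

    Only cookies that arrive over an encrypted connection are rewritten; a cookie
    set over plain HTTP is passed through untouched, which is exactly the gap
    Maone points out for sites that create session cookies before logging in.
    Exemption matching is on the exact response host (an assumption here).
    """
    exempt = host.lower() in _exempt_domains(exceptions)
    rewritten = []
    for header in set_cookie_headers:
        if not enabled or not over_https or exempt:
            rewritten.append(header)
            continue
        # First segment is name=value; the rest are attributes such as Path or HttpOnly.
        parts = [p.strip() for p in header.split(";")]
        has_secure = any(p.lower() == "secure" for p in parts[1:])
        if not has_secure:
            parts.append("Secure")
        rewritten.append("; ".join(parts))
    return rewritten


if __name__ == "__main__":
    # Constructed sample: a session cookie issued over HTTPS without the Secure flag.
    print(force_secure(["SID=abc123; Path=/; HttpOnly"], "mail.example.test", over_https=True))
```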


NoScript blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust. Firefox users also use it to block Flash and other potentially exploitable plugins, and it provides powerful anti-XSS protection.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

Unnecessary use of JavaScript is rampant
True, but NoScript blocks client side scripting by default unless you white list it.

The problem is that many sites use client side scripting (such as JavaScript) even though many functions can... (Read the rest)
Posted by: mystic100 Posted on: 09/13/08