Path Leaks of HTTPS Side-Channel by Cookie Injection

  • Fuqing Chen
  • Haixin Duan
  • Xiaofeng Zheng
  • Jian Jiang
  • Jianjun Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)

Abstract

The TLS protocol is supposed to provide confidentiality to communication channel, preventing active and passive network attacks. However, researchers have presented several side-channel attacks against TLS protected communications, due to protocol design flaws or implementation problems. We present a new side-channel attack against HTTPS (HTTP over TLS) by exploiting cookie injection. Taking advantage of cookie’s weak Same Origin Policy (SOP), an attacker can inject arbitrary cookies into a victim’s browser if a website is not fully protected by HTTP Strict Transport Security (HSTS), the injected cookies can then be used to infer sensitive information of encrypted traffic initiated by the victim. We show two such side-channel attacks. The first allows the attacker to identify whether the victim is visiting a known sensitive URL or not. The second is able to reveal the full path of unknown URLs visited by the victim, exploiting cookie-path matching vulnerabilities in Internet Explorer, Edge, Safari, etc. With experiments, we investigate several popular cloud storage services and demonstrate that most of them (including Google Drive and Dropbox) are vulnerable to such attacks. The issues we discovered in Internet Explorer, Edge and Safari are also acknowledged by Microsoft (MSRC Case 39133, will be fixed in future version) and Apple (Case 666783646, has been fixed). Finally, we discuss potential defense and mitigation against these attacks.

Keywords

Privacy Side-channel attack HTTPS Cloud storage service Path leaks Cookie 

Notes

Acknowledgments

This work is supported by CERNET Innovation Project (No. NGII20160402).

References

  1. 1.
    Barth, A.: HTTP state management mechanism. IETF RFC 6265 (2011). https://tools.ietf.org/html/rfc6265
  2. 2.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. IETF RFC 5246 (2008). https://tools.ietf.org/html/rfc5246
  3. 3.
    Barth, A.: The web origin concept. IETF RFC 6454 (2011). https://tools.ietf.org/html/rfc6454
  4. 4.
    Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS). IETF RFC 6797 (2012). https://tools.ietf.org/html/rfc6797
  5. 5.
    Johnston, P., Moore, R.: Multiple browser cookie injection vulnerabilities (2004). http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt
  6. 6.
    Chen, S., Ziqing, M., Yi-Min, W., Ming, Z.: Pretty-bad-proxy: an overlooked adversary in browsers’ HTTPS deployments. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 347–359. IEEE Computer Society (2009).  https://doi.org/10.1109/SP.2009.12
  7. 7.
    Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan, T., Weaver, N.: Cookies lack integrity: real-world implications. In: 24th USENIX Security Symposium, USENIX Security 2015, Washington, D.C., pp. 707–721 (2015)Google Scholar
  8. 8.
  9. 9.
    Coull, S.E., Collins, M.P., Monrose, F., Reiter, M.K., Wright, C.V.: On web browsing privacy in anonymized NetFlows. In: 16th USENIX Security Symposium, pp. 339–352 (2007)Google Scholar
  10. 10.
    Danezis, G. Traffic analysis of the HTTP protocol over TLS (2008). http://www.cs.ucl.ac.uk/staff/G.Danezis/papers/TLSanon.pdf
  11. 11.
    Luo, X., Zhou, P., Chan, E.W.W., Lee, W., Chang, R.K.C., Perdisci, R.: HTTPOS: sealing information leaks with browser-side obfuscation of encrypted flows. In: Proceedings of the Network and Distributed Systems Symposium (NDSS), San Diego, California, USA (2011)Google Scholar
  12. 12.
    Wright, C.V., Coull, S.E., Monrose, F.: Traffic morphing: an efficient defense against statistical traffic analysis. In: Proceedings of the Network and Distributed Systems Symposium (NDSS), pp. 237–250. IEEE (2009)Google Scholar
  13. 13.
    Rizzo, J., Duong, T.: The CRIME attack. In: Ekoparty Security Conference (2012)Google Scholar
  14. 14.
    Gluck, Y., Harris, N., Prado, A.: BREACH: reviving the CRIME attack (2013). http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
  15. 15.
    Zalewski, M.: The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco (2012)Google Scholar
  16. 16.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Fuqing Chen
    • 1
  • Haixin Duan
    • 1
  • Xiaofeng Zheng
    • 1
  • Jian Jiang
    • 2
  • Jianjun Chen
    • 1
  1. 1.Tsinghua UniversityBeijingChina
  2. 2.University of CaliforniaBerkeleyUSA

Personalised recommendations