auto cookie analysis

Upload: sammrg

Post on 03-Jun-2018


  • 8/11/2019 Auto Cookie Analysis


    Start Secure. Stay Secure.

    Are your web applications vulnerable?

    By Darrin Barrall

    Automated Cookie Analysis


    Table of Contents

    Introduction
    The Basics
    Collecting Cookies
    Sets
    Randomness
    Encoding
    Subcookies
    Graphical Analysis
    Prediction
    Summary
    References
    Disclaimer
    The Business Case for Application Security
    About SPI Labs
    About SPI Dynamics
    About the WebInspect Product Line
    About the Author
    Contact Information

    2005 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.


    Introduction

    This paper examines a series of mathematical and theoretical attacks against Web applications that use cookies, and discusses the feasibility of automating the process and exploiting any weaknesses detected. The methodology reflects the perspective of an attacker who has no prior knowledge of how cookies are designed or implemented for a specific Web application.

    A Web-based system typically uses a cookie as a reference to data already stored on the server, and operates under the assumption that only a specific user knows the contents of the cookie. This system is vulnerable to attack if a malicious user can predict the cookie that will be assigned to another user. The attacker can then hijack a legitimate user's session by using the counterfeit cookie.

    When a Web server generates cookies in a truly random fashion, an intruder has little (if any) chance of correctly fabricating a cookie that can be used to attack the site. However, if an attacker can identify a pattern to the manner in which cookie values are assigned, he may easily generate an HTTP request that includes a cookie that will be accepted by the server. For example, if the Web server generates a series of four cookies having values of 2, 4, 6, and 8, it's a good bet that the fifth cookie will have a value of 10. Therefore, the ability to predict the value of a valid cookie is inversely related to the degree of randomness with which the cookie was generated.

    The Basics

    At a minimum, a cookie is a name and value pair used to retain a value for future reference. For example:

    SmallCookie=1234.


    The example shows a cookie named SmallCookie having a value of 1234. Frequently, several cookies are used, so each additional cookie should have a distinct name. Otherwise, a value intended to be stored would be lost. A cookie may have other attributes, such as an expiration date. It is possible that the attribute values may play a role during analysis, but this paper focuses on the value portion of the cookie.

    The common usage of cookies is to manage the state of a remote user's interaction with a web server. Keep this in mind when collecting cookies for analysis. A cookie collected before signing into a system may be radically different from the cookie assigned after signing in. Using a mix and match of these cookies could invalidate the analysis, so accurate data collection is an important first step.

    Collecting Cookies

    There are plenty of variables that determine or limit how many cookie samples are necessary for testing. These include:

    Algorithms used

    Acquisition time

    Computing resources

    Some statistical methods require thousands or more data points, while simpler procedures may require only two. If it takes 10 minutes to acquire each sample, maybe you should adjust your algorithms to work with a small number of samples. Brute-force number-crunching requires adequate computing hardware (unless you happen to be unnaturally patient). Reducing the amount of data to be processed can speed up the analysis.


    While collecting the cookies, record a time associated with the cookie. This could be the server's timestamp in the HTTP response header, your local time, or some other convenient time. Having a known range of time values and associated cookie values is an aid when predicting a cookie value for a specific time in the future.

    Another factor to consider is the reproducibility of the conditions that are used to collect the cookies. Your software may use several different network endpoint ports. You could remove this influence by analyzing the cookies grouped by the port that received them. There is no requirement that the targeted web server use the remote port number. Consequently, there may be no advantage gained by grouping the cookies in this manner. Since the process used to compose the cookie is unknown, we can only hypothesize and then test.

    Sets

    Since we are taking a zero-knowledge approach to what the cookie may represent, the first step is to figure out what the cookie, or parts of it, may represent. We begin by defining some sets:


    Set               Members
    Numbers (n)       0-9
    Hexadecimal (h)   0-9, A-F, a-f
    Alphabetic (a)    A-Z, a-z
    Text (t)          0-9, A-Z, a-z
    Delimiters (d)    !0-9, !A-Z, !a-z
    Other             everything else

    For each byte of a cookie, create a list of the smallest set to which the byte belongs. For the cookie value 12345:DBD, the set list would be nnnnndhhh. The last three characters are members of both hexadecimal and alphabetic sets, but are recorded as hexadecimal because that is the smallest set containing these characters. Processing a second cookie value, 12349:SCV, yields nnnnndaha, and a third, 12355:MFA, yields nnnnndahh. Combining the three results gives us nnnnndaha.

    12345: DBD    nnnnndhhh
    12349: SCV    nnnnndaha
    12355: MFA    nnnnndaha

    Notice that each of the last three columns of characters (DSM, BCF, DVA) are mixed hexadecimal and alphabetic, though the middle column is all hexadecimal. This introduces the possibility that the middle character is actually an alphabetic character (and our data set is flawed), or that it is really a hexadecimal value and has some special significance. Let's explore the first possibility.

    Suppose we adjust the character set of the columns to reflect the character types of the columns that surround them. Numeric characters surrounded by more numeric characters are probably numeric values and do not need adjustment. If a few hexadecimal values were scattered among the numeric values, we could consider the whole sequence to be a hexadecimal value and adjust the set accordingly.

    The last three columns demonstrate this effect, but with hexadecimal and alphabetic types. If we adjust the character set accordingly, the result is nnnnndaaa. The unknown data has been turned into a number and a text string, separated by a delimiter character. Since it is unlikely that the second part has any hexadecimal properties, text-specific tests can be applied to the second part of the cookie.
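    The set-list procedure above, written out as an added example (it is not code from the original paper). The function names are hypothetical, delimiters are assumed to be ASCII punctuation, and the neighbour adjustment is assumed to work on runs of columns between delimiters.

```python
"""Character-set profiling of cookie values, using the paper's three samples."""
import string

NUM = set(string.digits)
HEX = set(string.hexdigits)            # 0-9, A-F, a-f
ALPHA = set(string.ascii_letters)
TEXT = NUM | ALPHA
DELIM = set(string.punctuation)        # assumption: delimiters are ASCII punctuation

# Checked in this order, so the first set that fits is the smallest one.
ORDERED_SETS = [("n", NUM), ("h", HEX), ("a", ALPHA), ("t", TEXT), ("d", DELIM)]


def smallest_set(chars):
    """Return the code of the smallest set containing every character given."""
    chars = set(chars)
    for code, members in ORDERED_SETS:
        if chars <= members:
            return code
    return "o"                         # "Other": everything else


def set_list(cookie):
    """Per-character set list for a single cookie value."""
    return "".join(smallest_set(ch) for ch in cookie)


def combine(cookies):
    """Column-wise set list over several cookies of equal length."""
    if len({len(c) for c in cookies}) != 1:
        raise ValueError("pad or group the cookies to a common length first")
    return "".join(smallest_set(column) for column in zip(*cookies))


def adjust(cookies):
    """Give every run of columns between delimiters one common set."""
    profile = combine(cookies)
    columns = list(zip(*cookies))
    out, start = [], 0
    for i in range(len(profile) + 1):
        at_end = i == len(profile)
        if at_end or profile[i] in "do":
            if i > start:
                # Pool the real characters of the run, not just their codes:
                # an "h" column holding digits must not be promoted to "a".
                pooled = [ch for column in columns[start:i] for ch in column]
                out.append(smallest_set(pooled) * (i - start))
            if not at_end:
                out.append(profile[i])
            start = i + 1
    return "".join(out)


SAMPLES = ["12345:DBD", "12349:SCV", "12355:MFA"]   # values from the text

if __name__ == "__main__":
    for cookie in SAMPLES:
        print(cookie, set_list(cookie))
    print("combined:", combine(SAMPLES))
    print("adjusted:", adjust(SAMPLES))
```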

    Randomness

    Part of the cookie, from the previous example, is a number. What kind of number could it be? From an informational standpoint, there are two types of numbers: random and non-random. Mathematical analysis of numbers can help detect non-random sequences. One such test is Chi-Squared (http://www.fourmilab.ch/random/), described by its author as "useful for those evaluating pseudorandom number generators for encryption and statistical sampling applications, compression algorithms, and other applications where the information density of a file is of interest." In other words, this nifty number cruncher gives an indication of non-randomness: the likelihood that the number was computed rather than randomly generated. When a cookie is the result of a computational process, it becomes possible for an outsider to reproduce the process.


    Another test for randomness, or the lack of it, is correlation. A correlation coefficient (http://mathworld.wolfram.com/CorrelationCoefficient.html) indicates how well the cookie values follow a line when the value of each cookie is plotted (on the Y axis) against the time the cookie was received (on the X axis). A scattered distribution indicates randomness, whereas a pattern approaching a line indicates predictability. When this occurs, a cookie value for any time in the future can be predicted within a range with statistical certainty.

    Randomness can also be evaluated by checking character frequencies. Given enough cookies, each different character would have an equal chance of appearing. If a cookie were determined to consist of numeric values only, then each character (0-9) should make up 10 percent of the total number of bytes of all cookies. The expected distribution of characters of the alphabetic set would be approximately 1.9 percent. A deviation from the expected distribution could indicate that only a subset of the character set is used. As an example, consider the range of 1 to 32767. Since 0-9 are in use, a 10 percent distribution would be expected. But if the leftmost column is limited to 1, 2, or 3, there will be somewhat more ones and twos found along with a few more threes, skewing the results. Since a skewed distribution can indicate the range of the values that are in play, a brute-force attack may be a viable alternative because we have some knowledge of the range of valid data.

    Yet another method is to check the number of bits that change between one cookie and the next. Here again, the character set of the cookie data estimates the level of randomness. Within a single character between one cookie and the next, half of the number of bits needed to represent the character set should change to maximize the number of possible results. When a cookie consists of hexadecimal (0-9, A-F or a-f) characters, four bits are needed to represent the character set, so typically two bits should change per character from one cookie to the next. The larger alphabetic set requires approximately 4.7 bits to represent the A-Z range, and 5.7 bits for both upper and lower case sets. Comparing the expected bit changes to the measured bit changes will point out the more static portions of a value.

    An interesting side effect of tracking the bit changes is the detection of incrementing or decrementing values. For hexadecimal values, from one value to the next, the pattern of bit changes is 1,2,4. The ratio holds even where there are missing values, although more samples are necessary.
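    The checks described in this section (correlation against collection time, character frequencies, and bit changes per character), as an added example for auditing a session-ID generator; it is not from the original paper. It assumes fixed-width hexadecimal cookies and uses a chi-squared statistic over character counts rather than the program the paper links to; the function names and both sample sets are constructed for illustration.

```python
"""Randomness checks for a series of hexadecimal cookie values."""
import math
import random
from collections import Counter

HEX_ALPHABET = "0123456789abcdef"


def pearson(xs, ys):
    """Correlation coefficient of cookie value (ys) against time (xs)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("constant series: a value that never changes")
    return sxy / math.sqrt(sxx * syy)


def chi_squared(cookies, alphabet=HEX_ALPHABET):
    """Chi-squared statistic of character counts against a uniform spread."""
    counts = Counter("".join(cookies).lower())
    total = sum(counts[ch] for ch in alphabet)
    expected = total / len(alphabet)
    return sum((counts[ch] - expected) ** 2 / expected for ch in alphabet)


def bit_changes_per_column(cookies):
    """Mean number of bits flipped in each character position between
    consecutive cookies; about 2 per hex character is expected."""
    width = len(cookies[0])
    totals = [0] * width
    for prev, cur in zip(cookies, cookies[1:]):
        for col in range(width):
            diff = int(prev[col], 16) ^ int(cur[col], 16)
            totals[col] += bin(diff).count("1")
    return [t / (len(cookies) - 1) for t in totals]


def audit(times, cookies):
    """Run all three checks over cookies collected at the given times."""
    values = [int(c, 16) for c in cookies]
    return {
        "correlation": pearson(times, values),
        "chi_squared": chi_squared(cookies),
        "bit_changes": bit_changes_per_column(cookies),
    }


def constructed_samples(n=200):
    """Constructed data: an incrementing counter and a scattered series."""
    rng = random.Random(2005)          # seeded only so the output is repeatable
    times = [float(i) for i in range(n)]
    counter = [format(i, "08x") for i in range(n)]
    scattered = [format(rng.getrandbits(32), "08x") for _ in range(n)]
    return times, counter, scattered


if __name__ == "__main__":
    times, counter, scattered = constructed_samples()
    for label, cookies in (("counter", counter), ("scattered", scattered)):
        result = audit(times, cookies)
        print(label, round(result["correlation"], 3),
              round(result["chi_squared"], 1),
              [round(b, 2) for b in result["bit_changes"]])
```

    On the counter series the leading columns never change and only the last character comes close to the expected two bits, which is the "static portion" the text refers to.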

    Encoding

    A side effect of character frequencies is the detection of base-n encoding. The most common methods are base-16 (hexadecimal), and base-64 (MIME). The normal representation of hexadecimal encoding is the familiar 0-9/A-F set, but those characters can be translated into a completely different set of characters (A-P, for instance). To detect the possibility of encoding being used, count the number of unique characters used among all of the cookies. When the count happens to be approximately a power of 2 (8, 16, 32, and so on), some sort of encoding may be in use. It is an approximate estimation because there is the possibility that a character or two is reserved as a delimiter, or a padding character. Setting the decoding matrix becomes a cryptanalysis exercise if the encoding matrix is not known. A simple example of a decoding matrix for the A-P example is to assign a unique four-bit value to each character:

    0000 A
    0001 B
    0010 C
    . . .
    1110 O
    1111 P

    Each character in a cookie would be replaced by its associated four-bit value, until there are enough bits to form a new value large enough for convenient analysis.

    Encoding is not limited to powers of two. Perhaps it is simply the 0-9 range expressed as text, or 1-12 (as in months) expressed as unique characters. The possibilities are limited only by the craftiness of the cookie-creating coders.

    Subcookies

    When a cookie comprises several independent pieces of data, each individual portion of the cookie can be called a subcookie. The pieces of the subcookie may conveniently have their own names and delimiters, or the separation may be very subtle. When there are names and delimiters, break up the cookies and restart the analysis with each piece. A subtle approach to delimiting cookies is to use a character that does not belong in the encoding matrix, but appears to be part of the character set used by the rest of the cookie. A simple example is a hexadecimal cookie encoded with the A to P matrix that uses W for a delimiter. The number of Ws would be a multiple of the count of cookies being processed, while the rest of the characters in the set follow the random value character frequencies.
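    The unique-character count from the Encoding section and the W delimiter described above, combined in one added example (not from the original paper). It assumes the A to P matrix is in alphabetical order as in the table; the function names and the sample cookies are constructed for illustration.

```python
"""Detect a disguised delimiter and a power-of-two alphabet, then decode."""
import math
import random
from collections import Counter

MATRIX = "ABCDEFGHIJKLMNOP"            # 0000 -> A ... 1111 -> P, as in the table


def fixed_count_chars(cookies):
    """Characters that occur the same number of times in every cookie, so
    their total is a multiple of the cookie count: delimiter candidates."""
    per_cookie = [Counter(c) for c in cookies]
    return sorted(ch for ch in set(cookies[0])
                  if len({pc[ch] for pc in per_cookie}) == 1)


def alphabet_hint(cookies, reserved=()):
    """Unique data characters, and bits per character when their number is
    an exact power of two (None otherwise)."""
    alphabet = sorted(set("".join(cookies)) - set(reserved))
    bits = math.log2(len(alphabet)) if alphabet else 0.0
    return alphabet, (int(bits) if bits.is_integer() else None)


def decode(field, alphabet):
    """Replace each character by its index in the alphabet and pack the bits.
    Assumes the alphabet order is the matrix order."""
    bits = int(math.log2(len(alphabet)))
    value = 0
    for ch in field:
        value = (value << bits) | alphabet.index(ch)
    return value


def split_and_decode(cookies):
    """Split every cookie on the detected delimiter and decode each piece."""
    delims = fixed_count_chars(cookies)
    alphabet, bits = alphabet_hint(cookies, reserved=delims)
    if len(delims) != 1 or bits is None:
        raise ValueError("no single delimiter or power-of-two alphabet found")
    return [[decode(f, alphabet) for f in c.split(delims[0])] for c in cookies]


def encode(value, width):
    """Constructed helper: write value as `width` letters of the matrix."""
    shifts = range(4 * (width - 1), -1, -4)
    return "".join(MATRIX[(value >> s) & 0xF] for s in shifts)


def constructed_cookies(n=64):
    """Constructed samples: a counter, the letter W, then a scattered value."""
    rng = random.Random(26)            # seeded only so the output is repeatable
    return [encode(i, 4) + "W" + encode(rng.getrandbits(32), 8)
            for i in range(n)]


if __name__ == "__main__":
    cookies = constructed_cookies()
    print(cookies[:3])
    print("unique characters:", len(set("".join(cookies))))
    print("delimiter candidates:", fixed_count_chars(cookies))
    print("first subcookie decoded:", [f[0] for f in split_and_decode(cookies)][:8])
```

    Seventeen unique characters is "approximately" a power of two; setting the fixed-count W aside leaves exactly sixteen, and the first subcookie decodes to a plain counter.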

    The next easiest-to-detect subcookie is the one that contains an abrupt change in the character sets used. The most striking example is a transition of numeric data to text data. Simply cut on the dotted line and analyze the separated pieces.


    Another type of subcookie is manufactured, not found. When the cookies being tested have varying lengths, delimited columns may not line up well enough to stand out. Adding some padding to the cookies and retesting them may expose some interesting aspects. Choosing a padding character is a simple matter of picking a character that is unused in the cookies, or will not affect the value of the cookie.

    Graphical Analysis

    It is said that a picture is worth a thousand words, but with cookies, a thousand cookies is worth a picture. The values of cookies, once decoded, can be graphed in several ways that may betray hidden patterns.

    Graphing the character set of cookies is a visual way of comparing the relative sizes of parts of a cookie, or pointing out the delimiters.

    The following graph shows a numeric value followed by a text value.


    A graph of the frequencies of characters in the cookies could expose several anomalies. The presence of a particular character relative to the other characters could indicate how the usage of that character differs from the usage of the others.

    The following graph shows cookies that have an unusual frequency of the letter W: the number of Ws is exactly the same as the number of cookies.


    Before exploring the implications of this information, let's look at another graph.

    Considering the position of the steep dip in the previous graph (no bit changes) and that the frequency graph shows that the number of W characters is equal to the number of cookies, it may be that this column has some special meaning within the cookie. Since it does not change, perhaps it is a boundary of some kind. A spike like this would be a good candidate to be treated as a boundary between two subcookie values.

    Consider the two seven-bit ASCII characters J and 5. From one character to the next, all seven bits are different, but to change all seven bits again, you could only alternate between the two characters. Though many bits change, the result is far from random. The maximum randomness using a seven-bit value would be found when an average of 3.5 bits change from one value to the next. A hexadecimal value, represented by just four bits, would show an average change of two bits from one character to the next.

    The graph of bit changes shows a quickly recognizable curve when the cookie values increment somewhat regularly.


    A simple value versus time graph plainly shows an incrementing cookie value as a line, or something that approximates a line. The correlation value indicates how well the cookie values follow the line. This graph shows a cookie that is very likely an incrementing count. The jump near the middle was caused by pausing the cookie collection for a short time, though the process generating the values did not pause.


    The following graph shows the presence of multiple cookie sources. At first glance, this set of cookies looks quite random, but there appear to be three separate bands of values.

    The strategy here is to separate the cookies into three groups, according to their relative location on the graph, and test each group independently. Testing only the cookies found across the lowest band of the graph shows a nicely sequential set of cookies where there appeared to be chaos.


    Separating and graphing the other two groups of cookies results in two more similar graphs.

    This result seems to indicate that there are three independent cookie sources. Perhaps there are three servers behind a load-balancing system.

    Randomness shows itself nicely in a disk plot (http://mathworld.wolfram.com/DiskPointPicking.html). Here a cookie's value is plotted against the sine and cosine functions. When random data is plotted, the points are evenly distributed around the plotting area.


    Misuse of a random-number generator or a weak random-number source will draw a visually interesting picture, as shown in the following graph.


    The values have separated into discrete bands because of the limited range of values that result when a smaller value is multiplied with a larger value. Some systems use a decimal-based random-number generator where the result is in the range of 0 to 1 (such as 0.705152). If this number were multiplied by 1,000,000,000 the result would be 705,152,000. Notice how the last digits are 000, because the multiplicand has just six digits, while the multiplier has nine. Since the random source has just six digits, the result will always end with 000, so all values generated this way will fall into ranges separated by approximately 1,000. An attacker spotting this pattern can reduce the number of trials needed for a brute-force attack by simply skipping every one thousandth cookie.


    A simple incrementing value becomes an interesting helix when graphed as a disk plot.

    Prediction

    In those rare cases where the correlation approaches 1, or Chi is favorable and the cookies are predictable, run the numbers. Sometimes, it is a simple case of linear regression (http://mathworld.wolfram.com/LinearRegression.html) where the result is accompanied by a range of possible values. At other times, you may need to call up your college roommate who now works at the NSA.


    Once you have settled on a value, or range of possible cookie values, use a tool such as SPI Dynamics' HTTP Editor to insert your calculated cookie into the request in place of the one assigned by the server. If you have a long history of winning lotteries and manage to pick the right cookie value, you will become (to the web server) whoever happened to get the same cookie (through proper channels).

    Summary

    Cookie analysis and prediction is an intensive application of mathematics, information theory, and even cryptanalysis. Though cookies are hidden from most users, and can be obfuscated, methodical analysis can expose a pattern that can be useful to an intruder who can crunch the numbers. While the techniques covered here lend themselves to unattended operation, adding a little interaction and ingenuity will allow a determined intruder another avenue of attack.

    References

    http://mathworld.wolfram.com/

    http://www.fourmilab.ch/

    Disclaimer

    The cookie values to generate the graphs displayed were mostly generated by software to clearly illustrate the concept discussed. However, all of the concepts have been observed in use by various real websites around the Internet.

    The Business Case for Application Security

    Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

    About SPI Labs

    SPI Labs is the dedicated application security research and testing team of SPI Dynamics. Composed of some of the industry's top security experts, SPI Labs is focused specifically on researching security vulnerabilities at the web application layer. The SPI Labs mission is to provide objective research to the security community and all organizations concerned with their security practices.

    SPI Dynamics uses direct research from SPI Labs to provide daily updates to WebInspect, the leading Web application security assessment software. SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. SPI Labs policies and procedures for disclosure are outlined on the SPI Dynamics web site at: http://www.spidynamics.com/spilabs.html.

    About SPI Dynamics

    SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Since its inception, SPI Dynamics has focused exclusively on web application security. SPI Labs, the internal research group of SPI Dynamics, is recognized as the industry's foremost authority in this area.


    Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries, including financial services, health care and government, protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security.

    SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

    About the WebInspect Product Line

    The WebInspect product line ensures the security of your entire network with intuitive, intelligent, and accurate processes that dynamically scan standard and proprietary web applications to identify known and unidentified application vulnerabilities. WebInspect products provide a new level of protection for your critical business information. With WebInspect products, you find and correct vulnerabilities at their source, before attackers can exploit them.

    Whether you are an application developer, security auditor, QA professional or security consultant, WebInspect provides the tools you need to ensure the security of your web applications through a powerful combination of unique Adaptive-Agent technology and SPI Dynamics' industry-leading and continuously updated vulnerability database, SecureBase. Through Adaptive-Agent technology, you can quickly and accurately assess the security of your web content, regardless of your environment. WebInspect enables users to perform security assessments for any web application, including these industry-leading application platforms:


    Macromedia ColdFusion

    Lotus Domino

    Oracle Application Server

    Macromedia JRun

    BEA Weblogic

    Jakarta Tomcat

    About the Author

    Darrin Barrall is a researcher at large and special projects software developer with the SPI Labs division of SPI Dynamics. He may be reached via e-mail at [email protected].

    Contact Information

    SPI Dynamics                  Telephone: (678) 781-4800
    115 Perimeter Center Place    Fax: (678) 781-4850
    Suite 1100                    Email: [email protected]
    Atlanta, GA 30346             Web: www.spidynamics.com
