Internet Security Systems - AlertCon(TM)

Stealing Cookies with SSL Renegotiation

Posted by Tom Cross on November 12, 2009 at 9:23 AM EST.

In my previous blog post on the SSL Renegotiation vulnerability I mentioned that in addition to launching attacks that are equivalent to CSRF, the attacker could manipulate POST variables (as well as other aspects of the request). I characterized these attacks as application specific and esoteric. Unfortunately, the situation is worse than I thought, as Anıl Kurmuş pointed out in a post to Full Disclosure.

If a web application allows users to store or transmit arbitrary data from a POST request to a location where the user can later retrieve it, an attacker can prefix the victim's entire HTTP request as a POST, and then read it back out, gaining access to sensitive information in the process, such as cookies or other authentication credentials. In Mr. Kurmuş's example he uses this technique to post a victim's Twitter request to his own Twitter feed, gaining access to the victim's password.
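To make the splice concrete from the server's side, here is an added model of what the HTTP parser sees when an attacker's unterminated POST is followed, after renegotiation, by the victim's request, together with a simple detection heuristic an application or WAF could apply to request bodies. This is example code written for this post, not Mr. Kurmuş's proof of concept or anything from Twitter; the hostname, paths, session cookie and credentials are constructed placeholders.

```python
"""Model of a TLS-renegotiation splice as seen by an HTTP server, plus a
detector for request bodies that embed another HTTP request.
Added example; hostnames, paths and credentials are constructed placeholders."""
import base64
import re

# Constructed attacker prefix: a POST whose body is deliberately left open,
# so whatever the server reads next on the connection becomes the "status"
# value. Content-Length bounds how much of the victim's request is captured.
ATTACKER_PREFIX = (
    b"POST /statuses/update.xml HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 100\r\n"
    b"\r\n"
    b"status="
)

# Constructed victim request, delivered on the same connection after the
# renegotiation. The server cannot tell where one party's bytes end.
VICTIM_CREDS = base64.b64encode(b"victim:PLACEHOLDER-PASSWORD")
VICTIM_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Cookie: session=PLACEHOLDER-SESSION-ID\r\n"
    b"Authorization: Basic " + VICTIM_CREDS + b"\r\n"
    b"\r\n"
)


def parse_request(stream: bytes):
    """Minimal HTTP/1.1 parser: request line, headers, then exactly
    Content-Length bytes of body, which is all a real server does too."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    return method.decode(), path.decode(), headers, rest[:length]


REQUEST_LINE = re.compile(rb"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SENSITIVE = re.compile(rb"(?im)^(cookie|authorization):")


def leaked_headers(body: bytes) -> list:
    """Detection heuristic: a body containing an HTTP request line followed by
    credential-bearing headers is the fingerprint of a spliced request."""
    if not REQUEST_LINE.search(body):
        return []
    return [m.group(1).decode().title() for m in SENSITIVE.finditer(body)]


def simulate_splice():
    """Return the path the server routes to and the body it stores."""
    method, path, _headers, body = parse_request(ATTACKER_PREFIX + VICTIM_REQUEST)
    return method, path, body


if __name__ == "__main__":
    method, path, body = simulate_splice()
    print(method, path)
    print(body)
    print("sensitive headers found in body:", leaked_headers(body))
```

Run stand-alone, the script shows the server routing a POST to the attacker's chosen path whose body begins with the victim's request line and carries the session cookie intact; the Authorization header is cut off by the 100-byte Content-Length, which is why a real splice is sized to the request it expects. The heuristic is only a second layer: the fix the post points to, disabling renegotiation on the server, removes the splice entirely.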

Obviously, a great many web applications allow users to store or transmit arbitrary data. The most obvious examples are webmail applications - the attacker could essentially email himself a copy of the victim's cookie. Webmail credentials are a popular target on insecure wireless LANs.

There may also be other interesting angles on this vulnerability that are discovered in the future, and of course, HTTPS is not the only protocol that uses SSL.

Fortunately a version of OpenSSL (0.9.8l) is available which disables renegotiation, and that is appropriate for most applications. According to Mr. Kurmuş, Twitter seems to have already applied it. Have you?

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.