Web front end: abusing HSTS (HTTP Strict Transport Security) as a super cookie (HSTS Super Cookie)

Source: Internet
Author: User
Tags: http, strict transport security, subdomain

A cookie that works across sites, survives the user clearing the browser's cookies and cannot be deleted at all sounds hard to build. The following tutorial shows how to store and read back such a value without using document.cookie at all.

supercookie.js:
http://beta.tfxiq.com/superCookie.js

Demo:
http://beta.tfxiq.com/sc.html



The server turns HSTS on for a host by sending the Strict-Transport-Security header, for example in PHP:

<?php header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); ?>

A note on includeSubDomains: the browser keeps HSTS state per host, and includeSubDomains only extends a host's entry to the names beneath it. The super cookie needs 32 independently settable hosts (1-hsts-lab..., 2-hsts-lab..., and so on), so each numbered subdomain must send the header itself. The parent hsts-lab.radicalresearch.co.uk must not send it with includeSubDomains, or every numbered subdomain would be forced to HTTPS at once and no bit could ever be cleared.


Subdomains used by the demo: *-hsts-lab.radicalresearch.co.uk, that is 1-hsts-lab.radicalresearch.co.uk, 2-hsts-lab.radicalresearch.co.uk and so on up to 32-hsts-lab.radicalresearch.co.uk (the demo uses 32 of them). Why so many subdomains are needed is explained below.

Turning HSTS on or off for a subdomain
Each subdomain sets its own HSTS state through a URL of the form:

      https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1

Open that URL in the browser and look at the response headers: there is a Strict-Transport-Security header with max-age=31536000. max-age is not 0, so HSTS is now on for this host.

Then open:

      https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0

This time the header says max-age=0, the entry expires immediately and HSTS is off.

The 13-hsts-lab.radicalresearch.co.uk server decides which HSTS state to return from the trailing 0/1 of the URL (https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0): 0 = off, 1 = on.

In other words, the server picks the Strict-Transport-Security header from the URL:
HSTS on:
<?php header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); ?>
HSTS off:
<?php header("Strict-Transport-Security: max-age=0; includeSubDomains"); ?>

Another key point: turning HSTS on or off must be done over HTTPS. When https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0 is opened in the browser the scheme must be https, because a browser ignores a Strict-Transport-Security header that arrives over plain HTTP (RFC 6797, section 8.1). This is explained further below.


    
The key point the super cookie relies on: suppose HSTS has already been turned on for subdomain 13, and the current browser has visited that subdomain (or a script loaded it dynamically), for example by opening

      https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1

and the page then requests

      http://13-hsts-lab.radicalresearch.co.uk/hsts/get


We find that the browser automatically redirects the plain-HTTP request to https://13-hsts-lab.radicalresearch.co.uk/hsts/get


This is the crucial point; if it is not clear, the rest of the HSTS super cookie will not make sense.


Conversely, if you turned HSTS off via https://13-hsts-lab.radicalresearch.co.uk/hsts/set/0, any resource on that subdomain can be opened over plain HTTP and no redirect to HTTPS happens.


Now open http://beta.tfxiq.com/sc.html and look at the Network tab of the developer console: a number of requests show up as canceled redirects with no response.

The reason is that HSTS is on for those subdomains. Because the browser earlier fetched the subdomain over HTTPS and received the HSTS header, every later plain-HTTP request to it is forced to HTTPS; the canceled HTTP request itself returns nothing. The code exploits exactly this difference.
Implementation principle:

Take http://beta.tfxiq.com/sc.html as the example. Suppose the current Chrome client wants to store the value 71009647. In base 36 it is 169ze7 (the value shown on the page); in binary it is 00000100001110111000010101101111, where the leading zeros pad it out to a full 32 bits.
Saving the cookie:
Walk the 32-bit binary string from left to right; the trailing /0 or /1 of each URL is the corresponding bit.
Step 1: open https://1-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 2: open https://2-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 3: open https://3-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 4: open https://4-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 5: open https://5-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 6: open https://6-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 7: open https://7-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 8: open https://8-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 9: open https://9-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 10: open https://10-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 11: open https://11-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 12: open https://12-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 13: open https://13-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 14: open https://14-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 15: open https://15-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 16: open https://16-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 17: open https://17-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 18: open https://18-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 19: open https://19-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 20: open https://20-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 21: open https://21-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 22: open https://22-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 23: open https://23-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 24: open https://24-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 25: open https://25-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 26: open https://26-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 27: open https://27-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 28: open https://28-hsts-lab.radicalresearch.co.uk/hsts/set/0  to turn HSTS off for this subdomain
Step 29: open https://29-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 30: open https://30-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 31: open https://31-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain
Step 32: open https://32-hsts-lab.radicalresearch.co.uk/hsts/set/1  to turn HSTS on for this subdomain

The 32 steps above set each subdomain's HSTS state from the bits of 00000100001110111000010101101111 in left-to-right order: 0 = off, 1 = on (bits 17 to 20 are 1000, so step 17 turns HSTS on and step 20 turns it off).

The URLs used to save the cookie must use HTTPS, for the reason given above. Once HSTS has been turned on for a subdomain by a header received over HTTPS, any later plain-HTTP request for any resource on that subdomain is redirected by the browser to the corresponding HTTPS URL.

The code in beta.tfxiq.com/superCookie.js does exactly this: in a loop it dynamically inserts script elements into the document head, so the browser performs the 32 set requests and records the resulting HSTS state of each subdomain.


Reading the cookie:
When the user opens beta.tfxiq.com/sc.html again in the same browser, the 32 subdomains are requested over plain HTTP (this is essential: the read relies on the HSTS redirect) with a cb callback parameter:

Step 1: http://1-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['1'](0)  HSTS is off for this subdomain, so the request is not redirected and is answered over plain HTTP; the callback receives 0.
Step 2: http://2-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['2'](0)  same as above
Step 3: http://3-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['3'](0)  same as above
Step 4: http://4-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['4'](0)  same as above
Step 5: http://5-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['5'](0)  same as above
Step 6: http://6-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['6'](1)  HSTS is on for this subdomain, so the browser cancels the HTTP request (the canceled entry in the Network tab) and re-issues it over HTTPS; that response carries the data and the callback receives 1.
...
and so on for steps 7 to 31
...
Step 32: http://32-hsts-lab.radicalresearch.co.uk/hsts/get?cb=window['hsts']._['32'](1)  HSTS is on for this subdomain, so the request is upgraded to HTTPS, the response carries the data and the callback receives 1.

These 32 steps are again issued by supercookie.js, which inserts script elements into the head in a loop. The bit string read back is identical to the one written, 00000100001110111000010101101111, which converts back to 71009647 and is shown on the page in base 36 as 169ze7.
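The write procedure (32 HTTPS set requests) and the read procedure (32 plain-HTTP get requests with a callback) can be modeled end to end without a network. The following is an added example, not the page's supercookie.js and not the hsts-lab server. It assumes a server whose /hsts/set/{0,1} endpoint answers with max-age=31536000 or max-age=0 and whose /hsts/get endpoint appends (1) to the cb name when the request arrived over HTTPS and (0) when it arrived over HTTP, and a browser whose HSTS store is separate from its cookie jar, honours the header only over HTTPS, and upgrades plain-HTTP requests to hosts in that store. Host names follow the page's N-hsts-lab.radicalresearch.co.uk pattern; the header is sent without includeSubDomains because each numbered host is its own HSTS entry.

```javascript
// Added example: a self-contained model of the HSTS super cookie.
// Server behaviour and browser behaviour below are assumptions that follow
// the page's description; nothing here touches the network.
const BITS = 32;
const LAB = 'hsts-lab.radicalresearch.co.uk';        // host suffix used by the demo
const hostFor = (i) => `${i}-${LAB}`;                // 1-…, 2-…, …, 32-…

// 32-bit unsigned value <-> bit string, plus the base-36 form the demo displays
function toBits(value) {
  if (!Number.isInteger(value) || value < 0 || value > 0xFFFFFFFF) {
    throw new RangeError('value must fit in 32 unsigned bits');
  }
  return value.toString(2).padStart(BITS, '0');
}
const fromBits = (bits) => parseInt(bits, 2);
const toBase36 = (value) => value.toString(36);

// Assumed origin server for every N-hsts-lab host. req = { scheme, host, path, query }
function serverHandle(req) {
  const set = /^\/hsts\/set\/([01])$/.exec(req.path);
  if (set) {
    const sts = set[1] === '1' ? 'max-age=31536000' : 'max-age=0';
    return { status: 200, headers: { 'Strict-Transport-Security': sts }, body: '' };
  }
  if (req.path === '/hsts/get') {
    const cb = /(?:^|&)cb=([^&]*)/.exec(req.query);
    const bit = req.scheme === 'https' ? 1 : 0;       // the scheme the request arrived on is the stored bit
    return { status: 200, headers: {}, body: `${cb ? cb[1] : 'cb'}(${bit})` };
  }
  return { status: 404, headers: {}, body: '' };
}

// Minimal browser: an ordinary cookie jar plus the separate, persistent HSTS store
class Browser {
  constructor() { this.cookies = new Map(); this.hsts = new Set(); }
  fetch(url) {
    const m = /^(https?):\/\/([^\/?]+)(\/[^?]*)?(?:\?(.*))?$/.exec(url);
    if (!m) throw new Error(`unsupported url: ${url}`);
    let scheme = m[1];
    const host = m[2], path = m[3] || '/', query = m[4] || '';
    if (scheme === 'http' && this.hsts.has(host)) scheme = 'https'; // internal redirect to https
    const res = serverHandle({ scheme, host, path, query });
    const sts = res.headers['Strict-Transport-Security'];
    // RFC 6797 s8.1: the header is only honoured on a secure transport, which is
    // why the page insists that /hsts/set/... be opened over https
    if (sts && scheme === 'https') {
      const maxAge = Number(/max-age=(\d+)/.exec(sts)[1]);
      if (maxAge > 0) this.hsts.add(host); else this.hsts.delete(host);
    }
    return res;
  }
  clearCookies() { this.cookies.clear(); }           // leaves this.hsts untouched
}

// Write: one https request per subdomain; bit i of the value becomes the HSTS state of host i
function writeSuperCookie(browser, value) {
  const bits = toBits(value);
  for (let i = 1; i <= BITS; i++) {
    browser.fetch(`https://${hostFor(i)}/hsts/set/${bits[i - 1]}`);
  }
  return bits;
}

// Read: one plain-http request per subdomain. Hosts with HSTS are upgraded and
// answer cb(1); the others answer cb(0). Reassemble the bits and convert back.
function readSuperCookie(browser) {
  let bits = '';
  for (let i = 1; i <= BITS; i++) {
    const res = browser.fetch(`http://${hostFor(i)}/hsts/get?cb=window.hsts._[${i}]`);
    bits += /\((\d)\)$/.exec(res.body)[1];           // what the JSONP callback would receive
  }
  return fromBits(bits);
}

// Walk-through with the page's own value: the identifier survives clearing cookies
const browser = new Browser();
const stored = writeSuperCookie(browser, 71009647);  // '00000100001110111000010101101111'
browser.cookies.set('sid', 'abc');
browser.clearCookies();
const recovered = readSuperCookie(browser);          // 71009647
const display = toBase36(recovered);                 // '169ze7'
```

Run it with node. Two details worth checking in the model: a /hsts/set/1 request made over plain http changes nothing, because the header is discarded on an insecure transport, and writing all-zero bits afterwards empties the HSTS store, which is the only way this "cookie" can ever be removed.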

32 subdomains are used because they hold one 32-bit value, i.e. 2^32 (about 4.3 billion) distinct client identifiers.
Disadvantages:

1. Every read requires requests to all 32 subdomains (32 script loads), so reading the cookie is expensive and slow.

2. Since this is a privacy hole, the major browser vendors can be expected to fix it. They have since done so in part: Safari (2018) only lets a response set HSTS for its own hostname or its registrable domain and ignores HSTS upgrades for third-party subresource loads when cookie blocking applies, and Chrome and Firefox drop dynamic HSTS entries when the user clears site data.

Advantages:

It works across sites, and closing the browser or clearing cookies does not remove it. The explanation above is a little long-winded; in short, the HSTS weakness is used with 32 subdomains as the "database": each subdomain stores one bit (HSTS on = 1, off = 0), and together the 32 bits form a unique value that can be written and read back. This is original work; if you reprint it, please credit the source. Thanks. @author Liu Minghai
