WAF development: analysis of the Cookie security protection function (wafcookie)
I. Preface
The Cookie security protection function mainly achieves the following two goals:
1. Prevent XSS attacks from stealing user cookies
2. Prevent Cookie-based SQL injection, command injection and other attacks carried in cookie values
Advantages
1. Security (suggestions for breaking it are welcome)
2. Generic
3. Easy to configure
Disadvantages
1. Identification is based on the IP address. Attacker and victim behind the same public IP address share the same key, so XSS can still steal usable cookies there; XSS attacks from someone sharing the victim's public IP address are not prevented.
2. If the client IP address changes after login, the user must log in again.
II. Implementation
The implementation idea is to use AES to encrypt the values in Set-Cookie headers so that the cookie is protected. The process is as follows:
Set-Cookie encryption process
First obtain the initial AES key, then check whether Client IP binding is enabled: if so, the AES key is Key + ClientIP; if not, it is Key. Next, each value in the Set-Cookie header is encrypted with AES; reserved attributes such as expires, max-age and domain are skipped during encryption. Finally, the entire Set-Cookie header is rewritten.
Cookie decryption process
First obtain the initial AES key, then check whether Client IP binding is enabled: if so, the AES key is Key + ClientIP; if not, it is Key. Next, each value in the Cookie header is decrypted with AES. During decryption the security mode is checked: if secure mode is enabled, values that cannot be decrypted are discarded; if not, they are retained. Finally, the entire Cookie header is rewritten.
Configuration
There are four options:
The first is whether to enable Cookie security protection; it is disabled by default.
The second is whether to enable Client IP binding; it is enabled by default.
With Client IP binding enabled, when an attacker steals a user's cookie through an XSS vulnerability, the AES key differs because the attacker's IP address differs, so the WAF cannot decrypt the cookie and the attacker cannot log in to the system. With Client IP binding disabled, XSS attacks that steal user cookies are not prevented.
The third is the security mode.
The default is compatible mode. In compatible mode, when decryption of a value fails, the value is retained; that is, the value that failed to decrypt is forwarded to the backend server as-is. For example, the encrypted session string obtained through an XSS attack is passed straight to the backend, but login fails because the server does not recognise the session value. Secure mode discards every value that cannot be decrypted. Compatible mode cannot prevent Cookie-based SQL injection and similar attacks.
The fourth is the key. The default value is false; once the key is enabled, click the button to generate a random 16-character key.
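The two rewrite processes and the mode switch described above, as an added Go example that is not the wafcookie project's own code: aeadFor implements the Key + ClientIP rule, seal is the Set-Cookie side for a single cookie value, and restoreCookie is the request side with secure versus compatible mode. AES-GCM, the SHA-256 key derivation and all function names are assumptions (the page names no AES mode); skipping of reserved Set-Cookie attributes is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// aeadFor is the page's key rule: Key + ClientIP when Client IP binding is on (pass
// "" when it is off), hashed to 32 bytes. AES-GCM is an assumption; the page names no mode.
func aeadFor(master, clientIP string) cipher.AEAD {
	k := sha256.Sum256([]byte(master + clientIP))
	block, _ := aes.NewCipher(k[:]) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// seal is the Set-Cookie side: one cookie value becomes base64url(nonce||ciphertext).
func seal(g cipher.AEAD, value string) string {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return base64.RawURLEncoding.EncodeToString(g.Seal(nonce, nonce, []byte(value), nil))
}

// open reports ok=false for a value sealed under another client's key or tampered with.
func open(g cipher.AEAD, enc string) (string, bool) {
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(raw) < g.NonceSize() {
		return "", false
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	return string(pt), err == nil
}

// restoreCookie is the Cookie side: undecryptable pairs are dropped in secure mode, kept in compatible.
func restoreCookie(g cipher.AEAD, header string, secureMode bool) string {
	var out []string
	for _, p := range strings.Split(header, "; ") {
		name, val, _ := strings.Cut(p, "=")
		if pt, ok := open(g, val); ok {
			out = append(out, name+"="+pt)
		} else if !secureMode {
			out = append(out, p) // forwarded to the backend as-is
		}
	}
	return strings.Join(out, "; ")
}
```

With GCM, a session ciphertext replayed from a different client IP fails authentication rather than decrypting to garbage, which is what makes the secure-mode drop decision reliable.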
Effect
III. Summary
The core of the Cookie security protection function is that encryption and decryption take place on the WAF, so the key never needs to be stored on the front end; without the key, the ciphertext can be considered uncrackable. With Client IP binding enabled, it effectively prevents XSS attacks from stealing user cookies across the whole site: even if an attacker obtains the ciphertext of a user's session, the WAF cannot decrypt it for the attacker. With secure mode enabled, Cookie-based SQL injection, command injection and similar attacks are discarded because the WAF cannot decrypt them, which protects the backend server. Overall, this function can serve as a low-cost, site-wide XSS mitigation.
For the WAF, this function means that Cookie-related protection rules can be left out when protection rules are developed in the future. At the same time, for performance and risk reasons, the XSS protection rules can be reduced or even removed, which lowers the maintenance burden of the rule set and improves WAF processing performance. XSS can then be handled by the front-end framework and by other methods such as front-end parameter encryption and machine learning.
For existing websites, the Cookie-handling code in the site's architecture can be rewritten to implement the same function; this is not complicated.