In this Chats on the Road to Black Hat USA, hosts Sean and Marco discuss web security vulnerabilities with guests Pedro Adão and Marco Squarcina, exploring challenges, solutions, and the responsibility of the development community.
Guests:
Pedro Adão, Associate Professor, Instituto Superior Técnico, Universidade de Lisboa [@istecnico
On Linkedin | https://www.linkedin.com/in/pedro-ad%C3%A3o-b5b792/?
Marco Squarcina, Senior Scientist, TU Wien [@tu_wien]
On Linkedin | https://www.linkedin.com/in/squarcina/?originalSubdomain=at
Website | https://minimalblue.com/
____________________________
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
Island.io | https://itspm.ag/island-io-6b5ffd
____________________________
Episode Notes
In this Chats on the Road to Black Hat USA, hosts Sean and Marco are joined by guests Pedro and Marco to explore the vulnerabilities and challenges of web security. The conversation begins with an explanation of the Double Submit and Synchronized Token patterns used to protect against CSRF (cross site request forgery) attacks. They discuss the limitations of these patterns, particularly when it comes to the integrity of cookies.
The guests highlight the potential for attackers to modify cookies and the need for better solutions. The conversation then unpacks the complexities of web security, including the difficulties of maintaining backward compatibility and the challenges of multiple components and parties involved in web development, delivery, and operations. They address the importance of revising the security of subdomains and implementing security mechanisms like HSTS (HTTP strict transport security) with the inclusive domain directive.
The conversation also raises philosophical questions about the responsibility of companies and the development community in addressing web security, as well as the role of legislation in this space. The group emphasizes the need for better platforms and frameworks that prioritize security from the start.
The conversation concludes with a discussion on the importance of ongoing research, reporting vulnerabilities to developers, and finding solutions to improve the overall security of web applications. Listeners can expect to gain a deeper understanding of web security challenges and the ongoing efforts to address vulnerabilities and improve the security of the internet ahead of Pedro's and Marco's research presentation at Black Hat USA 2023.
Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa
____
Resources
Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities: https://blackhat.com/us-23/briefings/schedule/#cookie-crumbles-unveiling-web-session-integrity-vulnerabilities-32551
For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas
Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
👉 https://itspm.ag/bhusa23tsp
Want to connect you brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here:
👉 https://itspm.ag/bhusa23bndl
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
Sean Martin: Marco,
Marco Ciappelli: Sean,
Sean Martin: you're always waiting. Milk. Milk or milk or no milk.
Marco Ciappelli: I knew you were gonna go with . We're eating Oreos.
Sean Martin: We're eating Oreos and chocolate chip and oatmeal raisin. And I don't know, do you, do you dip in
Marco Ciappelli: How? How? How about some Cantuccini with Vin Santo? How about that? Let's make it Italian.
Let's make, they're still cookies. So that's what we're talking about today.
Sean Martin: That's right. They all shapes and sizes, uh, different, uh, Different pleasures from eating different, different cookies. Um, I don't know what, what analogy we can pull from that. But, uh, I don't know if you have a rotten cookie. But, uh, let's just say cookies drive the web these days.
And I'm not going to pretend to, uh, to describe all the things that they do and why they're important and what risk they bring to the business. That's why we have Pedro and Marco to talk about this topic with us. So, uh. Cookies and the internet and compromises and they've done some research They're presenting that research at black hat and I'm thrilled to have them on as part of our chats on the road as they join Us from San Diego evidently.
So Pedro Marco. Thanks for thanks for being on.
Pedro Adão: Thank you. Thank you for the invitation
Marco Ciappelli: Absolutely. And we were joking even before we started recording about the fact that you are literally going to be on the road. You are already on the road from Europe to San Diego in California. And then you're gonna go to to Black Hat and the all other things that happen in Las Vegas during Hacker Summer Camp.
And so you're kind of like taking our hint of chats. On the road. And we are excited. We're excited to learn about what you're going to be talking about there. And actually, I think Sean was curious about what are you doing in San Diego to start with?
Sean Martin: Let's start there. And then and then we'll hear.
Pedro Adão: This year, uh, this week we are here for the International Cyber Security Challenge, or the, um, International Cyber Games, uh, that are happening this year.
It's the second time that they happen. Last year they happened in Athens, and the goal is to gather young talents from different regions around the world, and they compete in a security competition in the CTF. for today. So today is the, uh, preparation day and the competitions is, uh, are tomorrow and, uh, and Thursday and then Friday, the award.
So we are really on our way to Vegas at some point on Saturday, we start our,
Marco Squarcina: you're the coach of team Europe, right? Yeah. Yeah.
Pedro Adão: I'm one of the coaches from team Europe and Marco is one of the jury members. Um, so we. We are really on the way to Vegas
Sean Martin: to hack some folks and hack each other and be judged in doing so.
Marco Ciappelli: And I'm definitely going to be like, go team Europe. I'm with you guys.
Pedro Adão: Let's see, we'll do our best, as all the others.
Marco Ciappelli: Of course.
Marco Squarcina: I'm not supposed to root for anyone, because I'm a member of the jury. So, you know, it's okay.
Sean Martin: Don't say anything you regret, Marco. Um, I will say that, uh... We love what, uh, Jessica Gulick does with that, uh, that program.
It's really cool. Uh, we, we actually covered the event last year in Athens remotely. And, and, uh, I mean, it's perfect for what we need these days to help understand how businesses can be compromised, how they can be attacked, how you protect them and bring teams together to, to simulate that and, and help, help the next generation learn, learn new things.
And speaking of learning new things, you're going to present. Black Hat, and we're gonna get into that topic, but first I want to know who Pedro and Marco are. We don't, we know you're in San Diego, but we don't know who you are, uh, outside of San Diego, uh, in Europe. So Pedro, you're up.
Pedro Adão: Okay, so my name is Pedro.
I'm an associate professor in the University of Lisbon. And, uh, I had, I play CTFs. In fact, I'm a hacker by accident. And this folk is one of the, uh, responsible for doing this. So basically I started playing CTFs when I was working with, um, Ricardo Focardi that, uh, was a Marco supervisor. And then I just got in love with, uh, with CTFs and what was.
Previously, a mathematician just became a computer scientist with interest in hacking and all this and teaching new generations. And, yeah, and the work we are going to talk about today was something that was born while I, while I did my sabbatical last year in, uh, in Tuvin, uh, where Marco is now.
Marco Squarcina: Yeah. So hi, I'm Marcus Corcina.
I'm Italian, come from Venice, the actual island. Uh, but I'm a senior scientist at TUV now in Vienna. So it's just like a nice move, like from, from Venice to Vienna. I can't really complain. It's like two beautiful cities, to be honest. Um, yeah, so I started playing CTS. So I'm like in this kind of like field starting from like 2009.
Um, I'm the proud creator of the name for the Italian team, Maccheroni. That's like my creation. That's like something I'm super proud of. Uh, yeah. And I like to do knowledge transfer and passion transfer, like, uh, you know, uh, pushing forward to the next generation. So try and like to help them finding what they like is just like my passion.
That's why probably we're in academia, right. And we didn't move to the private sector. So yeah, in terms of research, I mainly do web security. That's my, my focus. I did a bit of everything in the past, but yeah, now mobile and web insecurity are my things.
Sean Martin: I love it, and I mean, let's be honest, the work that you're doing, the research, it's one thing to Do that research, maybe even write about it, document it, but to actually take time to put a presentation together and connect with the community to, I presume, not just share your findings, but also talk about some of the processes that you, that you went through to, to do that work, um, kind of teach the teacher, right?
Uh, that Marco and I often talk about. Um, yeah. So in the spirit of teaching, uh, folks, let's not dive too deep straight away into what you're talking about in terms of the findings. Uh, let's kind of paint a broad stroke for folks who might not be familiar with cookies and their role in. Accessing the internet and websites and taking actions through these services.
Um, and then we can get into how they can be abused perhaps. So who wants to paint a picture of what cookies are and their role in, in uh,
Pedro Adão: Our life, right? So let me just start to say that, in fact, one of the things that we are putting the presentation for black hat is really, we got putting the thought process that was in all these research. So the, the, the, the presentation is really how the research happened. And that's really, really cool.
Marco Squarcina: Like this is, this is also like a quite different from the paper, because like the paper is a formal publication in which you go like through the background, like, and you present things formally, right? But the presentation is more about the story, the story that like we went through, like to do this research.
So it doesn't really follow the structure of the white paper that we will attach to our presentation. But yeah, I think, I think it's going to be like more engaging this way. Um, okay. Let's talk about cookies. Um, so, you know, like the web runs, uh, because of the HTTP protocol. And we like to say that the HTTP protocol is stateless.
There's like no way like to preserve some state between one request and another. How do you maintain state, uh, with cookies and cookies are like this little piece of like information that is attached between like one request and another. So like a cookie can represent your username on a website or can, uh, it can be an identifier that represents the content of your basket on an eShop.
Okay, so you can navigate it through the website and then you maintain like your, your basket. And the basket does not like disappear after you click on few links here and there. So this is like what cookies are used for, and they're mainly used for authentication. So whenever you have a, a username on a website and you log in by submitting your username and the password, then you receive a cookie.
That, uh, means that you are authenticated on that website and you have an identity on that website. And by. Keeping on like sending this cookie over and over at each single request that you maintain like your authenticated state with that site. So that's like the picture about cookies. What are they? And of course, like a fundamental piece of fundamental like component of the web architecture, because that's still like the main way to maintain state.
Marco Ciappelli: And that's a good story because people can understand how, okay, you know, that if I do the things that I do online, it's because of that. If it makes my life much easier. It's like having a, I don't know, a badge in the backstage of a concert allows you access. They know who you are and all of that. But then.
There's the bad guys and, and things didn't go wrong. So let's go, let's go there.
Marco Squarcina: The bad guys are also like the companies. I mean, cookies have been abused for, for ages to track people online. Right. Uh, and this is like a problem of the so called like a third party cookies. And they had been abused, like to track, uh, the, the navigation of, uh, of a user across like multiple websites.
And then understand, like, the cross site profile of this user, which is, like, best for privacy. But here we are talking more about, like, security, not just about privacy, right?
Pedro Adão: Yeah, so here what we wanted to show, and as Marcos said, so the cookies are the fundamental identifier in the web. So making sure that the integrity of the cookie is preserved and that no one can somehow mess up with the cookies.
Identified we have or with the content we have, that's fundamental to preserve the integrity of the Internet and integrity of the communication. So our work is basically goes into how can cookies be messed up? Um, so that non intended behaviors then become possible. So that's kind of the line that connects our whole story.
Marco Squarcina: So you're saying that cookies have weak integrity, right? Uh,
Pedro Adão: yeah, that's exactly that. The problem is the weak integrity of the cookies. And, um, how can we, um, how can a malicious adversary abuse it?
Sean Martin: Yeah, I think I love the word integrity. It's one. It's one of the attributes of cyber that I think we often miss out on.
Right. So let's talk about what what needs to have its integrity maintained. So clearly, The, what represents that session or that person in that, doing that transaction, the identity of that, right, is, it's important that it has integrity. What about, are there other things in the cookie, are there chocolate chips in there that says, This is how, this is how somebody behaves.
They, they typically look at things that are yellow over blue or, or they, they shop at this site over this other one. What, what's, what's in there that, uh, needs to have, well, what's in it. And I guess what can be done with it. Those two things where integrity is important.
Marco Squarcina: Um, so like cookies are used like for.
Multiple things. So we said like to maintain like your identity on a website, but also to to to bring like some protections on the web against a certain classes of attacks. And one of these classes of attacks is called cross site request forgery. All right, uh, this is like the typical instance of the confused deputy problem, meaning that, uh, let's say that you have an account on bank.
com, all right, uh, where you usually do, like, your financial transactions and there is an attacker that, like, brings you to visit, uh, another website that is like, uh, evil. com, all right? And then, like, from evil. com, uh, the attacker can, uh, can perform through your browser. A request. Towards bank. com, uh, doing a financial transaction to other people whom you don't know, and like, you lose money, like, in this way.
How does it work? It works because the cookie is still attached to this cross origin request, okay? And because the cookie is attached, like, to this cross origin request, then, like, it is, uh... A tech called CSRF or CSRF for someone else takes place and is successful. So how do you prevent this, this vulnerability to take place?
You have different ways. Nowadays, like the, the to go solution is to use like same site cookies. Same side cookies are great because they restrict the navigation within the same site. So like a connection from evil. com to bank. com will not attach the cookies. And so like the attack cannot work anymore, which is great.
Okay, the problem is when you have the attacker in the same site of bank. com, which sounds like a pretty... extreme, but in practice this is really not the case and it's like a very common scenario. So if the attacker controls, let's say like a subdomain of bank. com, I don't know, like yeah, sounds great. Hr.
bank. com. Uh, then like, uh, what can happen is that the integrity of cookies. Uh, and not just integrity, uh, but also like cookies are attached automatically to all the requests that are like a flowing, uh, in the context of the same site, no matter what is the attribute, uh, the value or the same site, uh, uh, parameter for cookies.
So this is like the thing. Um, one of the, uh, standard protections against the CSRF is called like a alternate is called like double submit. And basically the idea is like very simple. You, you send a secret together with a value in, uh, in your cookie. And if this secret is sent to the website, and this value matches the value of your cookie.
Uh, then like, uh, the request is processed by the server and then, uh, it's considered to be okay ish. Uh, the problem is that like, uh, in the context of the same site, the attacker can mess with the integrity of the cookie, can modify it, and then this protection collapses. This is a known problem. Uh, it's not like something that, like, we discover, like, uh, in this, in this research.
This is like something known, like, for ages already. We brought like this text further.
Pedro Adão: Yeah, so the thing is that as another alternative that was secure against the Subdomain Controlling the subdomain there was another protection That is called the synchronizer token pattern who's who that was Uh, the purpose of solving this issue.
Uh, and basically what we found out is that, um, using the synchronized synchronizer token pattern from a sub domain, uh, we can also exploit it in case when there are some flaws in the logic of the validation and of the management of the, um, of the tokens. And so basically, our research is is about that is how can so we present the solution that was known to be vulnerable.
But then how can you take the one that is supposed to be secure? And how can you take that and show that that one, in some cases, it's also insecure.
Marco Ciappelli: What I want to do is see cookies right now. That's right. I'm kind of scared because I don't know what I put in there. If it's the real cookie or another cookie.
Um, alright, what I would like to do here and I don't want you guys to give up everything that you're going to present. I think you already gave a pretty nice picture, although I'm sure Sean may have some technical question after me, but I'd like to make a connection with the fact that you said that It's a known problem, and we already know for a long time that there is some vulnerability, there is a way to, uh, to use it in a nefarious way.
And I'm wondering, even if the Internet itself was born on trust, we never even thought about security was going to be a problem. And we were all living in this la la land of, you know, like L. A. here. Um, why are things not? Moving so fast and who is really controlling this? Because I can see that the companies, the bad companies or the one that can make a lot of money by exchanging this privacy information, they wanted to keep it maybe this way and maybe don't care so much about the inherent.
In here and risk of people abusing it. But at the same time, I mean, we're talking about risk for financial health data and all of that. So my point is, where are we as a community, but also as a business community, not just the info sec community addressing this? Even from a legislation perspective, I mean, you guys come from Europe.
I know we do things a little bit different between the U. S. and Europe, so an overview maybe on the effect of this on our society and the way we do business.
Pedro Adão: Yes, I think that basically the developers are not making these mistakes by, uh, in purpose. So I think that, uh, honestly, a very great experience, uh, reporting these vulnerabilities to developers and coming up with solutions that would make the, uh, systems better.
And I think that it was a great positive on, on the, on the, on our research, but the problem Most of the problems we found, they derive from the fact that there are many technologies, many components in the web, that they are very well thought and very well tested in isolation. And when you start putting them together, then there is this corner case that does not match the corner case of the other case.
And so basically then there is this mesh of technologies, and that's where the, that's probably the root cause of the vulnerabilities we found. So we found. Issues that basically browsers and servers don't do the thing, don't think about the same object the same way or two different libraries that don't think about the same object the same way.
And so this, this interaction and we are always building up and putting new technologies and interacting new, putting new pieces in the puzzle. And so most of the vulnerabilities derived from that. Uh, I think that's kind of one of the takeovers of the. of our research is that when you develop a mechanism, when you develop a standard for the web, all browsers will implement that.
But there are other pieces in the game and basically all that has to be thought well. And in fact, Marco...
Marco Squarcina: Security is hard. I mean, that's the thing. And it doesn't involve like a single component in isolation, but it must like involve everything that is used like in the web platform. As Pedro said, like servers, clients, standards, middlewares, uh, and everyone must, uh, have a common understanding, must have like an agreement on how the technology like must be implemented, must be used.
Whenever there is a disagreement for like a multiple, uh, range of reasons, then problems can arise. Um, that's like one thing. The other thing is uh, maintaining like a backward compatibility that is something that is cursing the web like since its creation. The web like was not just born without security but it was like born for a completely different purpose.
It was like a content distribution platform, right? Uh, this is like in 93. Now, like, the web is what? Like, it's an application distribution platform. Or, like, it's like that place where everyone can run code on your machine. Because, like, websites are applications, like full fledged applications. Now we have even binaries running in the browser, like, using WebAssembly.
So, it's a crazy place. It is, like, difficult, like, to keep secure because, like, there's multiple moving parts. All together, all at the same time, developed by multiple parties. Um, yeah,
Marco Ciappelli: I think we should pause the internet. Like AI . Just agree. Let's write a letter. We just pause it for like a few days. ,
Sean Martin: let's have a rewritten
Marco Squarcina: while it's Yeah.
You, you, you really, you really can't right? Reboot every, every time. Like you try, like to change something. Uh, you make like someone, uh, unhappy. A very funny, funny case, like in my opinion, like when Chrome, like some time ago, like pretty recently decided like to disable, like here, well, so decided like to disable the pop up messages, like the alert message from a cross site iFrame, which is something like should never happen in the real world.
Uh, but a lot of developers, uh, became angry at Chrome because like, oh, that you change like this behavior, but like that behavior is crazy. Like it's super insecure. Um, so yeah, it's really difficult like to fix the web because you, you must like fix it. In a way that preserves backward compatibility, but the problem is that backward compatibility.
So you must like ensure functionalities and security at the same time. And we know that like these two things are pushing in different directions.
Sean Martin: So tell me, I like to get into ops stuff a bit here. So let's assume that the consumers have very little. to protect themselves with, in these cases. So it's really, it's really on to the developers and the ops and then the business teams building the stuff to kind of get it right on their behalf.
Um, so with that assumption in mind, who. Who, I'm not talking, uh, policy makers or, or grand, uh, research organizations, but who, who within a company, let's say, which teams within a company should be looking at this and given your points on how complex things are, um, picking up a new, new open source library can change something, uh, Chromium update could change something and extension could change something.
Your app code could change something. How does it, How does a company get a handle on this and who, who kind of leads that charge in your?
Marco Squarcina: I think I can answer this. Like, this is a very good and difficult question. Um, but I have an idea how to solve that. So it's impossible for a company to keep track of everything.
Like, uh, I'm a, I'm a researcher. I like web security. For many years. And even for me, it's absolutely impossible to keep track of all the changes in the web platform. So if it is impossible for me, it's also impossible for like a company, unless like the company is Google, but like, it's like very, very difficult.
It's a hard job. So the thing that like it should do, it should do like in any case, you take the threat model and you try to minimize the risk. So you try to minimize like the factors that could be used by attackers to exploit, uh, your company. In this case, what shall you, like, shall a company do like to try, like to revise the security of the subdomains, uh, to, to eliminate like subdomains, so like a root causes for like subdomain, take cover for example, and prevent, uh, network attackers to mess with your company.
Uh, and in this case, like there is this security header that is called H S T Ss. Uh, if it is deployed with a specific directive called, uh, includes a domain, then you can, uh, let's say sleep better. Uh, and I wouldn't say like forget about network attacks, but yeah, it's a good thing to have. Um, and still like 90% of websites out there do not implement this security mechanism with this directive.
For what concerns like subdomain takeover and like problems of the confinement within the same site. We had a paper like two years ago, so like we, we formally like faced the problem. We also did like some measurement. We managed like to exploit more than 1, 500 subdomains of high profile websites, like Lenovo, CNN, um, many other like top profile websites.
So it's a. It's a problem that is still out there, the solution is simple, but you need like to revise the security of your DNS records every week. Otherwise you expose yourself to attackers that could abuse your subdomains. Take over your application, like your relevant applications in the, um, uh, in the domain of your, your website.
Pedro Adão: And another contribution of our work, uh, is that we also, uh, address the, the web development framework. So, basically, we also think that probably we should not put the security on the... shoulders of the programmer, but rather provide him, um, with a better, um, better platforms to develop their codes, more secure platforms so that a problem can be solved upstream and not for just for that particular developer, but be solved for all the developers.
That's one of the other contributions that we
Marco Squarcina: contacted. You're talking about like security by default, right? Yes. Uh, but security by default is not always possible. Because then like, uh, you, you affect the compatibility and functionality. It's always like the same problem, like, uh, you have the, the blanket that is like, it's like pretty short and if you start like pulling from one side or another, then like, uh, something will be, yeah, uncovered.
Sean Martin: Some, some limb is exposed at some point. Hopefully it's the hand with the cookie so I can eat it. So I'll stop making jokes about cookies and, uh, I'll, I'll note, I have to say it though. The Cookie Crumbles Unveiling Web Session, Integrity Vulnerabilities, that's the name of your session. It's on Wednesday, August 9th, 2.
30 in Islander FG. Uh, 30 solid minutes of unpacking and hearing a story of CSRF and CORF. Um, it's going to be a great session, no question about it. And I'm thrilled you guys came on to give us some insights into this. To help tease it out and hopefully a bunch of folks join you and learn more about this.
Thank you very much.
Pedro Adão: Thank you for having us. It will be a really a presentation on how the research was done and we'll share as much as we can from the experience because that I think it's also I'm
Marco Squarcina: pretty sure I'm pretty sure that like, uh, Attendance will find something quite unexpected, you know, like it's just shocking for us.
So it's going to be shocking also for people attending the session.
Marco Ciappelli: So I want to thank you so much. I want to wish you a good trip to Vegas. We'll publish this as soon as possible. And, uh, for everybody else, we will be keep covering. We have the all week full of, uh, conversation with people that are presenting to Black Hat and, uh, not only Black Hat, there's the entire, the entire Hacker Summer Camp going around in Las Vegas anyway, so stay tuned everybody and, uh, subscribe, share and, uh, keep eating cookies.
But check the expiration date, maybe.
Sean Martin: Thanks guys.
Marco Squarcina: Thank you. Thank you. Bye.
Marco Ciappelli: Bye bye.