8. The Means of Cybersecurity: Access Control 201

webpage requests for authentication cookies so they can “remember” users and serve them the appropriate webpages. In this way, web servers put the onus of maintaining state onto web browsers. Whoever presents the cookie is treated as the logged-in user, so the cookie acts much like a username and password combined.

Figure 8.4 Authentication cookies stored in a web browser for a website.

Authentication cookies are a kind of “something you have” token, similar to the passcodes used in text-message based authentication. Like passcodes, they are randomly generated, with enough randomness that they cannot be guessed, and they are sent to the user by the authentication server after a successful login. They also have an expiration date, though not necessarily as short as a one-time passcode’s. Most banking websites expire authentication cookies after only a few minutes of inactivity, but many websites, such as webmail sites, set much longer expiration periods.

Authentication cookies, like passwords, should travel from web browsers to web servers only over an end-to-end encrypted channel (TLS) to prevent eavesdropping; a server marks the cookie as Secure so that the browser never sends it over plain HTTP. However, cookies still carry the weakness shared by every “something you have” token: whoever holds the token is the user as far as the server is concerned. A cookie stealing attack is when a hacker copies a user’s cookies, enabling the hacker to be authenticated as that user. For example, if Mallory steals Bob’s Amazon cookies, then when Mallory visits Amazon’s website her browser sends Bob’s cookies, and Amazon treats Mallory as Bob. This lets Mallory see Bob’s shopping cart and account information. Mallory does not need Bob’s password for this attack to work: she skips the login page entirely and is authenticated as Bob on the strength of his cookies alone. The attack requires the hacker to obtain a copy of the cookies from the target’s machine, for example by gaining physical access to the computer in an evil maid attack, or by installing malware on it that copies the cookies and sends them over the network.
However, even if an attacker obtains valid cookies, the attack may still be thwarted: the web server may notice that the request is arriving from an unusual IP address or web browser and refuse to honour the cookie, a protection against cookie stealing employed by some web servers. This check is not foolproof, since an attacker on the same network, or malware running on Bob’s own machine, presents the same address and browser that Bob does. Also, to continue the Amazon example, if Mallory attempts something sensitive, such as making a purchase or changing Bob’s password, Amazon may prompt her to log in again just to be sure that the user really is Bob. This is another defense web servers employ against cookie stealing and other unauthorized access attacks. It is a minor inconvenience for legitimate users, who have to log in again, but it limits the damage an attacker holding a stolen cookie can do.
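The mechanics described above, as an added example that is not part of the original book: a small Python session store that issues a random cookie value once the password has been checked, expires it after a period of inactivity, refuses it when the request arrives from a different IP address or browser, and demands a fresh password before a sensitive action such as a purchase. The class and function names, the timeout values and the sample addresses are all assumptions chosen for illustration; a real site would keep the session table in a database rather than an in-memory dictionary.

```python
import secrets
import time
from dataclasses import dataclass

# Policy constants (assumed values for this example; real sites tune them).
IDLE_TIMEOUT = 15 * 60     # seconds without a request before the cookie stops working
REAUTH_WINDOW = 5 * 60     # a sensitive action needs a password entry within this many seconds


@dataclass
class Session:
    user: str
    last_seen: float            # drives the idle-expiry check
    last_password_auth: float   # drives the "log in again for purchases" check
    client_ip: str              # bound at login; a mismatch is treated as possible theft
    user_agent: str


class SessionStore:
    """Server-side session table keyed by the random cookie value (hypothetical name)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the walk-through can fast-forward time
        self._sessions = {}      # cookie value -> Session

    def login(self, user, password_ok, client_ip, user_agent):
        """Issue a fresh random cookie value once the password has been verified."""
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable
        now = self._clock()
        self._sessions[token] = Session(user, now, now, client_ip, user_agent)
        return token

    @staticmethod
    def set_cookie_header(token):
        # Secure: only over TLS; HttpOnly: not readable by page scripts;
        # SameSite=Lax: not attached to most cross-site requests.
        return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def authenticate(self, token, client_ip, user_agent):
        """Return the user the cookie belongs to, or None if it must not be honoured."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]       # expired: forget it
            return None
        if s.client_ip != client_ip or s.user_agent != user_agent:
            return None                     # unusual origin: refuse, ask for a fresh login
        s.last_seen = now
        return s.user

    def reauthenticate(self, token, password_ok, client_ip, user_agent):
        """Record a fresh password entry for an already-authenticated session."""
        if not password_ok or self.authenticate(token, client_ip, user_agent) is None:
            return False
        self._sessions[token].last_password_auth = self._clock()
        return True

    def authorize_sensitive(self, token, client_ip, user_agent):
        """Purchases, password changes, etc.: valid cookie AND a recent password entry."""
        user = self.authenticate(token, client_ip, user_agent)
        if user is None:
            return (False, "login required")
        if self._clock() - self._sessions[token].last_password_auth > REAUTH_WINDOW:
            return (False, "re-authentication required")
        return (True, user)


class FakeClock:
    """Lets the walk-through jump forward in time instead of sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Bob logs in; Mallory replays his cookie. Returns the outcome of each step."""
    clock = FakeClock()
    store = SessionStore(clock)
    bob_ip, bob_ua = "203.0.113.5", "Firefox/120"   # constructed sample values
    mallory_ip = "198.51.100.9"

    token = store.login("bob", password_ok=True, client_ip=bob_ip, user_agent=bob_ua)
    out = {}
    out["bob_browses"] = store.authenticate(token, bob_ip, bob_ua)
    # Mallory copied the cookie but connects from her own machine: refused.
    out["mallory_other_ip"] = store.authenticate(token, mallory_ip, bob_ua)
    # Worse case: malware replays it from Bob's own network with his browser string.
    clock.advance(10 * 60)
    out["mallory_same_origin"] = store.authenticate(token, bob_ip, bob_ua)
    # Browsing works, but a purchase trips the re-login prompt.
    out["mallory_purchase"] = store.authorize_sensitive(token, bob_ip, bob_ua)
    # Bob types his password again; the purchase is now allowed.
    store.reauthenticate(token, password_ok=True, client_ip=bob_ip, user_agent=bob_ua)
    out["bob_purchase"] = store.authorize_sensitive(token, bob_ip, bob_ua)
    # Fifteen minutes of silence and the cookie is dead, stolen or not.
    clock.advance(IDLE_TIMEOUT + 1)
    out["after_idle"] = store.authenticate(token, bob_ip, bob_ua)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:22} -> {result}")
```

The walk-through shows both sides of the argument in the text: the origin check stops Mallory when she replays the cookie from her own address, but not when the replay comes from Bob's own network, and it is the second defense, the fresh password demanded before a purchase, that limits what a stolen cookie is worth. Secure, HttpOnly and SameSite on the Set-Cookie line are the standard attributes that keep the browser from leaking the cookie over plain HTTP, to page scripts, or on cross-site requests.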