Cookie Stealing - Computerphile

  • Published: 31 May 2016
  • Cookie Monster isn't the only one fond of cookies - thieves on the Internet are partial too. Dr Mike Pound demonstrates & explains the art of cookie stealing.
    Related videos:
    Follow the Cookie Trail
    Cracking Websites with Cross Site Scripting
    Space Carving
    Deep Learning
    Secure Web Browsing
    Anti Counterfeiting & Conductive Inks
    Object Oriented Programming
    Security of Data on Disk
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 832

  • @stevensanders9219 5 years ago +882

    This guy has forgotten more about computers than I'll ever learn

  • @lmiddleman 8 years ago +2154

    Shouldn't this video be called "Biscuit Nicking"?

  • @DarkOracleOfDeath 6 years ago +505

    I hate you guys. I have stuff to do, it's almost midnight and I keep on watching your so very interesting videos.

  • @CRJessen 8 years ago +234

    Dr. Pound is really good. I want more videos from him.

  • @atmunn1 7 years ago +31

    This guy and Tom Scott are my 2 favorite people on Computerphile. I just wish Tom still made videos on here.

  • @4pThorpy 8 years ago +19

    When I explain session IDs to other people (who usually couldn't care less), I always explain it like this: There are "blind guards" to "doors" in a webpage. At the front of the website there's someone who asks for your secret password, you tell them the password and they give you a special badge with Braille on it. You walk into the website and when you feel like going to another "room" (page)...you walk up to the guard and they grope you and say "oh well...you MUST be that person or they wouldn't have let you in, so I'll show you the stuff that only you are supposed to see"......the problem is when someone else makes a copy of that badge...the guards can't tell the difference. Then I go on about cross-site scripting until they go cross-eyed and then I install the NoScript browser extension for them cause they said "I don't care "how" it works...just make it so they can't do it."

  • @AndrewMeyer 8 years ago +66

    11:37 It might be worth emphasising here that the reason this works is because the script specifically read the contents of the cookie and included it in the URL parameters for the image. Normally the browser will not send cookies intended for one site to a completely different one.

    • @Hasi29347 3 years ago +6

      I agree, also worth mentioning a little bit about CORS while he's at it.

    • @OwenMiller9825 1 year ago

      Thanks, I was confused about why this would be happening

  • @richardv519 7 years ago +320

    Computerphile drinking game. Take a shot every time he tugs on his sweater.

    • @freestlz1 4 years ago +7

      Yes looks like it’s a tic.

    • @roseforeuropa 4 years ago +9

      @richard vicente Take a drink every time he ends a sentence or clause with "okay?"

  • @mistermuffin710 7 years ago +14

    I love these videos that you and Tom Scott do here on Computerphile with ways people can and do hack websites while providing LEGAL examples. I would really like it if you and Tom Scott do more of these.

  • @RetroFanEnt 7 years ago +6

    If I knew of this channel earlier my web projects would've benefited from it so much!

  • @AndrewMeyer 8 years ago +21

    Might also be worth mentioning the HttpOnly flag for cookies here. I mean, obviously if you're vulnerable to XSS that's a serious problem regardless of what other security measures you've taken to protect users, but at least with HttpOnly set the JavaScript won't be able to steal cookies.

  • @2Cerealbox 8 years ago +145

    Upvote for that blog alone.

  • @bunnybreaker 8 years ago +62

    I'm so out of the loop. I didn't even realise this was possible in this way.

    • @crypticmauler 8 years ago +21

      please tell me you're not making websites for banks or shopping sites :-D

    • @bunnybreaker 8 years ago +38

      I just resigned after watching this video.
      Since I have resigned, the sites are not fixed.
      :P

    • @knucklesamidge 8 years ago +14

      +bunnybreaker
      You just need to escape all user input values before you print them to the view. That's it. That way it just comes out as text of the code. Just make sure you always do it at the view layer and never close to the DB or controller.

    • @TheHaughtsauce 8 years ago +3

      +knucklesamidge
      Absolutely correct. I made another comment about this mistake that was mentioned in the video. People aren't getting it.

    • @bunnybreaker 8 years ago +24

      Just to clarify, I was joking in my follow up comment. I haven't made websites in years. I'm more disappointed in myself for not knowing about this from an end user perspective, rather than as a web dev.

  • @ghelyar 8 years ago +3

    For anyone thinking about pinning an IP address to a cookie, don't. Not only does it change if you move to new wifi network, it changes if you move between wifi and mobile, if you move between cell towers, if you're on public transport which offers free wifi and some ISPs even use a different IP address for every request (albeit usually South East Asian dial up connections). I've had people complain that they couldn't log in to a website before because their IP address changed between submitting a login form and getting the response back.
    Also, if you really want to secure yourself from SQL injection you should use prepared statements, ideally with stored procedures, and never adjust the base query at all. Escaping is not generally good enough to stop more advanced attacks.

  • @OfficialPirateFraser 8 years ago +1016

    alert("Just testing... :P")

    • @AgentM124 8 years ago +381

      *RUclips is Smarter Than That*

    • @OfficialPirateFraser 8 years ago +36

      Agent M Of course, google just throw loads of money at it so obviously...

    • @DaRealMaus 8 years ago +300

      *

    • @knucklesamidge 8 years ago +20

      +OfficialPirateFraser
      It's pretty fkin simple to get around it. You escape it just like you do with database statements.

    • @d3line 8 years ago +28

      AFAIK you can just replace < with &lt; and > with &gt;
      That's it, no html tags could get through this...
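
The two defences suggested in the comments above, escaping user input at the view layer and marking the session cookie HttpOnly, as an added example (not code from the video or from any commenter). Function names and sample data are constructed; the encoder also covers `&`, `"` and `'`, which goes beyond the `<` / `>` replacement mentioned above, because quotes matter inside attribute values.

```javascript
'use strict';
// Added example: all names and sample data below are constructed for illustration.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for an HTML text node or a quoted attribute value.
// '&' is included so already-encoded input is displayed literally, and the
// quote characters so a value cannot close the attribute it is placed in.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// View-layer rendering (hypothetical template): the comment stays raw in the
// database and is encoded only here, where it is written into the page.
function renderComment(comment) {
  return (
    `<div class="comment" title="${escapeHtml(comment.author)}">` +
    `<p>${escapeHtml(comment.body)}</p></div>`
  );
}

// Build a Set-Cookie header value for a session ID.
// HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
// plain HTTP, SameSite=Lax limits when it is sent on cross-site requests.
function sessionCookie(sessionId, maxAgeSeconds = 1800) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('unexpected session ID format');
  }
  return [
    `sid=${sessionId}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Audit helper: list the protective attributes a Set-Cookie value lacks.
function missingCookieFlags(setCookieValue) {
  const names = new Set(
    setCookieValue
      .split(';')
      .slice(1) // skip the name=value pair
      .map((attr) => attr.trim().toLowerCase().split('=')[0])
  );
  return ['httponly', 'secure', 'samesite'].filter((flag) => !names.has(flag));
}

// Constructed sample: a stored comment carrying markup, as in the video's blog.
const storedComment = {
  author: 'Mike "cookie" Pound',
  body: '<script>alert("Just testing")</script>',
};

console.log(renderComment(storedComment));
console.log(sessionCookie('constructed_session_id_0001'));
console.log(missingCookieFlags('sid=constructed_session_id_0001; Path=/'));
```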

  • @kimjongun9915 6 years ago +435

    I steal my grandma's cookies all the time.
    Much easier than the way you do it.
    I just reach into the jar.

    • @moosetwin9023 4 years ago +13

      ok kim

    • @BharCode09 4 years ago +3

      But you are Kim Jong Un!

    • @dinomra7771 4 years ago +14

      @@BharCode09 He stores his cookies in his nukes.

    • @suola-sirotin 3 years ago +16

      I thought that jar was a .jar java file for a second...

    • @ClassifiedPerson 2 years ago +4

      @@suola-sirotin when you're big brain and can't understand the joke at first glance

  • @user-nl5hj4dy7y 8 years ago +485

    Don't get ghostery... It's owned by ad targeting companies.

    • @Frosty-oj6hw 8 years ago +79

      Get Privacy Badger, it's made by the EFF and stops tracking of 3rd party cookies.

    • @addLDN 8 years ago +3

      It's a browser extension. If you click on 'Why Ghostery' then 'for consumers' you should get to the download pages.

    • @user-nl5hj4dy7y 8 years ago +28

      I'd actually suggest uMatrix - it's by the same person as uBlock Origin and allows complete control of all requests made by your browser.

    • @Anvilshock 8 years ago +3

      ABP, block any and all ad and tracking sites at 2ndLD-level.

    • @MrNacknime 8 years ago +2

      If it works, it doesn't matter who made it.

  • @MrEnderChop 6 years ago +58

    4:02 "Your blog is bad, and you should feel bad." Futurama reference.

  • @knucklesamidge 8 years ago +7

    Fantastic video!! I already knew all this stuff but still very enjoyable to watch. More web dev stuff please!

  • @mohamedhabas7391 1 year ago +1

    Thank you for always providing clear content Mike

  • @alexwolfeboy 4 years ago +10

    You guys should do a series on stuff like this and how to try and prevent it. Since not too many people realise stuff like this especially when they begin coding - even Twitter has this happen not that long ago. I see how you show how it’s done, but you didn’t show how to prevent it ( an easy way that I use, is replace all angle brackets with the HTML code for it - it’s an ampersand and some text - now it won’t be valid HTML ). Heck, maybe even videos on how to secure your server itself.

  • @The_Tribute_Maker 3 years ago

    Looked up ghostery as soon as you mentioned it and installed it to both browsers I use. Thanks!

  • @lucashansen7149 2 years ago

    Good job as always, Mike.

  • @acruzp 6 years ago

    Mike Pound is my favorite Computerphile host

  • @Kishibe84 8 years ago +2

    I love Mike Pound's videos!

  • @goeiecool9999 8 years ago +6

    I actually heard a story of the valve steamworks not being protected against XSS which would allow a rogue developer to put HTML tags in the description of their app description and steal the cookies of any valve administrator visiting the info of his app.

    • @goeiecool9999 8 years ago

      dicription of their app description. :/

  • @pcpmtiservicos9855 4 years ago

    Great explanation about this issue. Thank you very much.

  • @deineoma1301 4 years ago +11

    It would be awesome if you could provide your test website codes so one could try out for themselves and follow along
    Thanks for the awesome content

  • @vortyx090 8 years ago +1

    very nice videos, computerphile, keep the good job

  • @kowalityjesus 8 years ago +2

    so over my head, but nice to have an inkling of what it means!

  • @fablungo 8 years ago +4

    There are lots of complicated and simple methods that you can implement between IP locking the cookie and nothing. Been a while since I had to develop a web app, but a common technique I would use would be that every time a request is made a new session ID (or a secondary ID) is generated and the last one is invalidated. This will mean your session ID keeps changing, reducing the size of each attack window and if your cookie is stolen and used when you next request with the cookie the attacker has invalidated, it can invalidate both sessions and notify the end user/server administrator that there has been a potential security breach. It doesn't stop the attacks completely but it's a nice technique to make it harder and notify a user of the issue.

    • @feldinho 8 years ago

      Until the user opens multiple tabs…
      You don't need to break the web in order to keep your users safe from XSS, just escape all the user-generated HTML and you're done!

    • @fablungo 8 years ago

      Felds Liscia If I am not mistaken, cookies are per computer, not per tab, do some page load on one and when you do to do one on another it should send the cookie as updated in the first tab. Not sure if it can be broken with close concurrency though (i.e request one page and then another before the browser has handled the response to the first).
      I probably wouldn't implement anything this strict except in an administration backend but this protects from more than XSS. Obviously you should always escape inputs no matter what and that is the minimum level of protection required because XSS can do more than just cookie hijacking.

  • @ocoro174 6 years ago +19

    god bless this man. what a legend

  • @nils-erikolsson3539 4 years ago

    Very interesting and eye-opening videos, pedagogically told. Simply great.

  • @ImGeoX 4 years ago +2

    Great video and explanation. However, it would be nice to have a section on how to protect yourself from XSS.

  • @crypticmauler 8 years ago +1

    you should do a video on Content Security Policy (CSP) and show how it can be used to protect against these types of attacks when having to use 3rd party applications which you may have little control of how they did their security.

  • @WannabeWant3D 8 years ago +2

    That's still vulnerable to sql injection, because you used mysql_real_escape_string, instead of mysqli_real_escape_string. The i stands for "improved", so obviously that's the one we should use. The other one has some subtle bugs, mainly character encoding ones.

  • @kopuz.co.uk. 8 years ago +2

    This takes me back to redirecting quest books.

  • @kvelez 1 year ago +1

    0:49
    Requests
    1:50
    Cookies
    2:42
    Stealing
    3:30
    XSS

  • @whiteeyedshadow8423 4 years ago +2

    I've nearly had my cookies stolen twice (or more) on discord! It was some kind of script that ran when you joined a server...and it's quite clever

  • @karlsmile7054 5 years ago +2

    Really amazing
    So well described
    So exciting

  • @efraimg8543 4 years ago

    Thank you
    As far I am aware, if an attacker will gain the session ID he won't be able to use it again because it was already used by the original user.

  • @arturssosnars811 4 years ago +2

    One thing that would be nice in these videos, imo, would be simplest ways in few words, how to defend yourself from most known exploits for new Web developers, uni students etc

  • @jopaki 8 years ago

    Excellent breakdown.

  • @shayansec 2 years ago

    "I get back an image and I think nothing's gone wrong but they've now got my cookies" scariest words.

  • @AntoshaPushkin 8 years ago

    Who is this guy? He is the coolest one to tell about computers at this channel, the videos about computer vision are totally amazing and this one was great too despite I've known all the information long before I've seen it. But if I need to tell someone what "XSS" is, I will definitely give the link to this video

  • @Doct0r0710 8 years ago +6

    I remember when Facebook didn't require https for their mobile site. Soo many users details were visible in my school when I fired up FaceNiff or Firesheep. (ARP poisoning, traffic sniffing, cleartext cookies)

    • @Doct0r0710 8 years ago

      +pm79080 but that's effort. I don't like doing effort.

    • @Doct0r0710 8 years ago

      +pm79080 that's even more effort. You just can't match with my laziness

    • @knucklesamidge 8 years ago

      +pm79080 what do you mean? Google returned nothing

  • @SlyMaelstrom 8 years ago +27

    "It bags my cookie" sounds like British sexual innuendo.

  • @moebrowne 8 years ago

    Lots of PHP frameworks will now change your session ID on each request (while keeping the data associated to the new ID), this prevents these types of attacks as the ID that gets stolen is immediately invalid

  • @youtuberocks8397 7 years ago

    You are a crafty man thanks for the lesson..........

  • @gyroninjamodder 8 years ago +8

    This video seems like it might transition into a video about CSRF pretty well.

  • @MikeTrieu 1 year ago

    Reauth when performing important tasks is one method of hardening security. Another might be to challenge again if geoip logs detect impossible travel (i.e. it suddenly looks like you're on the other side of the world or, at least, a completely different Autonomous System).

  • @WhiteHeart_infosec 5 years ago

    Excellent !!!!! Ty for such an excellent videos

  • @pablostreams 6 years ago

    BRUH this guy really knows his stuff wow.........makes me wanna drop electrical and pick up programming/coding

  • @ammobake 7 years ago +1

    Is it possible to use a similar concept to hijack someone else's toolbars/browser add-ons? I've heard of manipulating or tricking a user's browser to open a blank toolbar. This toolbar runs a script that allows you to access the user's local drives/files. Though I'm not sure it's seamless (not a true remote session). It seems strange that it would be possible but I can confirm I've seen it happen.

  • @AlbertSirup 7 years ago +5

    the interviewer really sounds like the guy from sonicstate. I always thought Brady was doing the interviews...

  • @dsnunes 5 years ago

    Even a "myimage.jpg" can perfectly be a php file (or any other scripting language, fwiw). The "file extension" concept has no place in HTTP protocol, so the browser doesn't actually know if "image.jpg" is an image or anything else named like that (including a folder). It doesn't even have to exist on the server, as you have multiple configuration options for your routing and rewriting of the request paths once the request hits the server.

  • @j2simpso 4 years ago +3

    Trading a browser cookie for a photo of the Cookie Monster? Seems like a fair trade to me! 🤣

  • @realmikekotsch 7 years ago

    Can you get this guy to explain software models, functions, attributes … I understand so many things for the first time when he is explaining it.

  • @Crazytomm 4 years ago

    This would be good to go through if you're going to take your CompTIA Security+ test

  • @aranw 8 years ago +8

    "It's all very positive. Oh, well, nearly." My words exactly when I get 25% on an assignment.

  • @JerenVelletri 8 years ago

    oh man why do so many good videos come out after midnight

  • @MegaMrMarlboro 7 years ago +1

    An alternative to XSS and often used in Spam emails, is Clickjacking. Look it up if you're a web dev, or perhaps a video on this would be nice +Computerphile

  • @AlexGW 5 years ago +2

    7:14 Code like that, takes me waaay back 😂

  • @osiris5449 6 years ago

    Great video. I already know all this but know; PHP Sessions and Cookies are WAY different. Just like LocalStorage.

  • @Seegalgalguntijak 8 years ago

    03:46 shows a Samsung subnotebook with a TrackPoint. Which model is it? I really need my TrackPoint, because TouchPads are crappy to use and whenever I have to use them, I feel the need to smash the machine against the wall. So what laptops are there that have a TrackPoint - except for Lenovo ThinkPads, of course??

  • @PlexusTen 4 years ago

    Excellent video

  • @justin3594 4 years ago

    I love that he’s using MariaDB

  • @raymondtan9112 5 years ago

    Prof. Can you please do a similar video for heap overflow? Thanks

  • @TylerMatthewHarris 8 years ago +24

    Better not steal my cookies

  • @DampeS8N 8 years ago +165

    :( Use the mysqli interface or PDO and prepared statements - do not use mysql_real_escape_string() any more. Come on Mike.

    • @CrazyLogic 8 years ago +2

      glad i wasn't the first to notice!!

    • @crypticmauler 8 years ago +44

      haha, noticed that too. but let's keep in mind this application was not intended to be best practice let alone secure. he may be using the same app as an example for what not to do.

    • @Betacak3 8 years ago +2

      I really, really, really hope that this is not what he does when he actually writes a DB application :D

    • @DampeS8N 8 years ago +2

      x In the video he specifically called out that he protected his database in the code. And he has.... provided there are no 0-day vulnerabilities with the current version of mysql-r-e-s() and that he's using the current version. Which are the reasons he should be using prepared statements.

    • @RiccardoBello98 8 years ago +3

      well don't use mysql_real_escape_string() at all, coz that's been deprecated as of php5.5 and removed as of php7.. (all of the mysql module was removed as of php7, replaced by mysqli) (ofc prepared statements is the best way to go overall)

  • @Seegalgalguntijak 8 years ago

    Mike, Ghostery is fine, but if you really want to have control over what the websites you're visiting do with your computer, I'd recommend tools like uBlock Origin, uMatrix (which is awesome!), NoScript and of course self-destructing cookies. RequestPolicy however is obsolete if you set up the "u-Addons" (uBlock/uMatrix) accordingly, because they can be set up in such a way that no cross-site-requests are being followed. Of course, most websites don't work in that setting, but then you can allow individual FQDNs (in uBlock Origin) and what is allowed to be loaded from an individual FQDN (in uMatrix), and in such a way websites can display their content, but don't execute the script that is intended to detect a tracking blocker, and so on.

  • @FusionDeveloper 7 years ago

    The part at the end of the video, must be why, if you go to PayPal website and try to check everything on your account, it will constantly ask you to log in again, even if you just logged in again and 5 seconds later click a link that goes to another certain part of the account. This is annoying as hell, but I guess as you said, they do this to minimize risk.

  • @nO_d3N1AL 7 years ago +12

    It seems like a bit of a contrived example. Nicely explained, but I'd like to know whether this actually happens, how often it happens and how trivial it is to prevent it.

    • @Hasi29347 3 years ago

      There is a computer worm called Samy. A guy wrote a script that executes whenever someone visits your myspace profile. I suggest you to check it.

  • @DarioVolaric 8 years ago +1

    I have seen an article that mysql_real_escape_string() is still open to SQL injection. That is why it's best to use PDO

    • @jarmo_kiiski 8 years ago

      Or in php you could use str_replace() instead.

    • @zwembadsniper6883 7 years ago

      Dario Volaric or use prepared statements

    • @DarioVolaric 7 years ago

      Zwembad Sniper That's what I said. PDO

  • @tahiriqbal8543 6 years ago

    I have a question: when we are using the https protocol, then we can't steal cookies as far as I know, then what do we need to worry about stealing cookies?

  • @alexwolfeboy 4 years ago +1

    It’s scary how easy doing these sorts of things are sometimes. If I recall, however, XSS attacks aren’t nearly that much of a threat because of SSL. The request is private, and you’d have to forge the certificate, which is nearly impossible. Do I understand correctly?

  • @Jixejo 4 years ago +1

    I've stopped using ghostery since I found out that they were actually keeping details of your browsing history and selling it on for profit

  • @SikoSoft 4 years ago +1

    I steal cookies from myself all the time due to my employer's blasted authentication policies. We started using Azure DevOps, and they require you to authenticate via their ActiveDirectory, which only works on the company intranet. However, this is just for authentication; DevOps traffic isn't controlled in any way. And since all consultants work on their own machines, I didn't want to have to switch to company computer to use Azure DevOps, so I downloaded a Chrome cookie session plugin that lets me dump a session after I've validated on the company computer, and load those cookies up on my own machine, and bam: I'm in Azure DevOps on my own machine. :D

  • @incorporealnuance 8 years ago

    You used to be able to do this on Neopets, they used it for this, but they also used it to put silly pictures in post that shouldn't normally let you do it. People are funny sometimes.

  • @Overgreen 8 years ago +1

    When he said, "Can I change the shipping address?" a FedEx truck passed by my house o_o

  • @stingaling 3 years ago

    Right at the start you recommend installing an app to stop cookies 'tracking our whereabouts' but I couldn't understand what you said. Ghost something?

  • @andreo4511 4 years ago

    Is that code still vulnerable to SQL injection?
    I thought it should be using prepared statements and enforcing UTF-8?

  • 4 years ago

    Pure genius !

  • @keyzi99 7 years ago

    Is it legal to do this on your website images? So if someone else excepting yours users is using that image, they will also send their cookies to your website?

  • @Dusk-MTG 4 years ago +3

    People seeing this image might not realise what just happened...
    A part it's a cookie monster.

  • @axesspwns 5 years ago

    So rather than getting an image from the server that holds the blog file, the attacker is redirecting the request to his submitcookie.php file on the attacker server. This .php file stores the cookie in a database and returns back to the defenseless user the cookie monster image. Am I understanding this correctly?

  • @CatnamedMittens 8 years ago +118

    Why did they choose the name "cookie"?

    • @EKULvideos 8 years ago +109

      Comes from fortunes cookies I think. They hold small bits of information, like fortune cookies.

    • @holdream 8 years ago +2

      thorin might know :>

    • @CatnamedMittens 8 years ago

      iZz⤴c Thanks.

    • @CatnamedMittens 8 years ago

      +holdream Maybe :>

    • @hellterminator 8 years ago +16

      Truth is nobody knows. There are several theories, the most likely of which seems to be that it's a reference to “magic cookies” (basically the same thing, but in pre-web age and nobody knows why those were called that either), but nobody really knows.

  • @tanchienhao 7 years ago +2

    since most forums allow img tags, for pictures, (or tell me if they dont :p), doesnt it mean that practically every forum is vulnerable? what countermeasures do they use?

    • @David-yr3xd 7 years ago +3

      most fora use BBscript

    • @tanchienhao 7 years ago

      Oh i see hahaha thanks Daviddadj​

  • @helloworld8583 4 years ago +1

    Why server does not use an IP address instead of cookie when it wishes to track clients requests and let's say shopping card? Because server can see only external IP address and can not see a local address of device. Is it the reason?

  • @WorkFromHomeFriday 8 years ago +47

    Curious how many folks will now try XSS here in the YT comments now. ;) alert('Weyhey!');

    • @CiroDiMarzioComorra 5 years ago +1

      bruh you can't perform a XSS attack on yt dumbass

    • @GlueDonkey 5 years ago +25

      @@CiroDiMarzioComorra Do you know what a joke is?

    • @cosminxxx5287 5 years ago +6

      Wheyhey!

    • @bluecatdk 5 years ago +6

      Michael Mihalek woooosh?

    • @markusTegelane 4 years ago

      @@CiroDiMarzioComorra But what about third party RUclips clients using its APIs to show the comment section?

  • @photonicsauce7729 4 years ago

    hey test

  • @TriggerHappyRC1 3 years ago

    Am I understanding this correctly or am I missing something?
    The script that he sent is now a permanent part of the website as it will be loaded from the database as soon as a user requests to view the blog entries. When the script is loaded, the client will run it and send their cookie to the attacker's website. The user doesn't need to do anything other than load that blog post in order to send off their cookie?

  • @yashovardhanjha9274 4 years ago +7

    RUclips is Smarter Than That

    • @Twisted_Code 3 years ago

      alert("if you see this alert, either now or in the future, they really aren't")
      "if you see this alert, either now or in the future, they really aren't"
      who knows, they could introduce a change at some point that RETROACTIVELY makes this exploit work...

  • @Charliepinman 7 years ago +1

    Is there a way then of securely allowing someone to comment on a post or whatever it might be with an image from another server... I don't see how you can protect yourself against that. You would just have to ensure they aren't allowed parameters in their img html tag? and screw the fact that someone might use it to get a different sized image example image.jpg?width=150 < not allow that but the original image could be 4k

    • @jonasgrnbek7113 5 years ago

      You do not allow for html nor javascript injections in the first place :)

  • @ANTHONYBOOTH 4 years ago

    My screen jumps up and down sometimes; - but I have an optical mouse ...it seems to stop when I turn the mouse upside down... - I could run wireshark but just stare at it like a spastic...

  • @Ivo-- 8 years ago +42

    Ghostery itself does tracking. It's pretty messed up.

    • @The0x539 8 years ago +9

      Privacy Badger for the win, or Disconnect.

    • @Ivo-- 8 years ago

      The0x539 Yeah, I use disconnect personally.

    • @N.... 8 years ago +3

      AdBlock also does tracking, which is why people recommend the completely separate project AdBlock Plus

    • @Ivo-- 8 years ago +6

      Nicholas Braden I suggest ublock origin over adblock plus.

    • @Ivo-- 8 years ago +1

      hcblue I couldn't really say. Privacy badger is made by the EFF, which counts for something IMO. I haven't used it myself though.

  • @Minitomate 4 years ago +1

    Instructions unclear, the cookies monster came after me for stealing its cookies.

  • @abrahamwilliam1260 5 years ago

    can you create a playlist for the videos ur posting

  • @RAYNINGMAKER 7 years ago

    Is there the possibility of reading out the whole cookie file? I mean it's just a file on the computer which can be read out. Can Javascript do such things?

  • @atoth91 7 years ago

    In a normal situation, wouldn't the post with the session cookie be stopped by the browser because of same origin policy?