EXPERT RESPONSE
Developers should take a three-step approach to avoid cookie poisoning:
- Do not store sensitive information in cookies
- If sensitive information must be stored in cookies, make it extremely difficult for a user to successfully modify it
- Validate all cookie values to ensure that they are well-formed and correct
First of all, cookies are communicated as part of the HTTP header traffic being passed back and forth between the Web server and the Web browser. This means there is no special status afforded to cookies that guarantees their values won't be changed in the time period between when the Web application sets them and when they are returned by the browser. Cookies are just "bits on the wire" and malicious users with a Web proxy tool are able to control the existence and value of cookies.
For this reason, sensitive information should not be stored in cookies and security-relevant decisions in code should never be made based on the values of cookies. If a Web application uses few or no cookies, and if these cookie values are only used for non-sensitive decision making then the impact of modified cookies will be decreased or eliminated.
If sensitive information must be stored in cookie values, this information should be encrypted using an industry-standard, well-tested algorithm such as AES. By encrypting the data, if a malicious user attempts to modify the value, the decryption process will fail.
If an application does use cookies to store information, it is crucial to treat these cookies like any other untrusted application input and positively validate them. If a cookie is used to store an integer value then the application must parse it to be sure it is a valid integer. If that integer must be within a given range, then the application must validate this as well. And so on. Also note: validating that a value is good is much more secure than checking for known "bad" values. If an application only checks for known "bad" values then an attacker who can craft a new, unanticipated "bad" value will have rendered the validation worthless.
Unfortunately, the ASP.NET platform does not really provide any platform-specific tools to help foil cookie poisoning attacks. The ASP.NET validation framework - very useful for validating Web control values - does not apply to cookies. However, the regular expression support in .NET can be a useful tool for validating expressions against positive criteria. As with most application security issues, it is up to the developer to make good design and coding decisions. This is the root of any good input validation strategy.
|
