Cross-site cooking
Encyclopedia
Cross-site cooking is a type of browser exploit
which allows a site
Cross-site cooking can be used to perform session fixation
attacks, as a malicious site can fixate the session identifier cookie
of another site.
Other attack scenarios may also possible, for example:
Cross site. Cross-site cooking is similar in concept to cross-site scripting
, cross-site request forgery
, cross-site tracing
, cross-zone scripting
etc., in that it involves the ability to move data or code between different web sites (or in some cases, between e-mail / instant messages and sites). These problems are linked to the fact that a web browser
is a shared platform for different information / applications / sites. Only logical security boundaries maintained by browsers ensures that one site cannot corrupt or steal data from another. However a browser exploit
such as cross-site cooking can be used to move things across the logical security boundaries.
in 2006. The name is a mix of cookie
and cross-site
, attempting to describe the nature of cookies being set across sites.
In Michal Zalewski's article of 2006, Benjamin Franz was credited for his discovery, who in May 1998 reported a cookie domain related vulnerability to vendors. Benjamin Franz published the vulnerability and discussed it mainly as a way to circumvent "privacy protection" mechanisms in popular browsers. Michal Zalewski concluded that the bug, 8 years later, was still present (unresolved) in some browsers and could be exploited for cross-site cooking. Various remarks such as "vendors [...] certainly are not in a hurry to fix this" were made by Zalewski and others.
Browser exploit
A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user's browser settings without their knowledge...
which allows a site
attacker
to set a cookie for a browser
into the cookie domain of another site server
.Cross-site cooking can be used to perform session fixation
Session fixation
In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate another person's session identifier...
attacks, as a malicious site can fixate the session identifier cookie
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
of another site.
Other attack scenarios may also possible, for example:
attacker
may know of a security vulnerability in server
, which is exploitable using a cookie. But if this security vulnerability requires e.g. an administrator password which attacker
does not know, cross-site cooking could be used to fool innocent users to unintentionally perform the attack.Cross site. Cross-site cooking is similar in concept to cross-site scripting
Cross-site scripting
Cross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
, cross-site request forgery
Cross-site request forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
, cross-site tracing
Cross-site tracing
Cross-site tracing is a network security vulnerability exploiting the HTTP TRACE method.XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie...
, cross-zone scripting
Cross-zone scripting
Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client executing the script...
etc., in that it involves the ability to move data or code between different web sites (or in some cases, between e-mail / instant messages and sites). These problems are linked to the fact that a web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
is a shared platform for different information / applications / sites. Only logical security boundaries maintained by browsers ensures that one site cannot corrupt or steal data from another. However a browser exploit
Browser exploit
A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user's browser settings without their knowledge...
such as cross-site cooking can be used to move things across the logical security boundaries.
Origins
The name cross-site cooking and concept was presented by Michal ZalewskiMichal Zalewski
Michał Zalewski , also known by the user name lcamtuf, is a "white hat" hacker, computer security expert from Poland and a Google Inc. employee....
in 2006. The name is a mix of cookie
HTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
and cross-site
Cross-site
Cross-site can refer to the following network security exploits:*Cross-site cooking*Cross-site request forgery*Cross-site scripting*Cross-site tracing...
, attempting to describe the nature of cookies being set across sites.
In Michal Zalewski's article of 2006, Benjamin Franz was credited for his discovery, who in May 1998 reported a cookie domain related vulnerability to vendors. Benjamin Franz published the vulnerability and discussed it mainly as a way to circumvent "privacy protection" mechanisms in popular browsers. Michal Zalewski concluded that the bug, 8 years later, was still present (unresolved) in some browsers and could be exploited for cross-site cooking. Various remarks such as "vendors [...] certainly are not in a hurry to fix this" were made by Zalewski and others.
External links
- Cross-Site Cooking article by Michal Zalewski. Details concept, 3 bugs which enables Cross Site Cooking. One of these bugs is the age old bug originally found by Benjamin Franz.