The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws

Kostas Drakonakis*, Sotiris Ioannidis†, Jason Polakis‡ *FORTH, Greece | †Technical University of Crete, Greece | ‡University of Illinois at Chicago

Overview

In this paper, we focus on authentication and authorization flaws in web apps that enable partial or full access to user accounts. Specifically, we develop a novel fully automated black-box auditing framework that analyzes web apps by exploring their susceptibility to various cookie-hijacking attacks while also assessing their deployment of pertinent security mechanisms (e.g., HSTS). Our modular framework is driven by a custom browser automation tool developed to transparently offer fault-tolerance during extended interactions with web apps. We use our framework to conduct the first automated large-scale study of cookie-based account hijacking in the wild. As our framework handles every step of the auditing process in a completely automated manner, including the challenging process of account creation, we are able to fully audit 25K domains. Our framework detects more than 10K domains that expose authentication cookies over unencrypted connections, and over 5K domains that do not protect authentication cookies from JavaScript access while also embedding third party scripts that execute in the first party's origin. Our system also automatically identifies the privacy loss caused by exposed cookies and detects 9,324 domains where sensitive user data can be accessed by attackers (e.g., address, phone number, password). Overall, our study demonstrates that cookie-hijacking is a severe and prevalent threat, as deployment of even basic countermeasures (e.g., cookie security flags) is absent or incomplete, while developers struggle to correctly deploy more demanding mechanisms.
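The two headline exposures in the overview, authentication cookies that can travel over plaintext HTTP and authentication cookies readable by JavaScript, come down to a handful of response-header checks. The script below is an added example and not code from the paper or from XDriver: it parses constructed Set-Cookie and Strict-Transport-Security headers, takes the list of which cookies are authentication cookies as given (a hard-coded assumption here; the framework determines this itself), and reports, per cookie, whether a network attacker or an in-origin script could obtain it and why.

```python
"""Header-level audit of authentication cookies for the two exposures the page counts.

Added example; the header lines and the AUTH_COOKIE_NAMES list are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Hsts:
    present: bool = False
    max_age: int = 0
    include_subdomains: bool = False

    @property
    def active(self) -> bool:
        # max-age=0 is how a site withdraws HSTS; it gives no protection.
        return self.present and self.max_age > 0


@dataclass
class CookieFinding:
    name: str
    secure: bool = False
    httponly: bool = False
    domain: Optional[str] = None          # set only if a Domain attribute is present
    network_exposed: bool = False
    script_exposed: bool = False
    reasons: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Hsts:
    hsts = Hsts(present=True)
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                hsts.max_age = int(val.strip().strip('"'))
            except ValueError:
                hsts.max_age = 0
        elif key == "includesubdomains":
            hsts.include_subdomains = True
    return hsts


def parse_set_cookie(value: str) -> CookieFinding:
    # Cookie values may contain commas (e.g. in Expires) but never ';', so split on ';'.
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    finding = CookieFinding(name=name)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            finding.secure = True
        elif key == "httponly":
            finding.httponly = True
        elif key == "domain":
            finding.domain = val.strip()
    return finding


def audit_headers(raw_headers: Iterable[str], auth_cookies: Iterable[str]) -> Dict[str, CookieFinding]:
    """Return a finding for each authentication cookie set in the response."""
    hsts, cookies = Hsts(), {}
    for line in raw_headers:
        header, _, value = line.partition(":")
        header = header.strip().lower()
        if header == "strict-transport-security":
            hsts = parse_hsts(value)
        elif header == "set-cookie":
            c = parse_set_cookie(value)
            cookies[c.name] = c
    results = {}
    for name in set(auth_cookies) & set(cookies):
        c = cookies[name]
        if not c.secure:
            if not hsts.active:
                c.network_exposed = True
                c.reasons.append("no Secure flag and no active HSTS: sent on any plain-HTTP request")
            elif c.domain and not hsts.include_subdomains:
                # A domain-wide cookie also goes to subdomains, which HSTS here does not cover:
                # one forced request to http://anything.<domain> leaks it.
                c.network_exposed = True
                c.reasons.append("no Secure flag; Domain-scoped and HSTS lacks includeSubDomains")
        if not c.httponly:
            c.script_exposed = True
            c.reasons.append("no HttpOnly flag: readable via document.cookie by any script in the origin")
        results[name] = c
    return results


# Constructed sample responses for an imaginary example.com login.
AUTH_COOKIE_NAMES = ["sessionid", "auth_token", "remember_me"]
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: remember_me=1; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "Set-Cookie: tracking=42; Path=/",
    "Strict-Transport-Security: max-age=31536000",
]
SAMPLE_HEADERS_NO_HSTS = [h for h in SAMPLE_HEADERS if not h.startswith("Strict-Transport-Security")]

if __name__ == "__main__":
    for name, f in sorted(audit_headers(SAMPLE_HEADERS, AUTH_COOKIE_NAMES).items()):
        print(f"{name}: network_exposed={f.network_exposed} script_exposed={f.script_exposed} {f.reasons}")
```

With HSTS present but without includeSubDomains, the host-only sessionid cookie is shielded while the Domain-scoped remember_me cookie is not, which is the kind of partial deployment the overview describes. Note that HSTS is trust-on-first-use: a browser that has never visited the site over HTTPS (and the site is not on the preload list) has no HSTS entry yet, so even the "protected" case above only holds for returning visitors.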


Research Paper

Details of our research can be found in the following paper:

The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws [PDF] [BibTeX]

Kostas Drakonakis, Sotiris Ioannidis, Jason Polakis
in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, November 2020



FAQ

Is any data or code available to the public?

We have made our robust browser automation framework public so as to aid further research towards various vectors of web application security auditing. See below for download info.

How do I cite the source code or the paper?

If you use our open-source modules or otherwise conduct research related to our work, please cite our paper:

@inproceedings{cookie_hunter_2020,
	author = {Drakonakis, Kostas and Ioannidis, Sotiris and Polakis, Jason},
	title = {The Cookie Hunter: Automated Black-Box Auditing for Web Authentication and Authorization Flaws},
	year = {2020},
	isbn = {9781450370899},
	publisher = {Association for Computing Machinery},
	address = {New York, NY, USA},
	url = {https://doi.org/10.1145/3372297.3417869},
	doi = {10.1145/3372297.3417869},
	booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security},
	pages = {1953–1970},
	numpages = {18},
	keywords = {authorization, authentication, web security, cookie hijacking, session hijacking},
	location = {Virtual Event, USA},
	series = {CCS '20}
}


Can I have access to the auditing results?

We have decided not to make our auditing results publicly available, due to their sensitive nature. However, the results for an individual domain are available to whoever proves ownership of that domain.

To access your domain's results, follow the instructions at this link.



Download code

You can find our browser automation framework here:
XDriver for Python 2.7
XDriver for Python 3.8


Contact

For any questions or suggestions, please email kostasdrk@ics.forth.gr