Antoine Delignat-Lavaud, Karthikeyan Bhargavan

The attacker wants to steal a secure cookie set by the server.

HTTP cookies have a flag that is used to mark them as "secure". This flag is used to instruct the browser to only send this cookie over HTTPS, and never over unencrypted connections. As a result, the web server can be sure that these authentication credentials can't be stolen by any type of network attacker. The cookie flag is appended at the end of the value, and if it's not present, the default behavior is to send it over unencrypted request. To perform this attack, the attacker needs to be able to generate and drop TCP packets from the victim's connection and be able to pad the response so that it can control the fragmentation point.

The attacker can make sure the HTTP response contains the cookie value and the cookie flags in different packets by padding the response with some attacker-controlled value in any of the response headers (such as a Location header). When the server sends the response to the user, the attacker can truncate the response and drop the second packet with the secure flag. As a result, the cookie is marked as insecure, and the browser will send it unencrypted on the next HTTP request to the server (at which point the attacker can read it).
About In Security Bugs Gallery you will find drawings of different stories inspired by software security vulnerabilities.
Creative Commons License