2. Stateless is Good
• Don't need to synchronize between servers
• No bloated session objects on servers
• REST
3. REST Constraint: Stateless
The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.
17. Triple Submit (CSRF protection)
Random HttpOnly cookie
Cookie value as JavaScript variable
18. Triple Submit (CSRF protection)
Random HttpOnly cookie
Cookie value as request parameter
Stateful: Cookie name saved in server session
Stateless: Server only accepts one such cookie (checks format)
19. The 3rd Submit
• The server sets an HttpOnly cookie with a random name and random value
• The server tells the client the value of the random cookie, not the name
• The client submits the value of the cookie as a request parameter
20. The 3rd Submit
• The server sets an httpOnly cookie with a random name and random value
  response.addHeader("Set-Cookie", randomName + "=" + randomValue + "; HttpOnly; path='/'; domain=.1-liner.org");
• The server tells the client the value of the random cookie, not the name
• The client submits the value of the cookie as a request parameter
21. The 3rd Submit
• The server sets an httpOnly cookie with a random name and random value
• The server tells the client the value of the random cookie, not the name
  <script>
  var ANTI_CSRF_TRIPLE = <%= randomValue %>;
  </script>
• The client submits the name and value of the cookie as a request parameter
22. The 3rd Submit
• Cookie value as parameter
• The cookie name
• The cookie value
24. Yes.
When a browser reaches its limit for cookies for a domain it starts to delete older cookies, including
Credit: http://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/
25. So the attacker can delete the HttpOnly cookie(s) this way and then set them to a controlled value, effectively overwriting
26.
var overflowCookieJar = function() {
    var name = "marker",
        val = "markerVal",
        counter = 0;
    // Set an initial cookie as a marker
    $.cookie(name, val, {path: "/", domain: ".1-liner.org"});
    // Set new cookies until marker is gone
    while ($.cookie(name) == val) {
        $.cookie(name + counter++, val, {path: "/", domain: ".1-liner.org"});
    }
    // Return number of cookies needed
    return counter;
}