Chris Eng, director of security services at Burlington, Mass.-based security analysis firm Veracode Inc., on Thursday demonstrated several techniques for analyzing encrypted data in Web applications and recovering sensitive information, such as usernames and passwords.
Eng, a veteran penetration tester and former consultant for security giant Symantec Corp. and @stake, said there's no need to bother attacking the algorithms used to encrypt data in cookies if you understand how a Web application's cryptosystem works.
He cited an example in which a Web application uses a block cipher to encrypt cookie data. By examining the ciphertext, Eng could see that the cipher was in Electronic Code Book (ECB) mode, which means that identical plaintext blocks are encrypted identically and are easy to recognize. Eng then began modifying pieces of data in the cookie that he could control, such as the email address, and observing how the modifications changed the block.
Once he identified where in the block those pieces of data were, he could manipulate the ciphertext itself, using it to build his own cookie for the site and impersonate another user.
"This isn't a brand new attack, but it takes some time to understand how it works and what it can do for you," Eng said. "There are major companies with live Web apps that are at risk from this."