Bugtraq mailing list archives
Re: cache cookies?
From: Nick Lamb <njl98r () ECS SOTON AC UK>
Date: Fri, 15 Dec 2000 20:52:17 +0000
On Thu, Dec 14, 2000 at 02:06:48AM -0500, Thomas Reinke wrote:
> Actually, it *does* work. We have on our site a working demonstration of the exploit, showing whether or not you've visited one or more of more than 80 different well known sites. The URL is http://www.securityspace.com/exploit/exploit_2a.html
Not very impressive. Mozilla M18 showed very poor results, spotting only one of the sites I had visited (out of a dozen or so), and on subsequent loads after visiting more sites it reported "Cache hit" for everything. Tests with other sites, with a fresh browser config, on different systems, revealed that test results stayed low, sometimes zero effectiveness, usually less than 50%.

To collect each "bit" of info the browser opened ports to servers quite unrelated to the request, causing Cookie warning pop-ups for sites I've never heard of. In a medium-paranoid setting this was setting off more flashing lights than our local Christmas display.

If someone started using this on the public it would be detected quickly, and while it's difficult to really defeat (which might make it attractive to some organisations) it would also be very hard to maintain, because it relies on understanding the site design of each target to get a "good" cache cookie. Only one "attacker" can use it on the net safely, because using it on someone once effectively "immunises" them against further attack for an indefinite period of time. Defense means hitting "flush cache" after visiting disreputable or embarrassing sites.
> That is actually trivial to bypass through a simple flag that indicates what has and has not been checked.
Where would you store this flag? In a Cookie?

Nick.