Penetration Testing mailing list archives
Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 18 Dec 2000 20:48:33 -0800
On Mon, 18 Dec 2000, Ruso, Anthony wrote:
> What are common methods used in decrypting/encrypting cookies? Would many of you trust the use of cookies to store - let's say - passwords and personal information?
Only to the extent that I trust the machine I leave the cookies lying around on. Do I have the option to not use cookies? Is this something the user would normally want to protect (i.e. many users are not interested in keeping their authentication information for porn sites secret, but they want their bank login secret.)
> I'm trying to extract passwords from a client's website through the use of cookies. They used to store website passwords in clear text. I managed to convince them to encrypt them, but how can I test their encryption choice and methods? My crypt-analysis experience is very basic.
Look at these items: Is the cookie the same size as the password? Does the size appear to be a function of the size of the password? Does it change each time it's set (i.e. is there salt?) Does it work if you drag it from machine to machine? If you change IP addresses? When does it expire?

If it can be used as-is on a different machine, then it's just as good as a plain-text password, and you've probably bought very little by getting them to do this (warm fuzzies, really.)

It boils down to the fact that there isn't a good way to store passwords on a client securely, short of another password to protect those. Probably the best you can do as a trade-off is see if there's a way to encode something special about the client... dunno, perhaps browser version and OS? Make sure the cookies expire after a reasonably short amount of time... and make sure that the time info or a pointer to it at the server is included in the cookie, crypted as well.

Ryan
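An added example, not part of the original message: a server-side cookie that carries no password, changes on every issuance, is tied to a client attribute and carries its own expiry, matching the checklist above. It authenticates the cookie with HMAC-SHA256 rather than encrypting it; the names `issue_cookie`, `verify_cookie`, `SERVER_KEY` and `MAX_AGE` and the 15-minute lifetime are assumptions.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)   # assumption: kept server-side only, never sent to the client
MAX_AGE = 15 * 60             # assumption: 15 minutes as the "reasonably short" lifetime


def _fingerprint(user_agent):
    # "Something special about the client": here the User-Agent (browser version and OS).
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def _mac(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_cookie(user_id, user_agent, now=None):
    """Build a cookie that holds no password: user id, client fingerprint, expiry, nonce."""
    now = time.time() if now is None else now
    claims = {
        "uid": user_id,
        "fp": _fingerprint(user_agent),
        "exp": int(now) + MAX_AGE,        # time info travels inside the protected body
        "nonce": os.urandom(8).hex(),     # makes every issued value different
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(_mac(body) + body).decode()


def verify_cookie(cookie, user_agent, now=None):
    """Return the user id, or None if the cookie is forged, expired or from another client."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        tag, body = raw[:32], raw[32:]
        if not hmac.compare_digest(tag, _mac(body)):
            return None                   # modified or not issued by this server
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None                       # not valid base64 / JSON
    if now >= claims["exp"]:
        return None                       # past its lifetime
    if not hmac.compare_digest(claims["fp"], _fingerprint(user_agent)):
        return None                       # presented by a different browser/OS
    return claims["uid"]
```

The User-Agent is visible to anyone who can read the request, so the binding is the trade-off the message describes rather than a guarantee.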