Vulnerability Development mailing list archives
Re: Cookies
From: Modify <modify () ATTRITION ORG>
Date: Thu, 10 Aug 2000 11:40:41 -0600
I have been playing around with a few sites that use cookies to save information on a client machine. More specifically, a site that saves your zipcode so it can later be displayed when you return to do another search. The cookie reads as follows:

zipcode21045somewhere.com/0427410342429433681205584222429360256*

I later changed the zipcode "field" to 21046 just to see if it would accept the cookie even though I had changed the contents:

zipcode21046somewhere.com/0427410342429433681205584222429360256*

Lo and behold, the server accepted my changes and allowed the display of the new zipcode. So, I proceeded to add 200+ characters to the zipcode field and reloaded the page (cleared cache also). The zipcode field displayed nothing, so I looked at the cookie itself to see what changes the server had made to the file:

UniqueCountID%253D20e3a2%253Ae0d5a1a3b3%253A-800020e3a2%253Ae0d5a1a3b3%253A-769bsomewhere.com/carsapp0275700608031563020189661222429360256*

It seems the server checked to see if the client exceeds the buffer of 5 and, if so, it resets the cookie to a null value. After I entered the large data in the zipcode field I entered 6 characters and the server did the same thing; the only thing different was that this time the cookie was nowhere to be found on the client. I'm unsure as to what the hash is doing exactly to keep this information sanitized, if I can change the values to whatever the heck I like. Unless this is a misconfiguration. If anybody has any information on what happens on the server side, maybe email me with some notes off-list (or on). I have also noticed that some servers will give away web server information in a cookie.

Karl

On Wed, 9 Aug 2000, Slawek wrote:

> Tuesday, August 08, 2000 11:28 PM +0200, Denis Ducamp wrote:
>
> > On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
> >
> > > In one Web-accessible application I wrote, I did indeed put the authentication information in a cookie, but I also put an MD5 hash of the contents of the cookie appended to a secret that I placed in a configuration file, to prevent this very security problem. I'm curious, though, if anyone can point out any problems with this approach?
> >
> > Do you verify that:
> > <snip>
> > . a cookie generated for an IP A can't be used by an IP B? Difficulty: if the user is behind a proxy that doesn't give the client IP, then another client behind that proxy may use that cookie. Other data, such as client software and version, may be part of the verified data.
>
> oops, afair some large ip-masquerading systems do use multiple IPs for masquerading. It may lead to requests from one user coming from more than one IP. Some http proxies may use a similar technique.
>
> just my $.02,
> Slawek
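The thread above describes two things: Karl's observation that a server accepted a client-edited zipcode cookie (and only rejected it once it exceeded a 5-character limit), and Kev's approach of appending a keyed hash so the server can detect edits. The following is an added example, written for this archive page and not code from any poster in the thread. It uses HMAC-SHA256 rather than the MD5-of-secret-plus-contents Kev describes (HMAC is the standard keyed-hash construction and avoids the length-extension weakness of a bare hash over secret-plus-data), a constructed secret, a hypothetical cookie name `zipcode`, and the 5-character limit taken from Karl's observation. The optional `context` argument shows Denis's idea of binding the cookie to client attributes such as the IP.

```python
# Added example: tamper-evident cookie values (not code from any poster in this thread).
# The secret, cookie name and sample values are constructed for illustration.
import hmac
import hashlib

# In a real deployment this comes from a configuration file, as Kev describes.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Field limit inferred from Karl's report that the server rejected values over 5 characters.
ZIP_MAX_LEN = 5


def _tag(name: str, value: str, context: str, secret: bytes) -> str:
    """HMAC-SHA256 over cookie name, value and optional client context.

    The name is included so a tag minted for one cookie cannot be moved to
    another; fields are NUL-separated so their boundaries are unambiguous."""
    msg = b"\x00".join(s.encode() for s in (name, value, context))
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, context: str = "", secret: bytes = SERVER_SECRET) -> str:
    """Return the cookie value to send to the client: '<value>.<hex tag>'."""
    return f"{value}.{_tag(name, value, context, secret)}"


def verify_cookie(name: str, raw: str, context: str = "", secret: bytes = SERVER_SECRET,
                  max_len: int = ZIP_MAX_LEN):
    """Return the trusted value, or None if the cookie is missing its tag,
    exceeds the field limit, or was edited on the client."""
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return None                      # no tag at all (an unsigned cookie)
    if len(value) > max_len:
        return None                      # the "buffer of 5" check from Karl's post
    expected = _tag(name, value, context, secret)
    # Constant-time comparison so the tag check does not leak timing information.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value


def demo() -> dict:
    """Replay the scenarios from Karl's post against the signed-cookie scheme."""
    signed = sign_cookie("zipcode", "21045")
    # Client edits the zipcode but keeps the original tag, as Karl did by hand.
    tampered = "21046" + signed[len("21045"):]
    return {
        "genuine": verify_cookie("zipcode", signed),                            # "21045"
        "tampered": verify_cookie("zipcode", tampered),                         # None
        "overlong": verify_cookie("zipcode", sign_cookie("zipcode", "9" * 200)),  # None
        "unsigned": verify_cookie("zipcode", "21045"),                          # None
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result!r}")
    # Denis's IP-binding idea: the same cookie fails if presented from another address.
    bound = sign_cookie("zipcode", "21045", context="10.0.0.1")
    print("same ip  ->", verify_cookie("zipcode", bound, context="10.0.0.1"))
    print("other ip ->", verify_cookie("zipcode", bound, context="10.0.0.2"))
```

With a scheme like this, the edited `21046` cookie from Karl's post is rejected outright instead of being displayed, and an overlong value is refused before the tag is even checked. Binding to the client IP through `context` does what Denis asks for, but Slawek's caveat applies unchanged: users behind masquerading gateways or proxy farms can legitimately arrive from several addresses, so IP binding will lock out some genuine users and should be weighed against that cost. Note also that a valid tag proves only that the server issued the value; it does not stop a stolen cookie from being replayed by whoever holds it.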
Current thread:
- Cookies George (Aug 06)
- Re: Cookies Denis Ducamp (Aug 07)
- Re: Cookies Kev (Aug 09)
- Re: Cookies Denis Ducamp (Aug 09)
- Re: Cookies Kev (Aug 10)
- Re: Cookies Denis Ducamp (Aug 10)
- Re: Cookies Slawek (Aug 10)
- Re: Cookies Modify (Aug 10)
- Re: Cookies Kev (Aug 09)
- Re: Cookies Denis Ducamp (Aug 07)
- Re: Cookies George (Aug 07)
- Re: Cookies Crist Clark (Aug 09)
- Re: Cookies J Edgar Hoover (Aug 12)
- <Possible follow-ups>
- Re: Cookies netsec [davidv] (Aug 08)
- Re: Cookies Ryan Permeh (Aug 09)