WebApp Sec mailing list archives
RE: Critical New Web Application Vulnerability Alert BOB23203115
From: "Arian J. Evans" <arian () anachronic com>
Date: Tue, 21 Dec 2004 13:04:34 -0600
Let's clarify: this was a joke. And it wasn't. In a stateless environment are we doing user or entity authentication with our session token? So are we going to enhance that by doing dual-factor entity authentication? (SSL + session token...guess we already are). So add in tri-factor (secret URL hash token)? Is our goal only to "raise the bar". Or do we add in user-supplied authentication of some sort? Address state/session management principles? Lots of questions. Lots of answers. I'm responding to this publicly as you might not be the only one I confused. And because your response is the funniest one I've gotten. Thank you,
-----Original Message----- From: Sent: Monday, December 20, 2004 11:43 PM To: arian () anachronic com Arian, I am not sure what the point of your "Cross X Double-Free Session Riding Turbo Champion Gold" advisory is.
[...] (me neither) [...]
Secondary your mitigation suggestions are entirely impractical for any production system. (ie. Having the user supply information on every single page.)
Observant.
Any person subscribed to the security mailing lists are already following best recommended practices. So you're advisory is basically "yet another reason why you should follow best recommended practices."
What planet do you live on? Best practices my ass. But I get your point: you got no value from my advisory. =)
Furthermore I don't understand how you can critize SecureNet GmbH's "Session Riding" advisory for "overzealous marketing" and then proceed to invite media to contact you and you're plan to release a press release. If "Turbo Champion Gold" isn't marketing jargon I don't know what is.
You busted me sir. The truth is out. I'm a media wh***. Now go spike your eggnog and relax. Arian J. Evans, Easy to Autodelete, Uninformed Information Security Opinion at Large, -and- Purveyor of Anachrony http://www.anachronic.com (Signed pictures of me are available upon request)
Current thread:
- Critical New Web Application Vulnerability Alert BOB23203115 Arian J. Evans (Dec 20)
- <Possible follow-ups>
- RE: Critical New Web Application Vulnerability Alert BOB23203115 Arian J. Evans (Dec 22)