WebApp Sec mailing list archives
Re: Cross Site Cooking
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Tue, 31 Jan 2006 14:26:28 +0100 (CET)
On Tue, 31 Jan 2006 john-secfocus () o-rourke org wrote:
> Although it's all definitely a security risk, there's no way all vendors would change the mechanism without keeping backwards compatibility, it would cause chaos. So with my sites I always put a checksum in the cookie data, which allows the website to be certain no clients have altered the data manually.
Yup, but this still poses a certain problem with session cookies. The scenario is that the attacker acquires a session ID from the server, keeps it alive by prodding the server once in a while, then plants this ID on the client's machine. Should the victim authenticate with the server within that session ID, his account might become compromised.

Cryptographic protection against replay attacks is of no use, because session cookies must be replayable. The only half-solution is to associate the session ID with a certain IP range - but that still means that, for example, any AOL subscriber can attack any other AOL subscriber.

Cheers,
/mz
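The scenario above, as an added example that is not part of the original post or of any real product: a toy in-memory server whose cookies carry the HMAC checksum from the quoted message, a session-fixation run (attacker acquires a session ID, keeps it alive, plants it, the victim logs in within it, the attacker replays it), the IP-range half-solution with two victims in and out of the attacker's range, and, going one step beyond the thread, regeneration of the session ID at login, which is the usual fix for this class of attack. Names such as `Server`, `fixation`, the `/16` binding, the 600-second idle timeout and the `SECRET` are constructed for the example.

```python
"""Session fixation via a planted cookie, in the shapes the reply discusses.

Toy in-memory server constructed for this example; not a real product."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET = b"server-side-secret"  # constructed secret for the cookie checksum


def sign(value: str) -> str:
    """Checksum as in the quoted post: clients cannot alter the value by hand."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(cookie: str) -> Optional[str]:
    """Return the cookie value if its checksum is intact, else None."""
    value, _, mac = cookie.rpartition(".")
    good = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(good, mac) else None


@dataclass
class Session:
    user: Optional[str] = None
    net: Optional[ipaddress.IPv4Network] = None  # IP range bound at creation, if any
    last_seen: float = 0.0


class Server:
    def __init__(self, ttl: float = 600.0, bind_prefix: Optional[int] = None,
                 regenerate_on_login: bool = False):
        self.sessions: Dict[str, Session] = {}
        self.ttl = ttl                          # idle timeout, the reason the attacker must "prod"
        self.bind_prefix = bind_prefix          # e.g. 16 -> session tied to the client's /16
        self.regenerate = regenerate_on_login   # mitigation not discussed in the thread
        self.clock = 0.0                        # manual clock so the run is deterministic

    def advance(self, seconds: float) -> None:
        self.clock += seconds

    def _net(self, ip: str) -> Optional[ipaddress.IPv4Network]:
        if self.bind_prefix is None:
            return None
        return ipaddress.ip_network(f"{ip}/{self.bind_prefix}", strict=False)

    def new_session(self, client_ip: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(net=self._net(client_ip), last_seen=self.clock)
        return sign(sid)

    def _lookup(self, cookie: str, client_ip: str) -> Tuple[Optional[str], Optional[Session]]:
        sid = verify(cookie)
        s = self.sessions.get(sid) if sid else None
        if s is None:
            return None, None
        if self.clock - s.last_seen > self.ttl:          # idle timeout hit
            del self.sessions[sid]
            return None, None
        if s.net is not None and ipaddress.ip_address(client_ip) not in s.net:
            return None, None                            # wrong IP range: treat as no session
        s.last_seen = self.clock
        return sid, s

    def touch(self, cookie: str, client_ip: str) -> bool:
        """Any request keeps the session alive; this is the attacker's prodding."""
        return self._lookup(cookie, client_ip)[0] is not None

    def login(self, cookie: str, client_ip: str, user: str) -> str:
        """Authenticate; returns the cookie the client should use from now on."""
        sid, s = self._lookup(cookie, client_ip)
        if s is None or self.regenerate:
            if sid is not None:
                del self.sessions[sid]                   # drop the pre-auth ID
            cookie = self.new_session(client_ip)
            sid, s = self._lookup(cookie, client_ip)
        s.user = user
        return cookie

    def whoami(self, cookie: str, client_ip: str) -> Optional[str]:
        _, s = self._lookup(cookie, client_ip)
        return s.user if s else None


def fixation(server: Server, attacker_ip: str, victim_ip: str) -> Optional[str]:
    """Run the reply's scenario; returns who the attacker's planted cookie is logged in as."""
    planted = server.new_session(attacker_ip)      # 1. attacker acquires a session ID
    server.advance(server.ttl - 1)
    server.touch(planted, attacker_ip)             # 2. keeps it alive by prodding the server
    server.advance(server.ttl - 1)
    # 3. plants it on the victim (cross-site cooking); the victim's browser now sends it
    server.login(planted, victim_ip, "victim")     # 4. victim authenticates within that ID
    return server.whoami(planted, attacker_ip)     # 5. attacker replays the same cookie
```

With a plain `Server()` the run ends with the attacker's cookie logged in as the victim, and the checksum never enters into it: the planted cookie was issued by the server and is perfectly valid. With `bind_prefix=16` the run still succeeds when attacker and victim share a /16 (the "any AOL subscriber" case) and fails only when they do not. With `regenerate_on_login=True` the pre-auth ID is discarded at login, so the attacker's copy no longer maps to any session.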