WebApp Sec mailing list archives
Re: [WEB SECURITY] Fundamental error in Corsaire's paper?
From: Dan Kuykendall <dan () kuykendall org>
Date: Thu, 27 Apr 2006 14:27:17 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin O'Neal wrote:
I know I'm not the one you are asking, but I think setting the path is LESS secure. Not because of any technical reason, given the fact that its easily circumvented, but because of the false sense of security that gets placed by developers using the path.Using the same logic though, one would be compelled to recommend not using SSL; the false sense of security 9-out-of-10 cats preferred. :P Martin...
But at least SSL is adding some layer of security, in that even if the web app has holes, the transport is still being encrypted. Using the path setting for the cookie offers no security, and should not be considered part of the security design, whereas SSL does belong as part of the security design. Im not saying its bad to use the path, it has its purpose, such as segmenting the cookies for the different apps using the same cookie names, but it should not be considered part of the security design. - -- Dan Kuykendall (aka Seek3r) http://www.mightyseek.com In God we trust, all others we virus scan. Programmer - an organism that turns coffee into software. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEUTc1K8FkGutbdPMRAncOAKCXuVU72+3XRNIHGnOKXloyiqP6xwCfRkOS lOPXG73N3qa28uRpwXozA/A= =Uagi -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 26)
- <Possible follow-ups>
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Dan Kuykendall (Apr 27)
- WebScarab Fuzzer Jason Murray (Jun 09)
- Re: WebScarab Fuzzer Vlad (Jun 11)
- Re: WebScarab Fuzzer Rogan Dawes (Jun 11)
- WebScarab Fuzzer Jason Murray (Jun 09)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 27)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Dan Kuykendall (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Brian Eaton (Apr 28)
(Thread continues...)