Re: cookies a fundamental threat?

["chris m" <r0xes.ratm () gmail com>]

Cookies are not a threat to 'todays web applications'.

It is how they are implemented, and what the function of what they are
implemented by is (e.g. online banking), and what it has (e.g.
forums).

If I steal your cookies
via the forums (assuming PATH is / and they are both on X.com), I have
your bank account. Naturally, it doesn't work that way - just an
example.

You must properly sanatise input, that's all. Cookies are in no way insecure.

On 4/29/06, Brian Eaton <eaton.lists () gmail com> wrote:
> On 4/29/06, Achim Hoffmann <kirke11 () securenet de> wrote:
> > Well, my post is a bit off-topic to the initial subject, but the question
> > and my other question "sequence of cookies in a request" show again that
> > cookies are a fundametal threat in todays web applications.
> > I claim too "There is no path security".
> > (cookie2 with encrypted values are a different story, however ...)
>
> I just went and looked up your old note in the archives
> (http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html).
>  I didn't see any responses there.  One important thing about the
> order in which cookies are sent (that you didn't mention in your
> original note) is that they are sent with the most restrictive path
> first.  For example, if there are two cookies with the same name, one
> with a path of /one, and the other with a path of /one/two, the
> /one/two cookie is sent before the /one cookie.
>
> I'm not entirely in agreement with your statement, "cookies are a
> fundamental threat in todays web applications."  There is simply not a
> viable replacement for the functionality they provide.  When misguided
> folks suggest that a web application not use cookies for security
> reasons, web developers just turn around and use hidden form fields.
> Hidden form fields and cookies are exactly the same from a security
> perspective.  It's just one is more difficult to implement.
>
> If a developer is going to spend time worrying about cookies, I'd
> rather they worried about something useful like whether they are using
> a proper random number generator for their session IDs.
>
> I'm just not seeing the fundamental threat from cookies that you
> describe.  Would you explain a little more fully what you mean?
>
> Regards,
> Brian
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. Change the way you
> think about application security testing - See for yourself.
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------