WebApp Sec mailing list archives
Re: [WEB SECURITY] cookies a fundamental threat?
From: Achim Hoffmann <kirke11 () securenet de>
Date: Tue, 2 May 2006 23:10:38 +0200 (MEST)
On Tue, 2 May 2006, Brian Eaton wrote:

!! If the advice is "use form fields instead of domain cookies", that
!! makes plenty of sense. Domain cookies pose a greater risk than a well
!! targeted form field. But to say that *all* cookies pose the same risk
!! as domain cookies is a mistake.

hmm, you're still missing my intention: the application cannot control
if the sent cookie is based on a particular path or domain attribute.

!! Suggesting to someone that they should replace all of their
!! application cookies with hidden form fields ..

No, I didn't suggest to do that (see my original mail). I also gave
hidden fields as one of a few possibilities. Please don't stick on
hidden fields. If the brainstorming here with all those good comments
finally came to the suggestion to use anything else, that'll be fine :)

!! .. is likely to waste their time.

aha, here it is again: don't blame the developers ...

!! https://bugzilla.mozilla.org/show_bug.cgi?id=178993#c49

HttpOnly is a good feature, and I'd recommend its usage too. But it is
still something out of control of the application as long as it is not a
commonly accepted thing *and* implemented flawlessly in all clients.
Don't blame the browser vendors ...

!! Arguing
!! that using the "HttpOnly" attribute on a cookie doesn't count as web
!! application security makes very little sense.

Same question again: How does the application know that the sent cookie
was protected with the HttpOnly attribute?

!! Actually, browsers are fairly consistent in how they handle cookies.

Sorry, have to disagree with that. As I explained in my initial post,
there are random behaviours with path and domain attributes.
Again the question: how does the application know why a cookie was sent?

Finally, there is no reason to say that cookie attributes (path, domain,
httponly, secure, some more for Cookie2) are bad, it's just that there
is no way for the application to know why the cookie it got was sent;
they don't contain these attributes.
There's the threat. One major rule in web application security: don't
trust client data. But cookies are always a big exception to that rule.
Strange ... {-:

Achim
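An added example (not code from Achim's or Brian's mails) of the point made above: Python's http.cookies shows that the Cookie request header carries only name=value pairs, so the server never sees the Path, Secure or HttpOnly it asked for; the issue/verify pair then shows one server-side mitigation, binding a signed cookie value to the scope it was issued for so the server checks the request context itself instead of trusting the client to honour the attributes. SERVER_KEY and the /account path are constructed values, and the scheme/path binding is my suggestion, not something the thread proposes.

```python
from typing import Optional
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"

def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line the server sends, with Path, Secure and HttpOnly set."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/account"
    c[name]["secure"] = True
    c[name]["httponly"] = True
    return c[name].OutputString()

def attributes_seen_by_server(cookie_header: str) -> dict:
    """Parse the Cookie request header; map each name to the attributes present.
    Browsers send only name=value, so every attribute set comes back empty."""
    c = SimpleCookie()
    c.load(cookie_header)
    return {name: {k: v for k, v in m.items() if v} for name, m in c.items()}

def issue(session_id: str, scheme: str, path: str) -> str:
    """Cookie value: session id bound to the scope it was issued for, HMAC-signed
    so the client cannot alter the embedded scope."""
    payload = f"{session_id}|{scheme}|{path}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify(value: str, req_scheme: str, req_path: str) -> Optional[str]:
    """Return the session id only if the tag is valid and the request really
    arrived in the scope the cookie was issued for (RFC 6265 path-match)."""
    try:
        session_id, scheme, path, tag = value.split("|")
    except ValueError:
        return None
    payload = f"{session_id}|{scheme}|{path}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    path_ok = req_path == path or (
        req_path.startswith(path) and (path.endswith("/") or req_path[len(path)] == "/")
    )
    if req_scheme != scheme or not path_ok:
        return None
    return session_id
```

The binding does not make a leaked cookie unusable, it only lets the server reject a value presented outside the scheme and path it was meant for, which is exactly the information the Cookie header itself never carries.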