WebApp Sec mailing list archives

Re: [WEB SECURITY] cookies a fundamental threat?


From: Achim Hoffmann <kirke11 () securenet de>
Date: Tue, 2 May 2006 23:10:38 +0200 (MEST)


On Tue, 2 May 2006, Brian Eaton wrote:

!! If the advice is "use form fields instead of domain cookies", that
!! makes plenty of sense.  Domain cookies pose a greater risk than a well
!! targeted form field.  But to say that *all* cookies pose the same risk
!! as domain cookies is a mistake.

hmm, you're still missing my intention: the application cannot control
whether the sent cookie is based on a particular path or domain attribute.

!! Suggesting to someone that they should replace all of their
!! application cookies with hidden form fields ..

No, I didn't suggest doing that (see my original mail). I also gave
hidden fields as one of a few possibilities. Please don't get stuck on
hidden fields.
If the brainstorming here, with all those good comments, finally comes to
the suggestion to use anything else, that'll be fine :)

!! .. is likely to waste their time.

aha, here it is again: don't blame the developers ...

!! https://bugzilla.mozilla.org/show_bug.cgi?id=178993#c49

HttpOnly is a good feature, and I'd recommend its usage too.
But it is still something out of the control of the application as long as it is
not a commonly accepted thing *and* implemented flawlessly in all clients.
Don't blame the browser vendors ...

!! Arguing
!! that using the "HttpOnly" attribute on a cookie doesn't count as web
!! application security makes very little sense.

Same question again: How does the application know that the sent cookie was
protected with the HttpOnly attribute?

!! Actually, browsers are fairly consistent in how they handle cookies.

Sorry, I have to disagree with that. As already explained in my initial post,
there are random behaviours with path and domain attributes.
Again the question: how does the application know why a cookie was sent?


Finally, there is no reason to say that cookie attributes (path, domain,
httponly, secure, some more for Cookie2) are bad; it's just that there is
no way for the application to know why the cookie it got was sent, since they
don't carry these attributes. There's the threat.
One major rule in web application security: don't trust client data.
But cookies are always a big exception to that rule. Strange ...

{-: Achim
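The point Achim makes above (the Cookie request header carries only name=value pairs, so the server cannot tell which path, domain, Secure or HttpOnly attributes a received cookie was stored with) can be shown with a small simulation. The following is an added example written for this archive page, not code from the original thread or from either poster. It models a browser cookie jar with the RFC 6265 domain-match and path-match rules and the "longest path first" ordering, then parses the resulting header the way a server does. The cookie jar contents, host names and values are constructed for the example.

```python
"""Added example (not part of the original mailing-list post).

Two cookies with the same name but different attributes are stored in a
simulated browser jar; the server only ever sees "sid=...; sid=..." and
cannot recover which attributes each one was set with.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StoredCookie:
    """A cookie as the browser stores it: attributes live only here."""
    name: str
    value: str
    domain: str
    path: str
    secure: bool = False
    http_only: bool = False
    host_only: bool = True   # True when Set-Cookie had no Domain attribute


def domain_matches(host: str, cookie: StoredCookie) -> bool:
    """RFC 6265 5.1.3: host-only cookies need an exact host match,
    domain cookies also match every subdomain."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def build_cookie_header(jar: list[StoredCookie], url: str) -> str:
    """What the browser puts in the Cookie request header for `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    over_tls = parts.scheme == "https"
    matching = [
        c for c in jar
        if domain_matches(host, c)
        and path_matches(path, c.path)
        and (over_tls or not c.secure)
    ]
    # RFC 6265 5.4: cookies with longer paths are listed first.
    matching.sort(key=lambda c: len(c.path), reverse=True)
    # Only name=value survives; path/domain/Secure/HttpOnly are gone.
    return "; ".join(f"{c.name}={c.value}" for c in matching)


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Server side: all the application can recover is a list of pairs."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def framework_view(header: str) -> str:
    """Many cookie parsers keep one value per name; the stdlib's
    SimpleCookie keeps the last one, silently dropping the other."""
    return SimpleCookie(header)["sid"].value


# Constructed jar: the application's own session cookie (host-only,
# Secure, HttpOnly, scoped to /app) next to a same-named cookie set for
# the whole parent domain, e.g. by another host under example.com.
CONSTRUCTED_JAR = [
    StoredCookie("sid", "app-session", "app.example.com", "/app",
                 secure=True, http_only=True),
    StoredCookie("sid", "injected", "example.com", "/", host_only=False),
]

if __name__ == "__main__":
    for url in ("https://app.example.com/app/login",
                "http://app.example.com/app/login"):
        hdr = build_cookie_header(CONSTRUCTED_JAR, url)
        print(url)
        print("  Cookie:", hdr)
        print("  server sees:", parse_cookie_header(hdr))
        print("  SimpleCookie picks:", framework_view(hdr))
```

Over HTTPS the server receives "sid=app-session; sid=injected" and has no field telling it which value came from the HttpOnly, Secure, path-scoped cookie; over plain HTTP the Secure cookie is withheld and only "sid=injected" arrives, which looks like a perfectly normal single session cookie. A parser that keeps one value per name makes the choice for the application without reporting the conflict.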

