john-secfocus@o-rourke.org wrote:
It's probably better referring to the cookies RFC
(ftp://ftp.rfc-editor.org/in-notes/rfc2965.txt) rather than a very old article
(http://www.ciac.org/ciac/bulletins/i-034.shtml).
The RFC doesn't mention anything about numbers of dots and specific domains.
Well, actually the RFC specifies the domain must either match the
hostname or begin with a dot and have at least an embeded dot or be
".local". Anyway, in practice what matters is not the RFC but the actual
behaviour of the software used, i.e. MSIE or Mozilla/Firefox in most cases.
Although it's all definitely a security risk, there's no way all vendors would
change the mechanism without keeping backwards compatibility, it would cause
chaos. So with my sites I always put a checksum in the cookie data, which
allows the website to be certain no clients have altered the data manually.
The correct use of a MAC (which is more than just a checksum) will
indeed make cookie tempering practically impossible. Unfortunately, it
will not block session fixation exploitations as explained at the end of
problem #1 in Michal's original mail. It's an application logic problem.
The only way to fix this is to make the session begin once the user is
authenticated, not before.
--
Erwan Legrand
Responsable Technique Produits
elegrand@denyall.com
Tel : +33 (0)1 40 07 47 28
GSM : +33 (0)6 16 60 26 09
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre-Dame des Victoires 75002 Paris - France
www.denyall.com
-------------------------------------------------------------------------
This List Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
