Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

cookies a fundamental threat?

from [Brian Eaton] Network Security [Permanent Link]
Subject: cookies a fundamental threat?
Date: Sat, 29 Apr 2006 20:06:09 -0400
On 4/29/06, Achim Hoffmann <kirke11@securenet.de> wrote: 
Well, my post is a bit off-topic to the initial subject, but the question
and my other question "sequence of cookies in a request" show again that
cookies are a fundametal threat in todays web applications.
I claim too "There is no path security".
(cookie2 with encrypted values are a different story, however ...)


I just went and looked up your old note in the archives
(http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html).
I didn't see any responses there.  One important thing about the
order in which cookies are sent (that you didn't mention in your
original note) is that they are sent with the most restrictive path
first.  For example, if there are two cookies with the same name, one
with a path of /one, and the other with a path of /one/two, the
/one/two cookie is sent before the /one cookie.

I'm not entirely in agreement with your statement, "cookies are a
fundamental threat in todays web applications." There is simply not a
viable replacement for the functionality they provide. When misguided
folks suggest that a web application not use cookies for security
reasons, web developers just turn around and use hidden form fields. Hidden form fields and cookies are exactly the same from a security
perspective. It's just one is more difficult to implement.

If a developer is going to spend time worrying about cookies, I'd
rather they worried about something useful like whether they are using
a proper random number generator for their session IDs.

I'm just not seeing the fundamental threat from cookies that you
describe.  Would you explain a little more fully what you mean?

Regards,
Brian

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • cookies a fundamental threat?, Brian Eaton <=
Previous by Date:  Re: [WEB SECURITY] Fundamental error in Corsaire's paper?, Achim Hoffmann
Previous by Thread:  SF new article announcement: Five common Web application vulnerabilities, Andrew van der Stock
Indexes:  [Date] [Thread] [Top] [All Lists]