Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)?

from [Pilon Mntry] Network Security [Permanent Link]
Subject: Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)?
Date: Sun, 30 Apr 2006 23:40:21 -0700 (PDT) 


If I steal your cookies
via the forums (assuming PATH is / and they are both
on X.com), I have
your bank account. Naturally, it doesn't work that
way - just an
example.


You don't even have to assume that. Even if they
(forum and bank applications) use different Paths and
on different domains, you can still have the account.
:)

I'd like to add one more thing, which may seem a
little off-topic:
As G.McGraw points in his book, I think we may use
"risk" instead of "threat" in this case... 
Such as, "cookies a fundamental risk?" 

good discussion on cookies, xss, paths! while it may
seem old to big guys, it definetely increases
awareness.

-pilon


--- chris m <r0xes.ratm@gmail.com> wrote:


Cookies are not a threat to 'todays web
applications'.

It is how they are implemented, and what the
function of what they are
implemented by is (e.g. online banking), and what it
has (e.g.
forums).

If I steal your cookies
via the forums (assuming PATH is / and they are both
on X.com), I have
your bank account. Naturally, it doesn't work that
way - just an
example.

You must properly sanatise input, that's all.
Cookies are in no way insecure.

On 4/29/06, Brian Eaton <eaton.lists@gmail.com>
wrote:

On 4/29/06, Achim Hoffmann <kirke11@securenet.de>

wrote:

Well, my post is a bit off-topic to the initial

subject, but the question

and my other question "sequence of cookies in a

request" show again that

cookies are a fundametal threat in todays web

applications.

I claim too "There is no path security".
(cookie2 with encrypted values are a different

story, however ...)


I just went and looked up your old note in the

archives





(http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html).

 I didn't see any responses there.  One important

thing about the

order in which cookies are sent (that you didn't

mention in your

original note) is that they are sent with the most

restrictive path

first.  For example, if there are two cookies with

the same name, one

with a path of /one, and the other with a path of

/one/two, the

/one/two cookie is sent before the /one cookie.

I'm not entirely in agreement with your statement,

"cookies are a

fundamental threat in todays web applications." 

There is simply not a

viable replacement for the functionality they

provide.  When misguided

folks suggest that a web application not use

cookies for security

reasons, web developers just turn around and use

hidden form fields.

Hidden form fields and cookies are exactly the

same from a security

perspective.  It's just one is more difficult to

implement.


If a developer is going to spend time worrying

about cookies, I'd

rather they worried about something useful like

whether they are using

a proper random number generator for their session

IDs.


I'm just not seeing the fundamental threat from

cookies that you

describe.  Would you explain a little more fully

what you mean?


Regards,
Brian





-------------------------------------------------------------------------

Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and

leading web application

security testing suite, and the only solution to

provide comprehensive

remediation tasks at every level of the

application. Change the way you

think about application security testing - See for

yourself.

Download a Free Trial of AppScan 6.0 today!





https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF





--------------------------------------------------------------------------







---------------------------------------------------------------------

The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: [WEB SECURITY] cookies a fundamental threat?, Achim Hoffmann
Previous by Thread:  Re: cookies a fundamental threat?, chris m
Next by Thread:  yahoo mail login security, Ace123
Indexes:  [Date] [Thread] [Top] [All Lists]