Re: [WEB SECURITY] cookies a fundamental threat?

Subject: Re: [WEB SECURITY] cookies a fundamental threat?
Date: Mon, 1 May 2006 22:42:58 -0400
Hi Achim -

On 4/30/06, Achim Hoffmann <kirke11@securenet.de> wrote:
> In contrast, hidden fields can only be attacked within the application itself,
> more specifically in the page they are used in. Session riding is impossible,
> session fixation very hard; just session hijacking remains, but it is not simple
> either (I'm talking about automated attacks, not shoulder surfing).

I think this is where one of us is confused. =)

Amit's note on "Path Insecurity" described how to execute javascript
in the context of another document on the same server.  Is "Path
Insecurity" somehow limited to XSS attacks on cookies?  I don't
believe so; I suspect the same techniques AK used in that paper to
steal cookies that were accessible to other documents apply equally
well to reading hidden form fields in those documents.

I may be missing something from Amit's paper, though.  Please fill me
in if I am wrong.

Assuming I did understand Amit's paper properly, nearly all of the
attack techniques you listed in your note apply equally to hidden form
fields and cookies.  There are some practical differences.  For
example:

- Session fixation is easier with form fields than with cookies.  If
form fields are used for sessions, a session fixation attack can be
performed from any web server.  If cookies are used, it can only be
done from another web server in the same DNS domain.  Assuming the
application developer does the right thing and changes the session
cookie after authentication, session fixation is not possible in
either case.

- It is easier to steal a domain cookie than to steal a hidden form
field.  To steal a domain cookie, you just need a vulnerable server in
the same domain.  Stealing a form field requires a vulnerable page on
the server hosting the form.

The one distinct advantage cookies have over form fields is IE's
HttpOnly cookie extension.  HttpOnly doesn't make attacks impossible,
but it certainly does raise the bar a bit.

Regards,
Brian
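The two mitigations Brian relies on above, rotating the session identifier at authentication so a planted (fixated) id never becomes an authenticated one, and emitting the cookie with HttpOnly, as an added example that is not code from the thread; the `SessionStore` class, its in-memory layout and the cookie name `sid` are assumptions:

```python
"""Session-fixation defence: rotate the session id on login and send the
cookie with HttpOnly/Secure. Added example; SessionStore is hypothetical."""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> session data (constructed, in-memory)

    def new_session(self):
        """Issue an unauthenticated session id, e.g. on first visit."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)

    def login(self, presented_sid, user):
        """Authenticate and rotate: the id the client arrived with (which may
        have been chosen by an attacker) is discarded, and the authenticated
        state is bound to a fresh id that only this response hands out."""
        old = self.sessions.pop(presented_sid, None)
        data = old if old is not None else {}
        data["user"] = user
        fresh_sid = secrets.token_urlsafe(32)
        self.sessions[fresh_sid] = data
        return fresh_sid


def session_cookie_header(sid):
    """Build the Set-Cookie value: HttpOnly keeps script in the page from
    reading it via document.cookie; Secure and SameSite narrow exposure."""
    c = SimpleCookie()
    c["sid"] = sid  # token_urlsafe output needs no cookie quoting
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    planted = store.new_session()  # id an attacker could have fixed
    fresh = store.login(planted, "alice")
    print(planted != fresh, store.lookup(planted) is None)
    print(session_cookie_header(fresh))
```

After login the old id resolves to nothing, so a fixated id never carries the authenticated session.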
