Vulnerability Development mailing list archives
Re: Cookies
From: Denis Ducamp <Denis.Ducamp () HSC FR>
Date: Tue, 8 Aug 2000 23:28:11 +0200
On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
In an http application : no with a buffer overflow but yes to access application privileges. . The more often, the cookie is used to remember the login with which you authenticated. Change that cookie and you are someone else :-( ! . Other times, that cookie is used to remember which part of the web site you may access : change that cookie and you may access anywhere :-( ! Often the cookie is obfuscated with a pseudo cryptographic algorythm à la xor using a short fixed length key.In one Web-accessible application I wrote, I did indeed put the authentication information in a cookie, but I also put an MD5 hash of the contents of the cookie appended to a secret that I placed in a configuration file, to prevent this very security problem. I'm curious, though, if anyone can point out any problems with this approach?
Do you verify that : . the cookie (before md5) isn't guessable. If the cookie mustn't be based only on constants (username, userid, fixed secret password). The better is to choose a random number at each authentification. . a cookie generated for an IP A can't be used by an IP B ? Difficulty : if the user is behind a proxy that doesn't give the client IP then another client behind that proxy may use that cookie. Other data as client software and version may be part of verified data. . when a cookie is generated for a user, that user doesn't have another cookie yet ? . a cookie received by the server hasn't exceeded its time to live ? The user have to reauthenticate himself regularly during a session. The cookie must disapear when the client is closed. Denis. -- Denis.Ducamp () hsc fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
Current thread:
- Cookies George (Aug 06)
- Re: Cookies Denis Ducamp (Aug 07)
- Re: Cookies Kev (Aug 09)
- Re: Cookies Denis Ducamp (Aug 09)
- Re: Cookies Kev (Aug 10)
- Re: Cookies Denis Ducamp (Aug 10)
- Re: Cookies Slawek (Aug 10)
- Re: Cookies Modify (Aug 10)
- Re: Cookies Kev (Aug 09)
- Re: Cookies Denis Ducamp (Aug 07)
- Re: Cookies George (Aug 07)
- Re: Cookies Crist Clark (Aug 09)
- Re: Cookies J Edgar Hoover (Aug 12)