Vulnerability Development mailing list archives
Re: Cookies
From: Kev <klmitch () MIT EDU>
Date: Tue, 8 Aug 2000 14:23:17 -0400
> In an HTTP application: no with a buffer overflow, but yes to access application privileges. Most often, the cookie is used to remember the login with which you authenticated. Change that cookie and you are someone else :-( ! Other times, that cookie is used to remember which part of the web site you may access: change that cookie and you may access anywhere :-( ! Often the cookie is obfuscated with a pseudo-cryptographic algorithm à la XOR using a short fixed-length key.
In one Web-accessible application I wrote, I did indeed put the authentication information in a cookie, but I also put an MD5 hash of the contents of the cookie appended to a secret that I placed in a configuration file, to prevent this very security problem. I'm curious, though, if anyone can point out any problems with this approach?

--
Kevin L. Mitchell <klmitch () mit edu>
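The scheme Kev describes (cookie contents, plus MD5 over contents appended to a server-side secret) and the server-side check that rejects a tampered cookie, as an added illustration rather than code from the thread. The secret value, the `|` separator and the `user=` payload format are assumptions; the HMAC variant at the end is the standardized form of the same idea, not something the post proposes.

```python
import hashlib
import hmac

# Assumed: the secret normally lives in a configuration file, never in the cookie.
SECRET = b"example-secret-from-config-file"


def md5_tag(payload: str, secret: bytes) -> str:
    # Kev's construction: MD5(cookie contents || secret)
    return hashlib.md5(payload.encode() + secret).hexdigest()


def sign_cookie(payload: str, secret: bytes = SECRET) -> str:
    """Cookie value sent to the browser: '<payload>|<md5 of payload+secret>'."""
    return f"{payload}|{md5_tag(payload, secret)}"


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Return the payload if its tag matches, else None (cookie was altered or forged)."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(md5_tag(payload, secret), tag):
        return None
    return payload


def sign_cookie_hmac(payload: str, secret: bytes = SECRET) -> str:
    """Same design with a standard keyed MAC (HMAC-SHA256) instead of a bare hash."""
    return f"{payload}|{hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()}"


def verify_cookie_hmac(cookie: str, secret: bytes = SECRET):
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    cookie = sign_cookie("user=alice")
    print("valid   :", verify_cookie(cookie))
    # Denis' attack: swap the login but keep the old tag; the check now fails.
    forged = "user=admin|" + cookie.rpartition("|")[2]
    print("tampered:", verify_cookie(forged))
```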