Vulnerability Development mailing list archives

Re: Cookies

From: Kev <klmitch () MIT EDU>
Date: Tue, 8 Aug 2000 14:23:17 -0400

In an http application : no with a buffer overflow but yes to access
application privileges.
. The more often, the cookie is used to remember the login with which you
  authenticated. Change that cookie and you are someone else :-( !
. Other times, that cookie is used to remember which part of the web site
  you may access : change that cookie and you may access anywhere :-( !

Often the cookie is obfuscated with a pseudo cryptographic algorythm à la
xor using a short fixed length key.


In one Web-accessible application I wrote, I did indeed put the authentication
information in a cookie, but I also put an MD5 hash of the contents of the
cookie appended to a secret that I placed in a configuration file, to prevent
this very security problem.  I'm curious, though, if anyone can point out
any problems with this approach?
--
Kevin L. Mitchell <klmitch () mit edu>

Current thread:

Cookies George (Aug 06)
- Re: Cookies Denis Ducamp (Aug 07)
  - Re: Cookies Kev (Aug 09)
    - Re: Cookies Denis Ducamp (Aug 09)
    - Re: Cookies Kev (Aug 10)
    - Re: Cookies Denis Ducamp (Aug 10)
    - Re: Cookies Slawek (Aug 10)
    - Re: Cookies Modify (Aug 10)
- Re: Cookies Ryan Permeh (Aug 07)
- Re: Cookies Richard M. Smith (Aug 07)
  - Re: Cookies George (Aug 07)
    - Re: Cookies Crist Clark (Aug 09)
    - Re: Cookies J Edgar Hoover (Aug 12)

(Thread continues...)