Vulnerability Development mailing list archives
Re: Cookies
From: George <georger () NLS NET>
Date: Sun, 6 Aug 2000 17:19:47 -0400
Yep, I thought about it some. Never did any experiments, however. I assume that it is illegal to break into someone else's Web server in this way.
I would assume that if their webserver is requesting information stored on my computer, it is their responsibility to verify that data, not mine?
The nickname I gave to the problem is "poison cookie".
Excellent name. One of the possibilities I'm currently looking at is if someone were to write a program that goes through their cookies and sets all digits it finds to zero, could this cause a divide-by-zero type error back at the server end. The other possibility we discussed was embedding odd characters (ASCII values or Unicode) into the existing cookies and what possible problems that might cause for a cookie parser. I guess there is a third possibility as well: if a cookie is, say, 200 bytes long, lengthening it to 20,000 bytes could possibly cause a problem.

Geo.
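The server-side verification this message says is the site's responsibility, as an added example that is not part of the original post: a cookie parser that rejects the three cases raised (zeroed digits, odd characters, oversized values) before the application uses the data. The cookie name `per_page`, the size limits and the function names are assumptions made for illustration.

```python
import re

MAX_HEADER_LEN = 4096   # assumed cap on the whole Cookie header, in characters
MAX_VALUE_LEN = 256     # assumed cap on a single cookie value
# RFC 6265 cookie-octet: printable ASCII except space, '"', ',', ';' and '\'
COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
COOKIE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


class BadCookie(ValueError):
    """Raised when a client-supplied cookie fails validation."""


def parse_cookie_header(header):
    """Parse a Cookie header, refusing overlong or non-conforming input."""
    if len(header) > MAX_HEADER_LEN:
        raise BadCookie("header too long")
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not COOKIE_NAME.fullmatch(name):
            raise BadCookie("malformed name=value pair")
        if len(value) > MAX_VALUE_LEN or not COOKIE_OCTETS.fullmatch(value):
            raise BadCookie("bad value for cookie %r" % name)
        cookies[name] = value
    return cookies


def bounded_int(cookies, name, lo, hi):
    """Return cookies[name] as an int in [lo, hi]; anything else is rejected."""
    raw = cookies.get(name, "")
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        raise BadCookie("%s is not a small decimal number" % name)
    n = int(raw)
    if not lo <= n <= hi:
        raise BadCookie("%s out of range" % name)
    return n


def pages_needed(header, total_items):
    """Divide by a cookie-supplied number only after it is proven non-zero."""
    cookies = parse_cookie_header(header)
    per_page = bounded_int(cookies, "per_page", 1, 100)  # lo=1 rules out zero
    return -(-total_items // per_page)                   # ceiling division
```

Rejected requests raise `BadCookie`, which the application can map to a fresh default cookie or an HTTP 400 instead of an unhandled exception.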