Vulnerability Development mailing list archives
Re: Cookies
From: "netsec [davidv]" <netsec () GFI COM>
Date: Tue, 8 Aug 2000 10:12:33 +0200
Recently at a local ISP, while investigating how they use cookies, I was really shocked when I saw that by just changing an integer variable stored in a cookie you will immediately be someone else to the web server. Now if the ISP has web management for the particular user, then there will be big problems. However (please correct me if I'm wrong), the cookie format fields are not an actual standard set by the web server as regards the data stored; most probably it is the programmer who programs the format of the cookie in his own way. So we cannot have a common template of a cookie where you can say "this is exploitable, this is not!" It all boils down to the way a specific programmer decides to program. Please correct me if I'm wrong.

David Vella
-----Original Message-----
From: Denis Ducamp [mailto:Denis.Ducamp () HSC FR]
Sent: Sunday, August 06, 2000 11:30 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Cookies

On Sun, Aug 06, 2000 at 10:20:58AM -0400, George wrote:
> A few friends of mine were discussing the possibility of a custom crafted
> cookie replacing a valid cookie on a client machine being used to exploit
> the web server that placed the first cookie on the client.
> Has anyone looked at the possibility of editing a cookie to search for/exploit
> buffer overflows in the server side code that reads cookies?

In the web server itself: no.
In an HTTP application: no with a buffer overflow, but yes to access application privileges.
Most often, the cookie is used to remember the login with which you authenticated. Change that cookie and you are someone else :-( !
Other times, that cookie is used to remember which part of the web site you may access: change that cookie and you may access anywhere :-( !
Often the cookie is obfuscated with a pseudo cryptographic algorithm à la XOR using a short fixed length key.

> If there is any information on this sort of technique I would appreciate a
> pointer.

Don't know such a public document.

Denis Ducamp.
-- Denis.Ducamp () hsc fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
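The two cookie schemes the thread describes (a bare user id, and a user id XORed with a short fixed key) and a signed alternative, as an added illustration that is not part of the thread and not code from the ISP or from any poster. The cookie layout `uid=<n>`, the 2-byte key, the user ids and the HMAC-signed format are all assumptions made for the example; the attack on the XOR scheme is the classic known-plaintext recovery, since a user knows the plaintext of their own cookie.

```python
"""Added example (not from the thread): three ways a web application might
build its login cookie, and what someone holding one valid cookie can do.
Cookie layout, key and user ids are constructed for illustration."""
import hashlib
import hmac
import secrets

# --- Scheme 1: what David Vella saw at the ISP: a bare integer user id --------
def plain_cookie(uid: int) -> str:
    return f"uid={uid}"

def plain_lookup(cookie: str) -> int:
    # The server trusts whatever integer the client presents.
    return int(cookie.split("=", 1)[1])

# --- Scheme 2: "pseudo cryptographic" XOR with a short fixed key --------------
KEY = b"\x5a\x3c"   # assumed 2-byte repeating key, constructed for the example

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_cookie(uid: int, key: bytes = KEY) -> str:
    return xor_bytes(f"uid={uid}".encode(), key).hex()

def xor_lookup(cookie: str, key: bytes = KEY) -> int:
    return plain_lookup(xor_bytes(bytes.fromhex(cookie), key).decode())

def recover_xor_key(cookie: str, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: the user knows their own uid, hence the exact
    plaintext of their own cookie; ciphertext XOR plaintext is the key stream,
    and a short repeating key is fully exposed by its first key_len bytes."""
    ct = bytes.fromhex(cookie)
    stream = bytes(c ^ p for c, p in zip(ct, known_plaintext))
    return stream[:key_len]

def forge_xor_cookie(own_cookie: str, own_uid: int, target_uid: int) -> str:
    key = recover_xor_key(own_cookie, f"uid={own_uid}".encode(), len(KEY))
    return xor_cookie(target_uid, key)

# --- Scheme 3: integrity-protected cookie (HMAC over the body) -----------------
SERVER_SECRET = secrets.token_bytes(32)   # assumed: generated at startup, server-only

def signed_cookie(uid: int, secret: bytes = SERVER_SECRET) -> str:
    body = f"uid={uid}"
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def signed_lookup(cookie: str, secret: bytes = SERVER_SECRET):
    body, _, tag = cookie.rpartition("|")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None   # body edited or tag guessed: reject, do not fall back
    return plain_lookup(body)

def forge_signed_attempt(own_cookie: str, target_uid: int) -> str:
    # Edit the uid but keep the old tag: what the ISP-style attack becomes here.
    _, _, tag = own_cookie.rpartition("|")
    return f"uid={target_uid}|{tag}"

def attack_report(own_uid: int = 4711, target_uid: int = 1) -> dict:
    """Who does the server think we are after each forgery attempt?"""
    return {
        "plain": plain_lookup(plain_cookie(target_uid)),
        "xor": xor_lookup(forge_xor_cookie(xor_cookie(own_uid), own_uid, target_uid)),
        "signed": signed_lookup(forge_signed_attempt(signed_cookie(own_uid), target_uid)),
    }

if __name__ == "__main__":
    print(attack_report())   # plain and xor yield uid 1; signed yields None
```

The signed form still reveals the uid to the client and to anyone who can read the cookie; an opaque random session identifier looked up in a server-side table avoids that as well, at the cost of server state. Either way the property that matters is the one both thread posters miss in the ISP scheme: the server must be able to tell a cookie it issued from one the client edited.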