Vulnerability Development mailing list archives
Re: How to prevent malicious linking/posting to webapps?
From: Robert Collins <robert.collins () ITDOMAIN COM AU>
Date: Thu, 14 Sep 2000 22:48:36 +1100
<..>
I am also assuming that cookies could be stolen by the attacker through stuff like javascript (ick!). However the attacker cannot directly use these cookies if we tie the session-ids to the legitimate user's source IP (risking problems for some legit users). Thus it's more likely for the stolen cookie info to be used to launch a less direct attack - like malicious links/redirects.
Using the client IP for HTTP or any other (officially) proxiable protocol will break many corporate/private LAN configurations. Many proxies mask the IP of the client behind them, and in a load-balanced situation the various requests may well come from a different proxy for each request. Also, in HTTP/1.1 the proxy-server connection is explicitly disjointed from the client-proxy connection, meaning that you may well have a single HTTP connection that handles requests for 3 or 4 different users.

I agree with the concept of one-time cookies, but your nonce must not be tied to any transport layer information; HTTP doesn't guarantee that it will stay consistent at all. Perhaps Digest Authentication (RFC 2617) could provide some inspiration? Or you could even use digest authentication, and pass the session id as the nonce for the client to hash?

Rob
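The following is an added illustration of the point made in this reply; it is not code from the thread or from any of its participants. It models two toy servers: one that binds a session to the client's source IP, and one that issues a single-use nonce per rendered form and never consults the IP. A simulated load-balanced proxy farm (constructed addresses from the TEST-NET ranges) shows the IP-bound scheme rejecting a legitimate user's requests while the nonce scheme accepts them, and still rejects a replayed nonce and a request from someone who holds only the session cookie. Class and function names are assumptions made for this example.

```python
import hmac
import secrets


class IpBoundSessionServer:
    """Session tied to the source IP seen at login (the scheme the reply argues against)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "ip": str}

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def handle_post(self, sid, client_ip):
        s = self._sessions.get(sid)
        return s is not None and s["ip"] == client_ip


class NonceSessionServer:
    """Per-session, single-use nonces; transport-layer information is ignored."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "nonce": str | None}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "nonce": None}
        return sid

    def render_form(self, sid):
        """Each page the server sends carries a fresh nonce; the previous one is invalidated."""
        nonce = secrets.token_urlsafe(16)
        self._sessions[sid]["nonce"] = nonce
        return nonce

    def handle_post(self, sid, nonce, client_ip):
        """client_ip is accepted only to show that it plays no part in the decision."""
        s = self._sessions.get(sid)
        if s is None or s["nonce"] is None:
            return False
        expected, s["nonce"] = s["nonce"], None  # consume before comparing: single use
        return hmac.compare_digest(expected, nonce)


# Constructed proxy-farm egress addresses (documentation ranges, not real hosts).
PROXY_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def simulate_proxy_pool(requests=6):
    """One legitimate user whose requests leave a proxy farm from rotating IPs.

    Returns (accepted_by_ip_bound_server, accepted_by_nonce_server)."""
    ip_srv = IpBoundSessionServer()
    nonce_srv = NonceSessionServer()
    ip_sid = ip_srv.login("alice", PROXY_POOL[0])
    n_sid = nonce_srv.login("alice")
    ip_ok = nonce_ok = 0
    for i in range(requests):
        egress_ip = PROXY_POOL[i % len(PROXY_POOL)]
        ip_ok += int(ip_srv.handle_post(ip_sid, egress_ip))
        nonce = nonce_srv.render_form(n_sid)  # user fetched the form, got a nonce
        nonce_ok += int(nonce_srv.handle_post(n_sid, nonce, egress_ip))
    return ip_ok, nonce_ok


def replay_and_forge_checks():
    """Returns (first_use_ok, replay_ok, cookie_only_ok) for the nonce server."""
    srv = NonceSessionServer()
    sid = srv.login("alice")
    nonce = srv.render_form(sid)
    first = srv.handle_post(sid, nonce, "203.0.113.10")
    replay = srv.handle_post(sid, nonce, "203.0.113.10")  # same nonce presented again
    srv.render_form(sid)  # a new form is outstanding for the real user
    # A request built from the session cookie alone (no nonce from the real form) fails.
    cookie_only = srv.handle_post(sid, "not-the-issued-nonce", "198.51.100.7")
    return first, replay, cookie_only


if __name__ == "__main__":
    print("proxy pool (ip-bound accepted, nonce accepted):", simulate_proxy_pool())
    print("(first use, replay, cookie only):", replay_and_forge_checks())
```

With six requests cycling through three proxy addresses, the IP-bound server only accepts the two that happen to leave from the login address, while the nonce server accepts all six; the same nonce server refuses the replayed nonce and the cookie-only request. The nonce is stored server-side per session, which is the simplest way to make it single-use; a Digest-style variant would instead have the client hash the nonce with its credentials, but the decision of what to bind the nonce to is the same.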