WebApp Sec mailing list archives
Re: How to protect against cookie stealing?
From: Marc Slemko <marcs () znep com>
Date: Sun, 27 Jul 2003 09:32:22 -0700 (PDT)
Why are people going off on increasingly wild and completely impractical and horribly insecure tangents ("hey, let's just create an ActiveX control that the user installs that uses their MAC address for security") without once mentioning the fact that the net impact of cross-site scripting attacks (and related cross-domain validation type bugs in browsers) is NOT just the ability to steal cookies? It is the ability to completely control the user's interaction with the site, if a client-side scripting language such as JavaScript is enabled.

The authentication token is not the holy grail: I don't need a user's cookie or SSL certificate or cereal box decoder ring if I can just tell their browser to jump through a given series of actions on a site and then send the results off via an HTTP request to some other site.

Don't get me wrong, ensuring your authentication scheme is secure against a variety of attacks is good. But don't forget the bigger picture.