WebApp Sec mailing list archives

Re: Cross Site Cooking

From: Erwan Legrand <elegrand () denyall com>
Date: Tue, 31 Jan 2006 17:12:57 +0100

john-secfocus () o-rourke org wrote:

It's probably better referring to the cookies RFC (ftp://ftp.rfc-editor.org/in-notes/rfc2965.txt) rather than a very 
old article (http://www.ciac.org/ciac/bulletins/i-034.shtml).
The RFC doesn't mention anything about numbers of dots and specific domains.

Well, actually the RFC specifies the domain must either match thehostname or begin with a dot and have at least an embeded dot or be".local". Anyway, in practice what matters is not the RFC but the actualbehaviour of the software used, i.e. MSIE or Mozilla/Firefox in most cases.

Although it's all definitely a security risk, there's no way all vendors would change the mechanism without keeping 
backwards compatibility, it would cause chaos.  So with my sites I always put a checksum in the cookie data, which allows the 
website to be certain no clients have altered the data manually.

The correct use of a MAC (which is more than just a checksum) willindeed make cookie tempering practically impossible. Unfortunately, itwill not block session fixation exploitations as explained at the end ofproblem #1 in Michal's original mail. It's an application logic problem.The only way to fix this is to make the session begin once the user isauthenticated, not before.



--
Erwan Legrand
Responsable Technique Produits
elegrand () denyall com

Tel : +33 (0)1 40 07 47 28
GSM : +33 (0)6 16 60 26 09
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre-Dame des Victoires 75002 Paris - France
www.denyall.com

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web applicationsecurity testing suite, and the only solution to provide comprehensiveremediation tasks at every level of the application. See for yourself.Download AppScan 6.0 today.


https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------

Current thread:

Cross Site Cooking Michal Zalewski (Jan 28)
- <Possible follow-ups>
- RE: Cross Site Cooking Amit Klein (AKsecurity) (Jan 29)
  - RE: Cross Site Cooking Michal Zalewski (Jan 30)
  - Re: Cross Site Cooking Aman Raheja (Jan 31)
    - Re: Cross Site Cooking Michal Zalewski (Feb 02)
- Re: Cross Site Cooking john-secfocus (Jan 31)
  - Re: Cross Site Cooking Erwan Legrand (Jan 31)
  - Re: Cross Site Cooking Michal Zalewski (Jan 31)
- RE: Cross Site Cooking Evans, Arian (Jan 31)