![webappsec logo](/images/webappsec-logo.png)
WebApp Sec mailing list archives
RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 28 Apr 2006 22:12:38 +0200
On 28 Apr 2006 at 11:58, Armag wrote:
What is the final verdict, the original topic of this thread? The Corsaire article - is there a fundamental error in the recommendation part of it?
Well, if you ask me, then yes, there is a problem in the Corsaire paper, since it doesn't mention that in almost all of the cases, the cookie path is useless for improving security. The only case wherein this recommendation actually adds security is the very rare situation of a JS-turned-off (indeed...) non-MSIE browser going to a non-IIS (or more likely non-Windows) website, and even that is not guaranteed (who knows what other tricks work for the various servers out there). So up to this negligible situation, I hold to my original claim - "There is no such thing as path security". -Amit PS - which isn't to say I'm against using cookie path. Go ahead, use it - it will probably save you from cookie namespace collisions. But don't think you buy any security this way (well, up to the aforementioned bizarre scenario, that is...) ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- Re: WebScarab Fuzzer, (continued)
- Re: WebScarab Fuzzer Rogan Dawes (Jun 11)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 27)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Dan Kuykendall (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Brian Eaton (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Armag (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Achim Hoffmann (Apr 30)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Armag (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 29)