WebApp Sec mailing list archives
cookies a fundamental threat?
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Sat, 29 Apr 2006 20:06:09 -0400
On 4/29/06, Achim Hoffmann <kirke11 () securenet de> wrote:
Well, my post is a bit off-topic to the initial subject, but the question and my other question "sequence of cookies in a request" show again that cookies are a fundametal threat in todays web applications. I claim too "There is no path security". (cookie2 with encrypted values are a different story, however ...)
I just went and looked up your old note in the archives (http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html). I didn't see any responses there. One important thing about the order in which cookies are sent (that you didn't mention in your original note) is that they are sent with the most restrictive path first. For example, if there are two cookies with the same name, one with a path of /one, and the other with a path of /one/two, the /one/two cookie is sent before the /one cookie. I'm not entirely in agreement with your statement, "cookies are a fundamental threat in todays web applications." There is simply not a viable replacement for the functionality they provide. When misguided folks suggest that a web application not use cookies for securityreasons, web developers just turn around and use hidden form fields. Hidden form fields and cookies are exactly the same from a security
perspective. It's just one is more difficult to implement. If a developer is going to spend time worrying about cookies, I'd rather they worried about something useful like whether they are using a proper random number generator for their session IDs. I'm just not seeing the fundamental threat from cookies that you describe. Would you explain a little more fully what you mean? Regards, Brian ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- cookies a fundamental threat? Brian Eaton (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 02)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)? Pilon Mntry (Apr 30)