WebApp Sec mailing list archives
Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)?
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Sun, 30 Apr 2006 23:40:21 -0700 (PDT)
If I steal your cookies via the forums (assuming PATH is / and they are both on X.com), I have your bank account. Naturally, it doesn't work that way - just an example.
You don't even have to assume that. Even if they (forum and bank applications) use different Paths and are on different domains, you can still have the account. :)

I'd like to add one more thing, which may seem a little off-topic: as G. McGraw points out in his book, I think we may use "risk" instead of "threat" in this case, such as "cookies a fundamental risk?"

Good discussion on cookies, XSS, paths! While it may seem old to the big guys, it definitely increases awareness.

-pilon

--- chris m <r0xes.ratm () gmail com> wrote:
Cookies are not a threat to 'today's web applications'. It is how they are implemented, and what the function of what they are implemented by is (e.g. online banking), and what it has (e.g. forums). If I steal your cookies via the forums (assuming PATH is / and they are both on X.com), I have your bank account. Naturally, it doesn't work that way - just an example. You must properly sanitise input, that's all. Cookies are in no way insecure.

On 4/29/06, Brian Eaton <eaton.lists () gmail com> wrote:

On 4/29/06, Achim Hoffmann <kirke11 () securenet de> wrote:

Well, my post is a bit off-topic to the initial subject, but the question and my other question "sequence of cookies in a request" show again that cookies are a fundamental threat in today's web applications. I claim too "There is no path security". (cookie2 with encrypted values are a different story, however ...)

I just went and looked up your old note in the archives
(http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html).
I didn't see any responses there. One important thing about the order in which cookies are sent (that you didn't mention in your original note) is that they are sent with the most restrictive path first. For example, if there are two cookies with the same name, one with a path of /one, and the other with a path of /one/two, the /one/two cookie is sent before the /one cookie.

I'm not entirely in agreement with your statement, "cookies are a fundamental threat in today's web applications." There is simply not a viable replacement for the functionality they provide. When misguided folks suggest that a web application not use cookies for security reasons, web developers just turn around and use hidden form fields. Hidden form fields and cookies are exactly the same from a security perspective. It's just one is more difficult to implement.

If a developer is going to spend time worrying about cookies, I'd rather they worried about something useful like whether they are using a proper random number generator for their session IDs.

I'm just not seeing the fundamental threat from cookies that you describe. Would you explain a little more fully what you mean?

Regards, Brian
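Brian's point about the order in which path-scoped cookies are sent, and Achim's "there is no path security", can both be seen in the following added example (not code from the thread). It implements the RFC 6265 path-match and the "longest path first" ordering of the Cookie header over a constructed cookie jar, and adds a server-side check that flags a Cookie header carrying the same name twice, which is what a server sees when two applications on one host rely on Path to keep their cookies apart. The cookie names, values and paths are constructed for illustration.

```python
# Added example (not from the thread): RFC 6265 path-matching and Cookie
# header ordering, plus a server-side duplicate-name check.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    created: int  # constructed creation counter; smaller == set earlier


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: exact match, or cookie path is a
    prefix that ends in "/", or the next request-path character is "/"."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_header(jar: list, request_path: str) -> str:
    """Build the Cookie header as RFC 6265 section 5.4 orders it: cookies
    with longer (more specific) paths first, then earlier-created first.
    Two cookies with the same name are both sent; nothing tells the server
    which Path each one came from."""
    matching = [c for c in jar if path_matches(request_path, c.path)]
    matching.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in matching)


def duplicate_names(header: str) -> set:
    """Server-side check: cookie names that appear more than once in a
    Cookie header. Duplicates mean Path is being relied on for an isolation
    it does not provide, so a server should reject or log such requests."""
    names = [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]
    return {n for n in names if names.count(n) > 1}


# Constructed jar: the same cookie name set under /one and /one/two.
JAR = [
    Cookie("session", "from_one", "/one", 1),
    Cookie("session", "from_one_two", "/one/two", 2),
    Cookie("theme", "dark", "/", 3),
]

if __name__ == "__main__":
    hdr = cookie_header(JAR, "/one/two/page")
    print(hdr)  # session=from_one_two; session=from_one; theme=dark
    print(duplicate_names(hdr))  # {'session'}
```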
---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/