WebApp Sec mailing list archives
Re: [WEB SECURITY] cookies a fundamental threat?
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 1 May 2006 22:42:58 -0400
Hi Achim -

On 4/30/06, Achim Hoffmann <kirke11 () securenet de> wrote:
> On the contrary, hidden fields can only be attacked within the application itself, more specifically in the page they are used in. Session riding is impossible, session fixation very hard; only session hijacking remains, and that is not simple either (I'm talking about automated attacks, not shoulder surfing).
I think this is where one of us is confused. =) Amit's note on "Path Insecurity" described how to execute javascript in the context of another document on the same server. Is "Path Insecurity" somehow limited to XSS attacks on cookies? I don't believe so; I suspect the same techniques AK used in that paper to steal cookies that were accessible to other documents apply equally well to reading hidden form fields in those documents. I may be missing something from Amit's paper, though. Please fill me in if I am wrong.

Assuming I did understand Amit's paper properly, nearly all of the attack techniques you listed in your note apply equally to hidden form fields and cookies. There are some practical differences. For example:

- Session fixation is easier with form fields than with cookies. If form fields are used for sessions, a session fixation attack can be performed from any web server. If cookies are used, it can only be done from another web server in the same DNS domain. Assuming the application developer does the right thing and changes the session cookie after authentication, session fixation is not possible in either case.

- It is easier to steal a domain cookie than to steal a hidden form field. To steal a domain cookie, you just need a vulnerable server in the same domain. Stealing a form field requires a vulnerable page on the server hosting the form.

The one distinct advantage cookies have over form fields is IE's HttpOnly cookie extension. HttpOnly doesn't make attacks impossible, but it certainly does raise the bar a bit.

Regards,
Brian
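The mitigation Brian relies on above (issuing a fresh session identifier once the user authenticates, so a pre-planted id becomes worthless) and the HttpOnly attribute he mentions, shown as an added example that is not part of the original thread. It is a toy in-memory session store in Python; the class and function names, the cookie name SESSIONID, and the Secure flag (which the thread does not discuss) are my own assumptions, not any real framework's API.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"  # assumed cookie name for this example


class SessionStore:
    """Minimal server-side session store keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def new_session(self):
        """Create an anonymous (pre-authentication) session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, rotate=True):
        """Authenticate the session behind `sid`.

        rotate=True  (the fix Brian assumes): the old id is discarded and
                     a new one is issued, so an id the attacker knew or
                     planted before login no longer reaches the account.
        rotate=False (the weak behaviour, kept for contrast): the
                     client-presented id stays valid after authentication.
        """
        data = self._sessions.get(sid)
        if data is None:
            # Unknown id: start from an empty session instead of trusting
            # whatever value the client presented.
            data = {"user": None}
        data["user"] = user
        if not rotate:
            self._sessions[sid] = data
            return sid
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def session_cookie_header(sid, secure=True):
    """Return the Set-Cookie value for the session id with HttpOnly set.

    HttpOnly is the IE extension the message refers to; it keeps script on
    the page from reading document.cookie.  Secure (assumed here) limits
    the cookie to HTTPS and is not discussed in the thread.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["path"] = "/"
    if secure:
        c[COOKIE_NAME]["secure"] = True
    return c[COOKIE_NAME].OutputString()


def planted_id_works_after_login(rotate):
    """Constructed scenario: an id is known before login; does it still map
    to the authenticated user afterwards?  False means fixation fails."""
    store = SessionStore()
    planted = store.new_session()  # id known before the victim logs in
    store.login(planted, "alice", rotate=rotate)
    s = store.get(planted)
    return s is not None and s["user"] == "alice"


if __name__ == "__main__":
    print("with rotation, planted id still works:", planted_id_works_after_login(True))
    print("without rotation, planted id still works:", planted_id_works_after_login(False))
    print(session_cookie_header("example-id"))
```

The point of `rotate=True` is the one Brian makes: whether the session token travels in a cookie or a hidden form field, re-issuing it at authentication time is what makes a fixated id useless. HttpOnly is the extra hurdle cookies get that a hidden field cannot have, since a field is by definition readable by script on the page.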
Current thread:
- cookies a fundamental threat? Brian Eaton (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 02)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
- Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)? Pilon Mntry (Apr 30)