WebApp Sec mailing list archives
Re: [WEB SECURITY] cookies a fundamental threat?
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Wed, 10 May 2006 09:34:59 -0400
Hi Arian - On 5/9/06, Evans, Arian <Arian.Evans () fishnetsecurity com> wrote:
What are we, close to a decade now on this thread?
At least. =)
Per your examples below, there are a lot of different ways to use tokens (contextual) and different ways to implement tokens and /one possible way/ is a cookie, which has pros and cons, just like all the other options, but has the HUGE con of being automagically supplied by the browser...*not* even upon demand, not requiring some challenge-response scenario, but will be supplied by the browser with even the simplest tickle to make a request. This is called CSRF, or the catchier but possibly misleading "securenet session riding"! ;)
Good point. If you use hidden form fields or random elements in the URL for sessions, you get CSRF protection for free. If you are using cookies, you need to take extra steps to block CSRF attacks.
My mates and I released a proxy at BH Amsterdam that did all this for you automatically. 256 bit AES, stored flags for various bits in the HTTP resp, removed and stored things like cookies for you (which is how it worked transparently), and could be 1) URL param, 2) URI resource, 3) replace URI (most secure...and fun, 4) legacy URL/param support.
Would you be willing to summarize what kind of attacks your proxy can prevent, and what kind it cannot? Or perhaps point us to a more detailed description of what it does? Regards, Brian ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- <Possible follow-ups>
- RE: [WEB SECURITY] cookies a fundamental threat? Tom Stripling (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- RE: [WEB SECURITY] cookies a fundamental threat? Martin O'Neal (May 03)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- RE: [WEB SECURITY] cookies a fundamental threat? Martin O'Neal (May 03)
- RE: [WEB SECURITY] cookies a fundamental threat? Tom Stripling (May 03)
- RE: [WEB SECURITY] cookies a fundamental threat? Evans, Arian (May 09)
- Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 10)
- RE: [WEB SECURITY] cookies a fundamental threat? Evans, Arian (May 10)