Vulnerability Development mailing list archives

Re: Cookies


From: Modify <modify () ATTRITION ORG>
Date: Thu, 10 Aug 2000 11:40:41 -0600

I have been playing around with a few sites that use cookies to save
information on a client machine. More specifically, a site that saves
your zipcode so it can later be displayed when you return to do another
search.  The cookie reads as follows.

zipcode21045somewhere.com/0427410342429433681205584222429360256*

I later changed the zipcode "field" to 21046 just to see if it would
accept the cookie even though I had changed the contents.

zipcode21046somewhere.com/0427410342429433681205584222429360256*

Lo and behold, the server accepted my changes and allowed the display of
the new zipcode.

So, I proceeded to add 200+ characters to the zipcode field and reloaded
the page (cleared cache also).  The zipcode field displayed nothing so I
looked at the cookie itself to see what changes the server had made to the
file.

UniqueCountID%253D20e3a2%253Ae0d5a1a3b3%253A-800020e3a2%253Ae0d5a1a3b3%253A-769bsomewhere.com/carsapp0275700608031563020189661222429360256*

It seems the server checked to see if the client exceeds the buffer of 5
and if so, it resets the cookie to a null value.

After I entered the large data in the zipcode field I entered 6 characters
and the server did the same thing. The only thing different was that this
time the cookie was nowhere to be found on the client.  I'm unsure as to
what the hash is doing exactly to keep this information sanitized, if I
can change the values to whatever the heck I like.  Unless this is a
misconfiguration.  If anybody has any information on what happens on the
server side, maybe email me with some notes off-list (or on).

I have also noticed that some servers will give away web server
information in a cookie.

Karl

On Wed, 9 Aug 2000, Slawek wrote:

> Tuesday, August 08, 2000 11:28 PM +0200, Denis Ducamp wrote:
> > On Tue, Aug 08, 2000 at 02:23:17PM -0400, Kev wrote:
> > > In one Web-accessible application I wrote, I did indeed put the
> > > authentication information in a cookie, but I also put an MD5 hash of
> > > the contents of the cookie appended to a secret that I placed in a
> > > configuration file, to prevent this very security problem.  I'm curious,
> > > though, if anyone can point out any problems with this approach?
> >
> > Do you verify that:
> > <snip>
> > . a cookie generated for an IP A can't be used by an IP B?
> >   Difficulty: if the user is behind a proxy that doesn't give the client
> >   IP, then another client behind that proxy may use that cookie.
> >   Other data such as client software and version may be part of the
> >   verified data.
>
> oops,
>
> AFAIR some large IP-masquerading systems do use multiple IPs for
> masquerading. It may lead to requests from one user coming from more than
> one IP.
>
> Some HTTP proxies may use a similar technique.
>
> just my $.02,
> Slawek
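The thread above discusses two separate failures: a cookie whose zipcode field can be edited freely on the client, and Kev's mitigation of appending a keyed hash to the cookie contents so that such edits are detected. The following is an added example written for this archive page, not code from any poster or from the site Karl tested. It implements the keyed-hash idea with HMAC-SHA256 instead of a bare MD5 over secret and contents, and it also validates the zipcode field after the integrity check, which is the server-side behaviour Karl was guessing at. The secret value, the field names and the `zipcode` length rule are constructed for the example.

```python
"""Added example: integrity-protected cookie values.

A server that stores data in a client-side cookie cannot trust the
contents when they come back.  Appending an HMAC tag (keyed with a secret
that lives only in server-side configuration) lets the server reject any
cookie whose body was edited on the client, e.g. zipcode 21045 -> 21046.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the example; load from a config file in practice.
SECRET = b"replace-with-a-long-random-server-secret"

# A US-style five-digit zipcode; this is the "buffer of 5" from the thread
# expressed as input validation rather than as a silent reset to null.
ZIP_RE = re.compile(r"^\d{5}$")


def sign_cookie(fields, secret=SECRET):
    """Serialise fields deterministically and append an HMAC-SHA256 tag."""
    body = urlencode(sorted(fields.items()))
    tag = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_cookie(cookie, secret=SECRET):
    """Return the field dict if the tag is valid, otherwise None.

    The tag is recomputed over the body exactly as received and compared
    in constant time, so a client cannot learn anything by editing it.
    """
    body, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(parse_qsl(body, keep_blank_values=True))


def zipcode_from_cookie(cookie):
    """Integrity first, then field validation; None means 'ignore the cookie'."""
    fields = verify_cookie(cookie)
    if fields is None:
        return None
    zipcode = fields.get("zipcode", "")
    return zipcode if ZIP_RE.fullmatch(zipcode) else None


def demo():
    """Replay the experiment from the thread against the protected cookie."""
    good = sign_cookie({"zipcode": "21045"})
    _body, _sep, tag = good.rpartition("|")
    # A client edits the zipcode in the cookie text but cannot recompute
    # the tag without the server secret, so verification fails.
    edited = "zipcode=21046|" + tag
    return zipcode_from_cookie(good), zipcode_from_cookie(edited)


if __name__ == "__main__":
    print(demo())  # ('21045', None)
```

Two design points follow from the thread. First, the tag covers the whole serialised body, so any field, not just the zipcode, is protected; Kev's question about binding the cookie to an IP address could be answered by adding such attributes to `fields`, but as Denis and Slawek note, proxies and multi-address masquerading make a strict IP check unreliable, so the example leaves that out. Second, an over-long or malformed zipcode still carries a valid tag if the server itself issued it, which is why `zipcode_from_cookie` validates the field after the integrity check rather than relying on the tag alone.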
