Vulnerability Development mailing list archives

Re: How to prevent malicious linking/posting to webapps?


From: Robert Collins <robert.collins () ITDOMAIN COM AU>
Date: Thu, 14 Sep 2000 22:48:36 +1100

<..>
I am also assuming that cookies could be stolen by the attacker through
stuff like JavaScript (ick!). However, the attacker cannot directly use
these cookies if we tie the session-ids to the legitimate user's source IP
(risking problems for some legit users). Thus it's more likely for the
stolen cookie info to be used to launch a less direct attack, like
malicious links/redirects.


Using the client IP for any HTTP or otherwise (officially) proxiable
protocol will break many corporate/private LAN configurations.

Many proxies mask the IP of the client behind them, and in a load-balanced
situation the various requests may well come from a different proxy for each
request.
Also, in HTTP/1.1 the proxy-server connection is explicitly disjoint from
the client-proxy connection, meaning that you may well have a single HTTP
connection that handles requests for 3 or 4 different users.

I agree with the concept of one-time cookies, but your nonce must not be tied
to any transport-layer information; HTTP doesn't guarantee that it stays
consistent at all.

Perhaps Digest Authentication (RFC 2617) could provide some inspiration? Or
you could even use Digest Authentication and pass the session id as the
nonce for the client to hash?

Rob
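
The following is an added worked example, not code from Rob's message or from
anyone else in this thread. It implements the suggestion above: RFC 2617
Digest Authentication (qop=auth) where the server-issued nonce carries the
session id, authenticated with an HMAC, and replay is caught by the nonce
count. Nothing about the client's IP or TCP connection enters the check, so a
user whose requests arrive through different proxies is still accepted. The
realm, user, password, session id, cnonce and client IPs are constructed for
the example; `SERVER_KEY`, `make_nonce`, `parse_nonce`, `DigestVerifier` and
`demo` are names chosen here, not part of any standard.

```python
import hashlib
import hmac
import os
import time

# Constructed values for the example: a realm, one user, and a server-side
# key used only to authenticate the nonces the server hands out.
REALM = "webapp.example"
USERS = {"alice": "correct horse battery"}
SERVER_KEY = os.urandom(32)


def md5hex(s):
    # RFC 2617 specifies MD5 for the digest itself; RFC 7616 later added SHA-256.
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(session_id, issued=None):
    """Server-issued nonce: session id, issue time and an HMAC tag.

    Deliberately contains no client IP or connection identifier, so the
    nonce stays valid no matter which proxy forwards the next request."""
    issued = int(time.time()) if issued is None else int(issued)
    body = "%s:%d" % (session_id, issued)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (body, tag)


def parse_nonce(nonce, max_age=300, now=None):
    """Return the session id embedded in a nonce if its tag and age check out,
    otherwise None."""
    parts = nonce.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    session_id, issued, tag = parts
    body = "%s:%s" % (session_id, issued)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    now = int(time.time()) if now is None else int(now)
    if now - int(issued) > max_age:
        return None
    return session_id


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side computation from RFC 2617 section 3.2.2 with qop=auth."""
    ha1 = md5hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%08x:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestVerifier:
    """Server side: validates the Authorization parameters and rejects replays
    by requiring the nonce count to increase for a given nonce."""

    def __init__(self):
        self.highest_nc = {}  # nonce -> highest nc accepted so far

    def verify(self, method, uri, auth):
        session_id = parse_nonce(auth["nonce"])
        if session_id is None:
            return None  # forged, malformed or expired nonce
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc.get(auth["nonce"], 0):
            return None  # replayed or out-of-order nonce count
        password = USERS.get(auth["username"])
        if password is None:
            return None
        expected = digest_response(auth["username"], REALM, password, method, uri,
                                   auth["nonce"], nc, auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        self.highest_nc[auth["nonce"]] = nc
        return session_id


def demo():
    """Three requests in one session, each arriving via a different proxy IP
    (constructed). The verifier never consults the IP; only the replay and
    the forged nonce are rejected."""
    verifier = DigestVerifier()
    nonce = make_nonce("sess-42")
    results = []
    for nc, proxy_ip in ((1, "10.0.0.1"), (1, "10.0.0.2"), (2, "10.0.0.3")):
        auth = {"username": "alice", "nonce": nonce, "nc": "%08x" % nc,
                "cnonce": "0a4f113b", "qop": "auth"}
        auth["response"] = digest_response("alice", REALM, USERS["alice"], "GET",
                                           "/orders", nonce, nc, auth["cnonce"])
        # proxy_ip is intentionally not passed to verify(): transport-layer
        # facts are not part of the credential.
        results.append(verifier.verify("GET", "/orders", auth))
    # A nonce whose tag has been altered by one hex digit is rejected outright.
    flipped = "0" if nonce[-1] != "0" else "1"
    forged = dict(auth, nonce=nonce[:-1] + flipped)
    results.append(verifier.verify("GET", "/orders", forged))
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC over the nonce lets the server hand out nonces without storing them;
only the highest nonce count per nonce needs server-side state, and that table
can be pruned once a nonce passes its `max_age`. Digest still sends the
username and a hash that an on-path attacker can replay within the nonce-count
window if the server does not track counts, and it does nothing for
confidentiality, so it complements TLS rather than replacing it.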

