Vulnerability Development mailing list archives

Re: CSS, CSS & let me give you some more CSS


From: Blake Frantz <blake () mc net>
Date: Fri, 1 Feb 2002 22:52:54 -0600 (CST)


Aside from cookie stealing, CSS vulnerabilities also open the door for
Malware such as GodsWill/GodsMessage (http://godwill.cjb.net/)

Food for thought.

-Blake



On Fri, 1 Feb 2002, E M wrote:

I think we are getting away from the original topic, CSS and how it affects
you.

Basically the general agreement is that cookie stealing via embedded code is 
the most dangerous use for CSS and the most common.

This brings me to the point that cookie based authentication is unsafe 
inherently and as far as I can tell not something that security minded 
developers would even consider.

So the gist is that CSS is mainly used to exploit older web apps that use
cookie based authentication (Prime example: older versions of Yet another
Bulletin Board (Yabb)). Not to say it can't be used for other things, just
that from what I'm seeing... it's not.

Eric McCarty



From: "Bill Pennington" <billp () boarder org>
To: "Securityfocus-Vulndev" <vuln-dev () securityfocus com>
Subject: Re: CSS, CSS & let me give you some more CSS
Date: Fri, 1 Feb 2002 08:38:35 -0800

For any commercial site it is almost impossible to use any portion of the
address for "authentication" or non-repudiation. The main reason is AOL. The
last e-com site I managed 70% of our traffic came from AOL. IIRC AOL used
proxy "pods" for their netblocks. I would watch users hop from IP to IP and
sometimes across entire subnets during a session. Now you could code your app
to break for AOL users but if you are a commercial entity that could present
a few problems.

The best use of IP address authentication is in a LAN environment where
users are far less likely to go address hopping.


----- Original Message -----
From: <info () elitesoft org>
To: "Obscure" <obscure () eyeonsecurity net>
Cc: "Joe Harrison" <list-general () ntlworld com>; "Securityfocus-Vulndev"
<vuln-dev () securityfocus com>
Sent: Friday, February 01, 2002 8:08 AM
Subject: RE: CSS, CSS & let me give you some more CSS


If you use the IP address for the session cookie, an attacker can't use
a stolen cookie.
However, you can't use the IP address when BGP or a proxy is used.
In this case the best protection is to change the session cookie
for each transaction using a transaction counter.
This will provide transaction non-repudiation.
If such a session cookie is stolen and used by a hacker prior
to the user, then the user's session will be blown away.

Mike





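The per-transaction cookie rotation Mike describes in the quoted message, as an added example that is not part of the original thread. The class and function names and the cookie layout (`session id.counter.HMAC`) are assumptions made for illustration; the sketch shows how a server can detect that two parties hold the same session and revoke it.

```python
import hashlib
import hmac
import secrets


class RotatingSessions:
    """Hypothetical server-side store: every accepted request rotates the cookie."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key, never leaves the server
        self._expected = {}                  # session id -> next counter to accept

    def _cookie(self, sid, n):
        mac = hmac.new(self._key, f"{sid}.{n}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{n}.{mac}"

    def login(self):
        sid = secrets.token_hex(16)
        self._expected[sid] = 0
        return self._cookie(sid, 0)

    def request(self, cookie):
        """Return (status, next_cookie); status is 'ok', 'revoked' or 'invalid'."""
        try:
            sid, n_text, _mac = cookie.split(".")
            n = int(n_text)
        except ValueError:
            return "invalid", None
        genuine = self._cookie(sid, n)
        if not hmac.compare_digest(cookie.encode(), genuine.encode()):
            return "invalid", None           # forged or corrupted value
        expected = self._expected.get(sid)
        if expected is None:
            return "invalid", None           # unknown or already revoked session
        if n != expected:
            # Genuine but stale counter: the cookie was used twice, so revoke.
            del self._expected[sid]
            return "revoked", None
        self._expected[sid] = n + 1
        return "ok", self._cookie(sid, n + 1)


def demo():
    """Constructed scenario: cookie c1 leaks and is used before the real user."""
    srv = RotatingSessions()
    _, c1 = srv.request(srv.login())   # user's first request rotates the cookie
    first = srv.request(c1)            # third party presents the leaked c1 first
    second = srv.request(c1)           # user's next request is now stale
    third = srv.request(first[1])      # session is gone for both parties
    return first[0], second[0], third[0]
```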



