WebApp Sec mailing list archives

Re: Passing data between frames


From: Mark Reardon <riscorp () mindspring com>
Date: Fri, 28 Mar 2003 17:44:16 -0500 (EST)

Being on the same server means you can use an opaque handle that translates to a file or database entry with the 
sensitive information. The real question is then how to pass the handle through the browser and ensure it isn't 
'forged'. 

I use large handles (512 bit or larger) and I encrypt them using a hash of the browser ID and high byte of the source 
IP address. I then place the handle in a cookie. I then add it to a table, and place the table index into a cookie. The 
table also has either the information being passed or a pointer to it.

When I pull the cookies, I recreate the key, decrypt the cookie thus getting the handle. If the index into the table 
shows a different handle value, I throw the whole thing away, remove the table entry, and log the attempt.

If it matches, then I know the only major vulnerability is the stealing of cookies. To narrow that window, table 
entries are timed (short) and only available once. If I need to do it multiple times (such as a session), I create a 
new handle and do it again. That makes it so the same cookie pair will cause a flush and alert.

Good luck,

Mark


-------Original Message-------
From: Chris Neil <Chris.Neil () abs-ltd com>
Sent: 03/28/03 05:33 AM
To: "'webappsec () securityfocus com'" <webappsec () securityfocus com>
Subject: Passing data between frames



What would people recommend as the best way to pass sensitive data between
frames? The frames are separate web sites hosted on the same machine.

(if it matters it's IIS)

Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS
  http://www.abs-ltd.com/
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------



----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell
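The handle-table scheme Mark describes above, worked through as an added illustration (this is not code from the thread or from either poster; all names, the `HandleTable` class, the cookie names `hidx`/`hval`, the 30-second lifetime and the sample payloads are assumptions). The reply does not name a cipher, so the "encrypt the handle under a key hashed from the browser ID and high IP byte" step is stood in for by XOR with a SHA-512 keystream derived from a server secret, that client binding and the per-handle index; each index is random and redeemed once, so each keystream is used once. The check is the one the reply describes: decrypt the cookie, compare the result with the table entry, and on any mismatch drop the entry and record an alert. The table entry is consumed on first use and expires on a short timer.

```python
"""Opaque-handle passing between two sites on one server (added example)."""
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("handle_table")

HANDLE_BYTES = 64   # a 512-bit handle, the size the reply mentions
TTL_SECONDS = 30    # "timed (short)" table entries; assumed value


def client_binding(browser_id: str, client_ip: str) -> bytes:
    """Hash of the browser ID and the high byte of the source IPv4 address.
    Only the first octet is used, so a client whose low octets change
    (proxy pool, NAT) still presents the same binding."""
    high_byte = client_ip.split(".")[0]
    return hashlib.sha256(f"{browser_id}|{high_byte}".encode()).digest()


def _keystream(server_secret: bytes, binding: bytes, index: str) -> bytes:
    """64-byte pad tied to the server secret, the client binding and the
    one-shot index.  Stand-in for the unnamed cipher in the reply; a new
    deployment would use an AEAD rather than a hand-rolled stream."""
    return hashlib.sha512(server_secret + binding + index.encode()).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HandleTable:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now            # injectable clock so expiry can be exercised
        self._entries = {}         # index -> (handle, payload, expires_at)
        self.alerts = []           # rejected attempts, the events the reply logs

    def issue(self, payload, browser_id: str, client_ip: str) -> dict:
        """Store payload under a fresh handle; return the two cookie values."""
        handle = secrets.token_bytes(HANDLE_BYTES)
        index = secrets.token_hex(16)
        self._entries[index] = (handle, payload, self._now() + TTL_SECONDS)
        binding = client_binding(browser_id, client_ip)
        enc = _xor(handle, _keystream(self._secret, binding, index))
        return {"hidx": index, "hval": enc.hex()}

    def redeem(self, cookies: dict, browser_id: str, client_ip: str):
        """Return the payload exactly once, or None.  The entry is removed on
        the first presentation whatever the outcome, so a second use of the
        same cookie pair always fails and is recorded."""
        index = cookies.get("hidx")
        entry = self._entries.pop(index, None)
        if entry is None:
            return self._reject("unknown_or_reused_index", index)
        handle, payload, expires_at = entry
        if self._now() > expires_at:
            return self._reject("expired", index)
        try:
            enc = bytes.fromhex(cookies.get("hval", ""))
        except ValueError:
            enc = b""
        binding = client_binding(browser_id, client_ip)
        presented = _xor(enc, _keystream(self._secret, binding, index))
        # A cookie replayed from a different browser or network derives a
        # different keystream, so the recovered handle will not match.
        if not hmac.compare_digest(presented, handle):
            return self._reject("handle_mismatch", index)
        return payload

    def _reject(self, reason: str, index):
        log.warning("handle rejected: %s index=%s", reason, index)
        self.alerts.append((reason, index))
        return None


if __name__ == "__main__":
    table = HandleTable(secrets.token_bytes(32))
    cookies = table.issue({"account": "demo-1234"}, "ua-A", "203.0.113.7")
    print(table.redeem(cookies, "ua-A", "203.0.113.7"))   # the payload
    print(table.redeem(cookies, "ua-A", "203.0.113.7"))   # None: one-shot
    print(table.alerts)
```

Because the entry is popped before any comparison, a reused or mismatched cookie pair both flushes the entry and leaves an alert behind, which is the "flush and alert" behaviour the reply relies on for sessions that mint a new handle per step.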

