WebApp Sec mailing list archives
Re: Cross Site Cooking
From: john-secfocus () o-rourke org
Date: 31 Jan 2006 08:59:17 -0000
It's probably better referring to the cookies RFC (ftp://ftp.rfc-editor.org/in-notes/rfc2965.txt) rather than a very old article (http://www.ciac.org/ciac/bulletins/i-034.shtml). The RFC doesn't mention anything about numbers of dots and specific domains. Although it's all definitely a security risk, there's no way all vendors would change the mechanism without keeping backwards compatibility, it would cause chaos. So with my sites I always put a checksum in the cookie data, which allows the website to be certain no clients have altered the data manually. ------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Current thread:
- Cross Site Cooking Michal Zalewski (Jan 28)
- <Possible follow-ups>
- RE: Cross Site Cooking Amit Klein (AKsecurity) (Jan 29)
- RE: Cross Site Cooking Michal Zalewski (Jan 30)
- Re: Cross Site Cooking Aman Raheja (Jan 31)
- Re: Cross Site Cooking Michal Zalewski (Feb 02)
- Re: Cross Site Cooking john-secfocus (Jan 31)
- Re: Cross Site Cooking Erwan Legrand (Jan 31)
- Re: Cross Site Cooking Michal Zalewski (Jan 31)
- RE: Cross Site Cooking Evans, Arian (Jan 31)