WebApp Sec mailing list archives

Re: Cross Site Cooking


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Tue, 31 Jan 2006 14:26:28 +0100 (CET)

On Tue, 31 Jan 2006 john-secfocus () o-rourke org wrote:

> Although it's all definitely a security risk, there's no way all vendors
> would change the mechanism without keeping backwards compatibility, it
> would cause chaos.  So with my sites I always put a checksum in the
> cookie data, which allows the website to be certain no clients have
> altered the data manually.

Yup, but this still poses a certain problem with session cookies. The
scenario is that the attacker acquires a session ID from the server, keeps
it alive by prodding the server once in a while, then plants this ID on
the client's machine. Should the victim authenticate with the server within
that session ID, his account might become compromised.

Cryptographic protection against replay attacks is of no use, because
session cookies must be replayable. The only half-solution is to associate
session ID with a certain IP range - but that still means that, for
example, any AOL subscriber can attack any other AOL subscriber.

Cheers,
/mz


