WebApp Sec mailing list archives

RE: [WEB SECURITY] Fundamental error in Corsaire's paper?


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Thu, 27 Apr 2006 11:44:40 +0100

 
Hiya chap,

Firstly thanks for the credit; I was sure that no-one actually read
anything I wrote.  I'm touched. :p

You've covered off a pile of stuff there, but I'm just going to dip in,
pick out a couple of items and build an argument.

The concluding paragraph states, "There is no such thing as path
security. Two entities that share the same host cannot be defended from
each other".  

A simple counter example that shows this to be incorrect would be a
browser with all the mobile code support disabled and 'bar' with a
correctly specified path.  This would be, as far as I can see, immune to
all the example attacks from 'foo' contained in the paper.

However, even so, the situation described in the paper is at best
unlikely; if 'foo' and 'bar' share the same host, are hostile to one
another, and 'foo' can upload arbitrary server side code, then attacks
against the session are probably the least of your worries.  Server side
attacks are not covered in your paper, and are probably the easiest
mechanism of delivery in this scenario.  Even so, staying with session
attacks, if 'bar' doesn't correctly specify a path, then there is no
requirement for any form of client side attack at all; 'foo' just
harvests the cookies as presented by the browser.

In the more likely implementation scenario, where all the apps on a
domain do belong to the same owner (and hence are not hostile to one
another), then the path provides a mechanism whereby the cookie
footprint can be kept constrained.  For a third-party to successfully
attack the session requires a flaw in one of the applications as the
delivery mechanism.

Like I said, a correctly specified path isn't any form of universal
solution.  Conversely, I could be wrong, but I'm sure that you wouldn't
recommend not specifying the path at all?

Martin...

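As an added illustration of the cookie-footprint point in the message above (this is not code from the original post or from Corsaire), the following Python model applies the default-path and path-match rules that RFC 6265 section 5.1.4 later codified for browsers, using a constructed host where 'foo' and 'bar' live under one domain. It shows which of 'bar's cookies a browser would attach to a request into 'foo's path space depending on how Path was set.

```python
# Added example: a model of browser cookie Path scoping, written to illustrate
# the "cookie footprint" argument. It follows the default-path and path-match
# rules of RFC 6265 section 5.1.4, not any particular browser's code; the host
# and paths below are constructed for the example.
from dataclasses import dataclass
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """Path a cookie gets when Set-Cookie carries no Path attribute (RFC 6265 5.1.4)."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    if request_path.count("/") == 1:          # e.g. "/index" -> "/"
        return "/"
    return request_path[: request_path.rfind("/")]  # drop the last segment


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match: is a cookie scoped to cookie_path sent with a request to request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/bar" must not leak to "/barbaz"; it may cover "/bar/" and below
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


@dataclass
class Cookie:
    name: str
    value: str
    path: str


def set_cookie(request_url: str, name: str, value: str, path: str = "") -> Cookie:
    """Model the cookie a browser stores after a Set-Cookie received from request_url."""
    req_path = urlsplit(request_url).path
    return Cookie(name, value, path or default_path(req_path))


def cookies_sent(jar: list, request_url: str) -> dict:
    """Cookies from the jar that the browser would attach to a request to request_url."""
    req_path = urlsplit(request_url).path
    return {c.name: c.value for c in jar if path_matches(req_path, c.path)}


if __name__ == "__main__":
    host = "https://shared.example"   # constructed: 'foo' and 'bar' share this host
    jar = [
        set_cookie(host + "/bar/login", "BARSESS_loose", "s1", path="/"),    # over-broad Path
        set_cookie(host + "/bar/login", "BARSESS_tight", "s2", path="/bar"),  # correctly specified
        set_cookie(host + "/bar/login", "BARSESS_default", "s3"),            # no Path: defaults to /bar
    ]
    print("sent to /foo/:", cookies_sent(jar, host + "/foo/"))   # only BARSESS_loose
    print("sent to /bar/:", cookies_sent(jar, host + "/bar/"))   # all three
```

The model covers only the browser's decision of which cookies to attach; it does not turn Path into an isolation boundary between hostile applications on one host, which is the limitation the message itself acknowledges.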