WebApp Sec mailing list archives
RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Thu, 27 Apr 2006 11:44:40 +0100
Hiya chap,

Firstly, thanks for the credit; I was sure that no-one actually read anything I wrote. I'm touched. :p

You've covered off a pile of stuff there, but I'm just going to dip in, pick out a couple of items and build an argument.

The concluding paragraph states, "There is no such thing as path security. Two entities that share the same host cannot be defended from each other". A simple counter example that shows this to be incorrect would be a browser with all the mobile code support disabled and 'bar' with a correctly specified path. This would be, as far as I can see, immune to all the example attacks from 'foo' contained in the paper.

However, even so, the situation described in the paper is at best unlikely; if 'foo' and 'bar' share the same host, are hostile to one another, and 'foo' can upload arbitrary server side code, then attacks against the session are probably the least of your worries. Server side attacks are not covered in your paper, and are probably the easiest mechanism of delivery in this scenario. Even so, staying with session attacks, if 'bar' doesn't correctly specify a path, then there is no requirement for any form of client side attack at all; 'foo' just harvests the cookies as presented by the browser.

In the more likely implementation scenario, where all the apps on a domain do belong to the same owner (and hence are not hostile to one another), then the path provides a mechanism whereby the cookie footprint can be kept constrained. For a third-party to successfully attack the session requires a flaw in one of the applications as the delivery mechanism.

Like I said, a correctly specified path isn't any form of universal solution. Conversely, I could be wrong, but I'm sure that you wouldn't recommend not specifying the path at all?

Martin...
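As an added illustration of the point Martin is making (this is example code written for this page, not from the thread, the paper or Corsaire), the following Python models the RFC 6265 path-match rule a browser applies when deciding which cookies to attach to a request on a shared host. It models only the HTTP `Cookie` header, not script access such as `document.cookie`, which is the mobile-code-dependent case Martin sets aside; the app names `/foo` and `/bar` follow the thread and the cookie values are constructed.

```python
# Model of RFC 6265 cookie path scoping on a shared host (example code,
# not the browser's or the paper's implementation).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    path: str  # Path attribute as stored by the browser


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path, used when Set-Cookie carries no Path.
    A cookie set from a top-level path such as '/bar' defaults to '/', i.e.
    site-wide: the 'path not correctly specified' case in the thread."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: '/bar' matches '/bar' and '/bar/x'
    but not '/barista' or '/foo/x'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


class CookieJar:
    """Minimal jar for one host; only the Path attribute is modelled."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set_cookie(self, set_from: str, name: str, value: str,
                   path: Optional[str] = None) -> None:
        # path=None models a Set-Cookie header with no Path attribute.
        stored = path if path is not None else default_path(set_from)
        self.cookies.append(Cookie(name, value, stored))

    def cookies_for(self, request_path: str) -> Dict[str, str]:
        """Cookies the browser would present on a request to request_path."""
        return {c.name: c.value for c in self.cookies
                if path_matches(request_path, c.path)}
```

With `Path=/bar` set explicitly, a request to `/foo/index` receives nothing from `bar`; a cookie set from `/bar` with no Path attribute defaults to `/` and is presented to `foo` as well.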