WebApp Sec mailing list archives

Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)?

From: Pilon Mntry <pilonmntry () yahoo com>
Date: Sun, 30 Apr 2006 23:40:21 -0700 (PDT)

If I steal your cookies
via the forums (assuming PATH is / and they are both
on X.com), I have
your bank account. Naturally, it doesn't work that
way - just an
example.


You don't even have to assume that. Even if they
(forum and bank applications) use different Paths and
on different domains, you can still have the account.
:)

I'd like to add one more thing, which may seem a
little off-topic:
As G.McGraw points in his book, I think we may use
"risk" instead of "threat" in this case... 
Such as, "cookies a fundamental risk?" 

good discussion on cookies, xss, paths! while it may
seem old to big guys, it definetely increases
awareness.

-pilon


--- chris m <r0xes.ratm () gmail com> wrote:

Cookies are not a threat to 'todays web
applications'.

It is how they are implemented, and what the
function of what they are
implemented by is (e.g. online banking), and what it
has (e.g.
forums).

If I steal your cookies
via the forums (assuming PATH is / and they are both
on X.com), I have
your bank account. Naturally, it doesn't work that
way - just an
example.

You must properly sanatise input, that's all.
Cookies are in no way insecure.

On 4/29/06, Brian Eaton <eaton.lists () gmail com>
wrote:

On 4/29/06, Achim Hoffmann <kirke11 () securenet de>

wrote:

Well, my post is a bit off-topic to the initial

subject, but the question

and my other question "sequence of cookies in a

request" show again that

cookies are a fundametal threat in todays web

applications.

I claim too "There is no path security".
(cookie2 with encrypted values are a different

story, however ...)


I just went and looked up your old note in the

archives

(http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html).

 I didn't see any responses there.  One important

thing about the

order in which cookies are sent (that you didn't

mention in your

original note) is that they are sent with the most

restrictive path

first.  For example, if there are two cookies with

the same name, one

with a path of /one, and the other with a path of

/one/two, the

/one/two cookie is sent before the /one cookie.

I'm not entirely in agreement with your statement,

"cookies are a

fundamental threat in todays web applications."

There is simply not a

viable replacement for the functionality they

provide.  When misguided

folks suggest that a web application not use

cookies for security

reasons, web developers just turn around and use

hidden form fields.

Hidden form fields and cookies are exactly the

same from a security

perspective.  It's just one is more difficult to

implement.


If a developer is going to spend time worrying

about cookies, I'd

rather they worried about something useful like

whether they are using

a proper random number generator for their session

IDs.


I'm just not seeing the fundamental threat from

cookies that you

describe.  Would you explain a little more fully

what you mean?


Regards,
Brian

-------------------------------------------------------------------------

Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and

leading web application

security testing suite, and the only solution to

provide comprehensive

remediation tasks at every level of the

application. Change the way you

think about application security testing - See for

yourself.

Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF

--------------------------------------------------------------------------

---------------------------------------------------------------------

The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

Current thread:

cookies a fundamental threat? Brian Eaton (Apr 30)
- Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (Apr 30)
  - Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 01)
    - Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 02)
    - Re: [WEB SECURITY] cookies a fundamental threat? Brian Eaton (May 03)
    - Re: [WEB SECURITY] cookies a fundamental threat? Achim Hoffmann (May 03)
- Re: cookies a fundamental threat? chris m (Apr 30)
  - Re: [WEB SECURITY] Re: cookies a fundamental threat (or risk)? Pilon Mntry (Apr 30)