Subject: Re: cache cookies?
From: Thomas Reinke (reinke@E-SOFTINC.COM)
Date: Mon Dec 18 2000 - 17:03:30 CST
- Next message: Larry W. Cashdollar: "More Sonata Conferencing software vulnerabilities."
- Previous message: Ryan Russell: "Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)"
- In reply to: Nick Lamb: "Re: cache cookies?"
- Next in thread: Kee Hinckley: "Re: cache cookies?"
- Reply: Thomas Reinke: "Re: cache cookies?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Nick Lamb wrote:
>
> On Thu, Dec 14, 2000 at 02:06:48AM -0500, Thomas Reinke wrote:
> > Actually, it *does* work. We have on our site a
> > working demonstration of the exploit, showing whether or not
> > you've visited one or more of more than 80 different well known
> > sites. The URL is
> >
> > http://www.securityspace.com/exploit/exploit_2a.html
>
> Not very impressive. Mozilla M18 showed very poor results, spotting
> only one of the sites I had visited (out of a dozen or so), and
> on subsequent loads after visiting more sites it reported "Cache hit"
> for everything. Tests with other sites, with a fresh browser config,
> on different systems, revealed that test results stayed low, sometimes
> zero effectiveness, usually less than 50%.
I agree the example isn't all that impressive. Mind you, we had
excellent results, but on a very specific set of configurations
(IE 5, Netscape 4.7, Win NT with latest SP, all on high speed
cable). The demo IS weak. It says it is. There are much better
mechanisms. That wasn't the point of the demo - the point was
to demonstrate the capability.
>
> Where would you store this flag? In a Cookie?
The paper describes how you could store this in a web page. In
fact, what they call "cache cookies" are in fact web pages that
contain knowledge that the server sends to the user.
Ed, Mike (authors of the paper...) if you're reading this,
perhaps it would be better if you put up your examples. #1,
I think we can all presume you spent much more time at this
than the 5 hours I spent hacking a demo and a writeup
together, and your examples should as such be functioning
much better...
Thomas
--
------------------------------------------------------------
Thomas Reinke                          Tel: (905) 331-2260
Director of Technology                 Fax: (905) 331-2504
E-Soft Inc.                       http://www.e-softinc.com
Publishers of SecuritySpace     http://www.securityspace.com
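The "cache cookie" Thomas describes above is a cacheable page whose body carries state the server sent to one particular user; the defensive check that follows from that description is whether a personalised response is storable by the browser cache at all. The script below is an added example, not code from this thread or from the paper it discusses. The sample response headers, the session-id value and the `alice` marker are constructed for illustration.

```python
"""Flag HTTP responses that could act as "cache cookies".

Added example, not code from the original thread or the paper it discusses.
A response is treated as a cache-cookie candidate when it is personalised
(it sets a cookie, or its body contains a caller-supplied per-user marker)
and the browser is still allowed to store it. Sample values are constructed.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def get_header_values(headers: Headers, name: str) -> List[str]:
    """Return every value of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control field value into {directive: argument-or-None}.

    Directive names are case-insensitive; quoted arguments lose their quotes.
    Several Cache-Control headers may be joined with commas before parsing.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cache_control(headers: Headers) -> Dict[str, Optional[str]]:
    """Merged, parsed Cache-Control directives of a response."""
    return parse_cache_control(",".join(get_header_values(headers, "Cache-Control")))


def browser_may_store(headers: Headers) -> bool:
    """True if the browser is allowed to keep a copy of this response.

    Only no-store forbids storage. no-cache and max-age=0 merely force
    revalidation; the stored copy still exists, and a cache-hit test of
    the kind discussed in the thread can still observe it.
    """
    return "no-store" not in cache_control(headers)


def looks_personalised(headers: Headers, body: str, marker: Optional[str] = None) -> bool:
    """Heuristic: a response that sets a cookie, or whose body contains a
    caller-supplied per-user marker (e.g. the username), is per-user."""
    if get_header_values(headers, "Set-Cookie"):
        return True
    return bool(marker) and marker in body


def audit(headers: Headers, body: str, marker: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means the response cannot serve as a cache cookie."""
    findings: List[str] = []
    if not looks_personalised(headers, body, marker):
        return findings
    cc = cache_control(headers)
    if "no-store" not in cc:
        findings.append("personalised response is storable by the browser: add Cache-Control: no-store")
    if "private" not in cc and "no-store" not in cc:
        findings.append("personalised response may be kept by shared caches: add Cache-Control: private")
    return findings


# Constructed sample responses (not captured traffic).
WEAK_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "max-age=86400"),
    ("Set-Cookie", "sid=EXAMPLE-SESSION-ID; Path=/"),
]
HARDENED_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-store, private"),
    ("Set-Cookie", "sid=EXAMPLE-SESSION-ID; Path=/"),
]
PAGE = "<html><body>Welcome back, alice</body></html>"

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs, PAGE, marker="alice") or ["ok"])
```

The weak configuration is the one the thread's demo relies on: a page that differs per visitor yet sits in the browser cache for a day. The hardened headers keep the same personalised body but deny the cache a copy, so there is nothing for a later cache-hit test to find.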