OSEC

From: Gabriel Lawrence (gabebutterflysecurity.com)
Date: Wed Feb 06 2002 - 22:10:58 CST


    Yeah, so this is an interesting issue. My thinking on subverting web
    applications is that the primary point of entry is through the use of
    session cookies. IMHO it's very dangerous to store any kind of real
    information in a cookie that could allow someone to change their
    authorization or authentication information, other than as a session
    cookie. Then the idea is to make changing that cookie so difficult that
    it doesn't represent a realistic attack strategy. So, in my thinking, one
    could reduce a lot of different kinds of attacks down to subverting
    session cookies, with a broad definition of session cookie ;-) So what I
    define as a session cookie is anything that serves as a token for either
    authentication or authorization information.

    With that in mind, I've been thinking a lot about how to determine the
    goodness of a specific mechanism that depends on cookies. This
    determination can then be used to figure out if malicious users would
    want to attack by manipulating cookies. My goal is to figure out a way
    to do this programmatically by experimenting with the communication that
    establishes the cookie to begin with. My general thought is to look at
    the variance between cookies generated over several sessions for a
    specific user. Finding any commonality between cookies issued across
    multiple sessions represents a point at which manipulating cookies can
    be used to subvert an application. In addition, one would like to be
    able to compare cookies granted to different users who have the same set
    of permissions within an application. Additional commonalities here
    could expose areas where users' capabilities are stored in the cookie.
    Then finally one would want to look at users with different permissions
    in the system and see if the commonalities identified in earlier tests
    change based on capability.

    Anyone have some other ideas?

    -gabe

    On Wed, 2002-02-06 at 11:03, The Owasp Project wrote:
    > Actually was referring to how do you test to see if
    > you can subvert an application by manipulating
    > cookies ?
    >
    > Great design ideas though ;-)
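
Added example (not part of Gabe's message or the rest of this thread): the three comparisons he describes, coded up over a handful of constructed cookies. The application, its cookie layout ("01" + user id + role + nonce), the user names and the final splice step are all assumptions made for illustration; the only thing the analysis itself relies on is that cookies of the same length can be compared byte by byte.

```python
"""Variance analysis of session cookies across sessions, users and roles.

Added example, not code from the original message. The target application
is hypothetical and is assumed to issue fixed-width cookies; the analysis
only assumes that cookies of equal length can be compared position by position.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Group = Tuple[str, str]  # (user, role)


def constant_positions(cookies: List[str]) -> Set[int]:
    """Positions whose byte is identical in every cookie of the list.

    Mixed-length cookies are not comparable positionally; an empty set is
    returned so the caller can fall back to delimiter-based field splitting
    (not shown in this example).
    """
    if not cookies:
        return set()
    length = len(cookies[0])
    if any(len(c) != length for c in cookies):
        return set()
    return {i for i in range(length) if len({c[i] for c in cookies}) == 1}


def analyze(issued: Dict[Group, List[str]]) -> Dict[str, Set[int]]:
    """Run the three comparisons from the post and classify each position.

    issued maps (user, role) -> cookies seen over several sessions of that user.
    Returned keys:
      static  - constant for everyone (format/version bytes, nothing to edit)
      user    - constant across one user's sessions but different between
                users of the same role: identity is stored in the cookie
      role    - constant across every user of a role but different between
                roles: capability is stored in the cookie
      session - varies between sessions of the same user: the actual token
    """
    all_cookies = [c for cs in issued.values() for c in cs]
    static = constant_positions(all_cookies)

    # Test 1: same user, several sessions.
    per_user = [constant_positions(cs) for cs in issued.values()]
    fixed_per_user = set.intersection(*per_user) if per_user else set()

    # Test 2: different users with the same permissions.
    by_role: Dict[str, List[str]] = defaultdict(list)
    for (_user, role), cs in issued.items():
        by_role[role].extend(cs)
    per_role = [constant_positions(cs) for cs in by_role.values()]
    fixed_per_role = set.intersection(*per_role) if per_role else set()

    # Test 3: different permissions. Whatever is fixed within each role but
    # not globally static is what changes with capability.
    length = len(all_cookies[0]) if all_cookies else 0
    return {
        "static": static,
        "user": fixed_per_user - fixed_per_role,
        "role": fixed_per_role - static,
        "session": set(range(length)) - fixed_per_user,
    }


def splice(target: str, donor: str, positions: Set[int]) -> str:
    """Copy the bytes at `positions` from donor into target.

    This is the manipulation test the post has in mind: keep a low-privilege
    user's otherwise valid cookie and overwrite only the bytes flagged as
    capability-bearing with those from a higher-privilege user's cookie. If
    the server accepts the result, authorization is being read from the
    cookie contents rather than from server-side session state.
    """
    chars = list(target)
    for i in positions:
        chars[i] = donor[i]
    return "".join(chars)


# --- Constructed sample data (hypothetical application) ----------------------
# Assumed cookie layout: "01" + 4-digit user id + 2-char role + 8-hex nonce.
def issue(user_id: str, role: str, nonce: str) -> str:
    assert len(user_id) == 4 and len(role) == 2 and len(nonce) == 8
    return "01" + user_id + role + nonce


SAMPLE: Dict[Group, List[str]] = {
    ("alice", "ad"): [issue("1734", "ad", n) for n in ("8f3a12c4", "0e77b9d1", "c4d0a5e9")],
    ("bob", "ad"): [issue("2892", "ad", n) for n in ("19ff02ab", "7b2c6e10", "a1a1b2b2")],
    ("carol", "us"): [issue("3341", "us", n) for n in ("5d5d5d5d", "3e9f00cc", "b00b1e55")],
    ("dave", "us"): [issue("4605", "us", n) for n in ("fedcba98", "01234567", "deadbeef")],
}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for kind, positions in result.items():
        print(f"{kind:8s} {sorted(positions)}")
    # Candidate forged cookie: carol's session carrying alice's role bytes.
    print(splice(SAMPLE[("carol", "us")][0], SAMPLE[("alice", "ad")][0], result["role"]))
```

Against real traffic the cookie set would come from repeated logins rather than from `issue()`, and a cookie with no "user" or "role" positions (everything that is not static varies per session) is the good outcome: nothing in it is worth editing, and the attack reduces to guessing the session positions. Variable-length or encoded cookies need decoding (base64, URL-encoding) or delimiter splitting before the same per-field comparison applies.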