From: Gabriel Lawrence (gabebutterflysecurity.com)
Date: Wed Feb 06 2002 - 22:10:58 CST
Yeah, so this is an interesting issue. My thinking on subverting web
applications is that the primary point of entry is through the use of
session cookies. IMHO it's very dangerous to store any kind of real
information in a cookie that could allow someone to change their
authorization or authentication information, other than as a session
cookie. Then the idea is to make changing that cookie so difficult that
it doesn't represent a realistic attack strategy. So, in my thinking one
could reduce a lot of different kinds of attacks down to subverting
session cookies, with a broad definition of session cookie ;-) So what I
define as a session cookie is anything that serves as a token for either
authentication or authorization information.
With that in mind, I've been thinking a lot about how to determine the
goodness of a specific mechanism that depends on cookies. This
determination can then be used to figure out if malicious users would
want to attack by manipulating cookies. My goal is to figure out a way
to do this programmatically by experimenting with the communication that
establishes the cookie to begin with. My general thought is to look at
the variance between cookies generated over several sessions for a
specific user. Finding any commonality between cookies issued across
multiple sessions represents a point at which manipulating cookies can
be used to subvert an application. In addition, one would like to be
able to compare cookies granted to different users who have the same set
of permissions within an application. Additional commonalities here
could expose areas where users' capabilities are stored in the cookie.
Then finally one would want to look at users with different permissions
in the system and see if the commonalities identified in earlier tests
change based on capability.
Anyone have some other ideas?
On Wed, 2002-02-06 at 11:03, The Owasp Project wrote:
> Actually was referring to how do you test to see if
> you can subvert an application by manipulating
> cookies ?
> Great design ideas though ;-)
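The three comparisons the post proposes (same user across sessions, different users with the same permissions, users with different permissions) can be run mechanically as a per-position analysis of the cookie strings. The script below is an added example, not code from the original thread or from the poster; the cookie values, the user names, the roles and the assumed layout `<user-id>-<role>-<random>` are all constructed for illustration. Positions that never change within one user's sessions but differ between users are flagged as carrying identity; positions that are constant for every user sharing a role but differ between roles are flagged as carrying capability; positions that vary from session to session are the only ones that look like real session randomness. A per-position Shannon entropy over all captured cookies is computed alongside, since a low-entropy position is the natural place to start tampering.

```python
"""Positional commonality analysis of session cookies (added example).

Assumed, constructed cookie layout for the sample data (not a real app):
    <user-id: 4 hex>-<role: 2 digits>-<random: 6 hex>
"""
from collections import Counter
from math import log2

# Constructed sample: several cookies captured per user (not real data).
SESSIONS = {
    "alice": ["0a1f-01-7c3e9b", "0a1f-01-e1d204", "0a1f-01-5af77c"],
    "bob":   ["0b22-01-91c0aa", "0b22-01-0d6e13", "0b22-01-b47f20"],
    "carol": ["0c93-02-3ea8d1", "0c93-02-77b0c5", "0c93-02-d29e4f"],
}
# Assumed permission level of each test account.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def invariant_positions(cookies):
    """Indices whose character is identical in every cookie of the set."""
    n = min(len(c) for c in cookies)
    return {i for i in range(n) if len({c[i] for c in cookies}) == 1}


def position_entropy(cookies):
    """Shannon entropy in bits of the character observed at each position."""
    n = min(len(c) for c in cookies)
    result = []
    for i in range(n):
        counts = Counter(c[i] for c in cookies)
        total = sum(counts.values())
        result.append(-sum(k / total * log2(k / total) for k in counts.values()))
    return result


def classify_positions(sessions, roles):
    """Label each cookie position by what the captures suggest it encodes.

    "session": changes across one user's own sessions (looks random)
    "fixed":   same character for every user (format, separator, version)
    "role":    constant within a role, different between roles
    "user":    constant for a user, different between users of one role
    """
    per_user = {u: invariant_positions(cs) for u, cs in sessions.items()}
    n = min(len(c) for cs in sessions.values() for c in cs)
    labels = {}
    for i in range(n):
        if any(i not in inv for inv in per_user.values()):
            labels[i] = "session"
            continue
        # Constant within every user, so the first cookie is representative.
        value_of = {u: cs[0][i] for u, cs in sessions.items()}
        if len(set(value_of.values())) == 1:
            labels[i] = "fixed"
            continue
        by_role = {}
        for u, v in value_of.items():
            by_role.setdefault(roles[u], set()).add(v)
        single_per_role = all(len(vs) == 1 for vs in by_role.values())
        distinct_roles = len({next(iter(vs)) for vs in by_role.values()}) == len(by_role)
        labels[i] = "role" if single_per_role and distinct_roles else "user"
    return labels


def summarize(sessions, roles):
    """Group positions by label, sorted, for reporting or assertions."""
    grouped = {}
    for pos, label in classify_positions(sessions, roles).items():
        grouped.setdefault(label, []).append(pos)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    all_cookies = [c for cs in SESSIONS.values() for c in cs]
    entropy = position_entropy(all_cookies)
    for label, positions in summarize(SESSIONS, ROLES).items():
        print(f"{label:8s} positions {positions}")
    print("entropy per position:", [round(e, 2) for e in entropy])
```

A role that is represented by only one test account cannot be told apart from a user identifier, so each permission level needs at least two accounts before the "role" label means anything; with one admin account the admin-only byte would still surface as "user", which is enough to justify a manual look. The analysis is purely positional and says nothing about a cookie that encodes identity or capability in an encrypted or hashed blob; for those, the cross-session comparison still shows whether the blob is static per user, which is the commonality the post is after.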