From: Blake Frantz (blakemc.net)
Date: Fri Feb 01 2002 - 22:52:54 CST

    Aside from cookie stealing, CSS vulnerabilities also open the door for
    Malware such as GodsWill/GodsMessage (http://godwill.cjb.net/)

    Food for thought.

    -Blake

    On Fri, 1 Feb 2002, E M wrote:

    > I think we are getting away from the original topic, CSS and how it affects
    > you.
    >
    > Basically the general agreement is that cookie stealing via embedded code is
    > the most dangerous use for CSS and the most common.
    >
    > This brings me to the point that cookie based authentication is unsafe
    > inherently and as far as I can tell not something that security minded
    > developers would even consider.
    >
    > So the gist is that CSS is mainly used to exploit older web apps that use
    > cookie based authentication (Prime example older versions of Yet another
    > Bulletin Board (Yabb)). Not to say it can't be used for other things, just
    > that from what I'm seeing... it's not.
    >
    > Eric McCarty
    >
    >
    >
    > >From: "Bill Pennington" <billpboarder.org>
    > >To: "Securityfocus-Vulndev" <vuln-devsecurityfocus.com>
    > >Subject: Re: CSS, CSS & let me give you some more CSS
    > >Date: Fri, 1 Feb 2002 08:38:35 -0800
    > >
    > >For any commercial site it is almost impossible to use any portion of the
    > >address for "authentication" or non-repudiation. The main reason is AOL.
    > >The last e-com site I managed 70% of our traffic came from AOL. IIRC AOL used
    > >proxy "pods" for their netblocks. I would watch users hop from IP to IP and
    > >sometimes across entire subnets during a session. Now you could code your
    > >app to break for AOL users but if you are a commercial entity that could
    > >present a few problems.
    > >
    > >The best use of IP address authentication is in a LAN environment where
    > >users are far less likely to go address hopping.
    > >
    > >
    > >----- Original Message -----
    > >From: <infoelitesoft.org>
    > >To: "Obscure" <obscureeyeonsecurity.net>
    > >Cc: "Joe Harrison" <list-generalntlworld.com>; "Securityfocus-Vulndev"
    > ><vuln-devsecurityfocus.com>
    > >Sent: Friday, February 01, 2002 8:08 AM
    > >Subject: RE: CSS, CSS & let me give you some more CSS
    > >
    > >
    > > > If you use IP address for session cookie attacker can't use
    > > > stolen cookie.
    > > > However, you can't use IP address when BGP or Proxy are used.
    > > > In this case the best protection is to change session cookie
    > > > for each transaction using transaction counter.
    > > > This will provide a transaction non-repudiation.
    > > > If such session cookie is stolen and used by a hacker prior
    > > > to a user, then user session will be blown away.
    > > >
    > > > Mike
    > > >
    > >
    > >
    >
    >
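The per-transaction cookie rotation described in Mike's quoted message, sketched as an added example that is not part of the original thread. The class and method names are hypothetical, and the in-memory dictionary stands in for real server-side session storage.

```python
import hashlib
import hmac
import secrets


class RotatingSessions:
    """Hypothetical server-side store: one secret key and one counter per session."""

    def __init__(self):
        self._sessions = {}  # session id -> [key, expected transaction counter]

    def _token(self, sid, key, counter):
        # The cookie carries the counter; the HMAC stops a client from forging one.
        mac = hmac.new(key, f"{sid}:{counter}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}:{counter}:{mac}"

    def login(self):
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._sessions[sid] = [key, 0]
        return self._token(sid, key, 0)

    def request(self, cookie):
        """Handle one transaction: return the next cookie, or None if rejected."""
        try:
            sid, counter_text, _mac = cookie.split(":")
            counter = int(counter_text)
        except ValueError:
            return None  # malformed cookie
        state = self._sessions.get(sid)
        if state is None:
            return None  # unknown or already destroyed session
        key, expected = state
        genuine = self._token(sid, key, counter)
        if not hmac.compare_digest(genuine.encode(), cookie.encode()):
            return None  # forged cookie: reject, leave the real session alone
        if counter != expected:
            # Authentic but already-used cookie: two parties hold this session,
            # so destroy it ("user session will be blown away").
            del self._sessions[sid]
            return None
        state[1] = expected + 1
        return self._token(sid, key, expected + 1)
```

Rotation of this kind assumes strictly sequential requests: parallel requests or a resubmitted page present an old counter and end the session, so a deployment has to decide how to handle those cases.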