Ulf Harnhammar wrote:
> we can redirect to a site while setting a cookie by giving $url the value
> "http://www.kuro5hin.org/\015\012Set-Cookie: evil=natas". If the cookie
> contains important data and one user can save URL's that another user will be
> redirected to, this can be serious.

While doing a pentest for a major banking website, I showed them how an attacker
could use this technique to set a permanent cookie to an invalid value,
resulting in a permanant DOS against every user that encountered the attack.

They finally understood what I was saying when I locked up a manager's browser
and he couldn't get into his own site until I deleted his bad cookie. But they
still felt it would be too much work to fix it.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]