[WEB SECURITY] Fundamental error in Corsaire's paper?
- From: "Armag" <armag666@xxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Fundamental error in Corsaire's paper?
- Date: Tue, 25 Apr 2006 14:41:55 -0700
Hi websecurity
I read Corsaire's paper "Cookie Path Best Practice" by Martin O'Neal,
published 05 April 2004 as
http://www.corsaire.com/white-papers/040323-cookie-path-best-practice.pdf
This paper talks about a problem when a first app can read cookies of
the second app if this second app sets cookie path to /, and recommends:
3. The Solution
Fortunately the solution to this issue is a straightforward one. By
simply specifying the cookie path argument accurately, an application
can take measures to protect itself from flawed products that share
the same hosting environment.
And then I read the "Path Insecurity" by Amit Klein, published 01 March
2006 as
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html
And this paper says:
Let us assume then that we only need to protect Bar's
credentials, be they in cookies or in HTTP basic authentication.
Of course, resorting to this means that we give up most of the
security we can hope for, but still, for academic purposes (and
for some practical purposes too) let's only focus on credentials
security. Note that if Bar is careful enough with the way it
assigns cookies, i.e. by setting the cookie path to /bar/, Bar
can prevent Foo to access the cookies directly. The HTTP
authentication credentials provided for /bar/ will not be
transmitted automatically to pages outside the /bar/ folder.
...
Now, again an obvious attack is to read the cookies from
H.document.cookie. If no such handle can be obtained, then it's
still possible for http://www.some.site/foo/attack1.html to open
a window to some page in /bar/, e.g.
http://www.some.site/bar/page2.html, and now that a handle
exists, to use it to read the cookies in /bar/ folder. If it is
totally impossible to open a window, then perhaps the "voluntary"
HTTP Response Splitting method described in [2] (p. 26) can be
used.
...
Conclusions
===========
There is no such thing as path security. Two entities that share
the same host cannot be defended from each other.
So does this mean that the Corsaire paper was proven to be fundamentally
wrong?
Respectfully,
Armag
--
Armag
armag666@xxxxxxxxxxxxx
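The two papers quoted above are describing two different boundaries, and the following added example (written for this archive page; it is not code from either paper or from the poster) models both of them side by side. The first is the RFC 6265 path-match rule, which decides which cookies a browser attaches to an HTTP request; the second is the same-origin policy, which decides whether script in one document may read another document's state and which compares only scheme, host and port. The URLs are the ones Amit Klein uses in his text; the cookie names and values in the jar are constructed for the example.

```python
"""Added example (not from the original post or either paper).

Models the two rules the thread is arguing about:
  * RFC 6265 section 5.1.4 path matching  -> which cookies get SENT on a request
  * the same-origin policy (scheme, host, port) -> which documents' script
    may read each other's state; the path plays no part in it
"""

from urllib.parse import urlsplit


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/bar/" matches "/bar/page2.html"
        if cookie_path.endswith("/"):
            return True
        # "/bar" matches "/bar/x" but not "/barbaz"
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent_to(url, jar):
    """Names of the cookies a browser would attach to a request for url.

    jar entries are (name, value, path). Host matching is left out because
    every URL in this model lives on the same host.
    """
    request_path = urlsplit(url).path or "/"
    return [name for name, _value, cookie_path in jar
            if path_matches(request_path, cookie_path)]


def origin(url):
    """(scheme, host, port) as the same-origin policy sees it; no path."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    """True when script loaded from url_a may read a document from url_b."""
    return origin(url_a) == origin(url_b)


# Constructed cookie jar: each application scopes its cookie to its own path,
# exactly as the Corsaire paper recommends.
JAR = [
    ("foo_session", "constructed-foo-value", "/foo/"),
    ("bar_session", "constructed-bar-value", "/bar/"),
]

FOO_PAGE = "http://www.some.site/foo/attack1.html"   # from Klein's text
BAR_PAGE = "http://www.some.site/bar/page2.html"     # from Klein's text
BAR_ON_OWN_HOST = "http://bar.some.site/"            # constructed: separate host


def summary():
    """What each rule says about the two applications sharing a host."""
    return {
        # Transport: the path attribute does keep bar_session off /foo/ requests.
        "sent_to_foo": cookies_sent_to(FOO_PAGE, JAR),
        "sent_to_bar": cookies_sent_to(BAR_PAGE, JAR),
        # Script: both pages share one origin, so the path is not a boundary.
        "foo_and_bar_same_origin": same_origin(FOO_PAGE, BAR_PAGE),
        # Moving Bar to its own host is what actually changes the origin.
        "foo_and_bar_host_same_origin": same_origin(FOO_PAGE, BAR_ON_OWN_HOST),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Running the block prints that only `foo_session` is sent to the /foo/ page and only `bar_session` to the /bar/ page, which is the property the Corsaire paper is talking about, and that the two pages are nevertheless the same origin, which is the property Klein's paper is talking about. The last line of the summary shows the one change that makes the origin comparison fail: giving the second application its own host name.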
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org