
Re: [WEB SECURITY] Fundamental error in Corsaire's paper?



Armag,
That is interesting. I did not read the entire paper, but a quick
question to follow up on yours: does the same "hosting
environment" necessarily mean "same host" or "same origin"?  If yes,
then I guess this issue needs to be thought over.


On 4/25/06, Armag <armag666@xxxxxxxxxxxxx> wrote:
> Hi websecurity
>
> I read Corsaire's paper "Cookie Path Best Practice" by Martin O'Neal,
> published 05 April 2004 as
> http://www.corsaire.com/white-papers/040323-cookie-path-best-practice.pdf
>
> This paper talks about a problem where one app can read the cookies of
> a second app if that second app sets its cookie path to /, and recommends:
>
> 3. The Solution
> Fortunately the solution to this issue is a straightforward one. By
> simply specifying the cookie path
> argument accurately, an application can take measures to protect itself
> from flawed products that
> share the same hosting environment.
>
>
> And then I read the "Path Insecurity" by Amit Klein, published 01 March
> 2006 as
> http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html
>
> And this paper says:
>
> Let us assume then that we only need to protect Bar's
> credentials, be they in cookies or in HTTP basic authentication.
> Of course, resorting to this means that we give up most of the
> security we can hope for, but still, for academic purposes (and
> for some practical purposes too) let's only focus on credentials
> security. Note that if Bar is careful enough with the way it
> assigns cookies, i.e. by setting the cookie path to /bar/, Bar
> can prevent Foo from accessing the cookies directly. The HTTP
> authentication credentials provided for /bar/ will not be
> transmitted automatically to pages outside the /bar/ folder.
> ...
> Now, again an obvious attack is to read the cookies from
> H.document.cookie. If no such handle can be obtained, then it's
> still possible for http://www.some.site/foo/attack1.html to open
> a window to some page in /bar/, e.g.
> http://www.some.site/bar/page2.html, and now that a handle
> exists, to use it to read the cookies in /bar/ folder. If it is
> totally impossible to open a window, then perhaps the "voluntary"
> HTTP Response Splitting method described in [2] (p. 26) can be
> used.
> ...
> Conclusions
> ===========
>
> There is no such thing as path security. Two entities that share
> the same host cannot be defended from each other.
>
> So does this mean that the Corsaire paper was proven to be fundamentally
> wrong?
>
> Respectfully,
> Armag
> --
>  Armag
>  armag666@xxxxxxxxxxxxx
>
> --
> http://www.fastmail.fm - Same, same, but different…
>


--
Prasad

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


