Slashdot Mirror
Cross Site Cooking
Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking.
Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."
Web applications that depend on the browser enforcing much will offer many opportunities for mischief.
That is true regardless of what the exact nature of the issue is. Never trust user provided input.
Expecting, not just a specific third-party program but, an entire class of programs to maintain your data integrity & overall security is sheer laziness or plain incomptence.
Alternatively, only drop a session tracking ID by cookie then maintain session expiry data on the server. With this it's possible to also do things like hostmask matching, so if the hostmask of the machine sending the session doesn't match one on the database, the password can be asked for again as verification.
How many people can read hex if only you and dead people can read hex?
Yeah, that one surprised me as well, and he made it seem like modern browsers where still affected, but a simple PHP script:
<?
SetCookie("Test","Value",0,"/",".com.");
print_r($_COOKIE);
?>
Did not work in Firefox or IE6 for me, so those browsers at least, seem safe from this.
Morphing Software
with MSN network, we (large corp) banned all of their MSN domains as this is a security risk and as its intentionally deceptive on their part we had to classify it as malicious due to the intent
here (with analysis)
news report here
of course MS still use it and the surfers still have no idea its occuring, though if you block their servers you soon find out how many times they try.
never mind trusting the user, its the server and the company that does it that people cant trust