Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross Site Cooking

Posted by Hemos on from the boning-up-on-the-bad-stuff dept.

Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking. Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."

4 of 125 comments (clear)

  1. Web developers by mhanoh · · Score: 5, Insightful

    Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.

    Of course cookies can be modified by a proxy. Of course sessions can be hijacked!

    1. Re:Web developers by dasil003 · · Score: 5, Insightful

      Any web developer worth their salt would be able to tell you nothing, and i mean nothing, sent or received over http should be regarded as secure.
       
      Of course cookies can be modified by a proxy. Of course sessions can be hijacked!

      Right, but hijacking a session should require at least a man-in-the-middle attack. Allowing anyone to arbitrarily grab cookies from a visitor is a pretty big gaping hole. Obviously anything requiring serious security needs SSL and/or other cryptographic measures, but for the huge number of casual websites that only need basic authentication this really throws a wrench in the works, unless you want to ask the user for their password every single time they load a page.

  2. No site should trust client-side information. by bigtallmofo · · Score: 5, Insightful

    A basic rule of web design is that information submitted from forms and cookies stored on a client computer should at the very least be validated before processing.

    Otherwise, insecure browsers like TFA mentions are only one of your worries. What's to stop someone from modifying a cookie file with a hex editor? What's to stop someone from saving a local copy of your form and modifying it and submitting the modified form to your form processor?

    --
    I'm a big tall mofo.
  3. Re:Not THAT nasty by iabervon · · Score: 3, Insightful

    Maybe I give you a session where your shipping address is my house. You buy some stuff from the site, don't pay much attention, and have it shipped to me. Or I give tons of people shopping carts containing something I sell through Amazon. Some of the people don't pay attention and accidentally include my item in their next purchase. Or I create a session with a site but don't log in, and I give it to them. They use it, find they aren't logged in, log in, and I'm also logged in as them (since I'm using the same session).