Re: SSL VPNs and security



On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

"Web VPN" or "SSL VPN" is a term used to denote methods for accessing a
company's internal applications with a bare WWW browser, with the use of
browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
no additional software or configuration is required, and hence, corporate
users can use pretty much any computer they can put their hands on.



- Application cookies set by other applications. If passed to the
browser (as some SSL VPNs do), these cookies are separated by the use
of the "path" parameter alone, which does not necessarily establish a
browser security domain boundary. This is equivalent to the attacker
obtaining user credentials to these applications.


Yes, the path field (in Set-Cookie) doesn't buy you much; see a detailed discussion in
"Path Insecurity":
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

-Amit
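One design that avoids the cookie-sharing problem Michal describes and Amit confirms, as an added example (not code from either poster or from any real SSL VPN product): the gateway keeps each backend application's cookies in a server-side jar keyed by the VPN session and the application, so the browser never holds them, and it also shows why Path= cannot do that job in the browser, since the same-origin boundary is scheme, host and port. The class name GatewayCookieJar, the header values and the sample hosts are constructed for this example.

```python
"""Server-side cookie jar for an SSL VPN gateway (constructed example).

The gateway terminates the user's browser session and proxies to internal
apps. Instead of forwarding each app's Set-Cookie to the browser (where
only Path= would separate them under one origin), it keeps the cookies
server-side, keyed by VPN session and backend app.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """The browser security boundary is (scheme, host, port); path is not part of it."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def same_origin(url_a: str, url_b: str) -> bool:
    return origin(url_a) == origin(url_b)


class GatewayCookieJar:
    """One jar per authenticated VPN session; backend cookies never reach the browser."""

    def __init__(self):
        # {app_name: {cookie_name: value}}
        self._jar = {}

    def absorb(self, app: str, response_headers: list) -> list:
        """Strip Set-Cookie from a backend response, storing the cookies under `app`.
        Returns the headers that may be forwarded to the browser."""
        forward = []
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                forward.append((name, value))
                continue
            c = SimpleCookie()
            c.load(value)  # parses "NAME=value; Path=/; HttpOnly; Secure"
            for key, morsel in c.items():
                self._jar.setdefault(app, {})[key] = morsel.value
        return forward

    def cookie_header(self, app: str) -> str:
        """Cookie header for an outbound request to `app` only; other apps' cookies are never sent."""
        return "; ".join(f"{k}={v}" for k, v in self._jar.get(app, {}).items())
```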
