Re: CSS, CSS & let me give you some more CSS
From: Blake Frantz (blake@mc.net)Date: 02/02/02
- Previous message: Blue Boar: "Re: New thoughts on CSS"
- In reply to: E M: "Re: CSS, CSS & let me give you some more CSS"
- Next in thread: Andre Mariën: "Re: CSS, CSS & let me give you some more CSS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Feb 2002 22:52:54 -0600 (CST) From: Blake Frantz <blake@mc.net> To: E M <rdnktrk@hotmail.com>
Aside from cookie stealing, CSS vulnerabilities also open the door for
Malware such as GodsWill/GodsMessage (http://godwill.cjb.net/)
Food for though.
-Blake
On Fri, 1 Feb 2002, E M wrote:
> I think we are getting away from the original topic, CSS and how it effects
> you.
>
> Basically the general agreement is that cookie stealing via embedded code is
> the most dangerous use for CSS and the most common.
>
> This brings me to the point that cookie based authentication is unsafe
> inherently and as far as I can tell not something that security minded
> developers would even consider.
>
> So the jist is that CSS is mainly used to exploit older web app's that use
> cookie based authentication (Prime example older versions of Yet another
> Bulletin Board (Yabb). Not to say it can't be used for other things, just
> that from what I'm seeing... its not.
>
> Eric McCarty
>
>
>
> >From: "Bill Pennington" <billp@boarder.org>
> >To: "Securityfocus-Vulndev" <vuln-dev@securityfocus.com>
> >Subject: Re: CSS, CSS & let me give you some more CSS
> >Date: Fri, 1 Feb 2002 08:38:35 -0800
> >
> >For any commercial site it is almost impossible to use any portion of the
> >address for "authentication" or non-repudiation. The main reason is AOL.
> >The
> >last e-com site I managed 70% or our traffic came from AOL. IIRC AOL used
> >proxy "pods" for their netblocks. I would watch users hop from IP to IP and
> >sometime across entire subnets during a session. Now you could code your
> >app
> >to break for AOL users but if you are a commercial entity that could
> >present
> >a few problems.
> >
> >The best use to IP address authentication is in a LAN environment where
> >users are far less likely to go address hoping.
> >
> >
> >----- Original Message -----
> >From: <info@elitesoft.org>
> >To: "Obscure" <obscure@eyeonsecurity.net>
> >Cc: "Joe Harrison" <list-general@ntlworld.com>; "Securityfocus-Vulndev"
> ><vuln-dev@securityfocus.com>
> >Sent: Friday, February 01, 2002 8:08 AM
> >Subject: RE: CSS, CSS & let me give you some more CSS
> >
> >
> > > If you use IP address for session cookie attacker can't use
> > > stolen cookie.
> > > However, you can't use IP address when BGP or Proxy are used.
> > > In this case the best protection is to change session cookie
> > > for each transaction using transaction counter.
> > > This will provide a transaction non-repudiation.
> > > If such session cookie is stolen and used by a hacker prior
> > > to a user, then user session will be blown away.
> > >
> > > Mike
> > >
> >
> >
>
>
> _________________________________________________________________
> MSN Photos is the easiest way to share and print your photos:
> http://photos.msn.com/support/worldwide.aspx
>
>
- Previous message: Blue Boar: "Re: New thoughts on CSS"
- In reply to: E M: "Re: CSS, CSS & let me give you some more CSS"
- Next in thread: Andre Mariën: "Re: CSS, CSS & let me give you some more CSS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
