[Owasp-testing] Copy Cookies

Nam T. Nguyen namn at bluemoon.com.vn
Wed Jul 21 23:23:36 EDT 2010


A few ways:

1. Embed some specific information such as REMOTE_ADDRESS into the cookie.

2. It is unclear whether the cookie stores username/password. If it does, DON'T.

3. Give the cookie a shorter time out.

Well, these don't completely solve the problem. But they will help limit the possibilities.

Besides, if one can obtain a cookie, he pretty much can do anything else. That's how CSS and CSRF work, isn't it? In your case, this requires access to that particular machine (to __copy the cookies__). You have a bigger problem to worry about then.

Cheers
Nam

On Jul 22, 2010, at 10:03 AM, Zaki Akhmad wrote:

> Hello,
> 
> I found the web application that I test is vulnerable with its
> cookies. After I successfully login with userid and password provided,
> I can copy the cookies to another browser/computer so that he/she can
> enter the web application without login.
> 
> How do I fix this vulnerability?
> 
> Thanks!
> -- 
> Zaki Akhmad
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd.
http://www.bluemoon.com.vn
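The three mitigations from the reply above (bind the session to the client address, keep credentials out of the cookie, use a short timeout) as an added server-side sketch; this is example code written for this page, not code from the thread or from either poster. It assumes an in-memory session store and a framework that hands you the request's remote address; the IP values and timeout are constructed for the demo.

```python
import secrets
import time

# Constructed in-memory session store: opaque session id -> session record.
# The cookie carries only the id, never the userid or password (item 2).
SESSIONS = {}
IDLE_TIMEOUT = 10 * 60  # short idle timeout in seconds (item 3), assumed value


def create_session(username, remote_addr, now=None):
    """After a successful login, mint a session bound to the client address (item 1)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable; this is the whole cookie value
    SESSIONS[sid] = {"user": username, "addr": remote_addr, "last_seen": now}
    return sid


def validate_session(sid, remote_addr, now=None):
    """Return the username if the cookie is usable from this request, else None."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["addr"] != remote_addr:
        # Cookie presented from a different address than the one it was issued to:
        # reject and revoke, so the copied cookie also stops working at the origin.
        # (Caveat from the reply: this only limits the window; NAT and proxies can
        # share an address, so it is not a complete fix.)
        SESSIONS.pop(sid, None)
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)  # expired: force a fresh login
        return None
    sess["last_seen"] = now  # sliding window, renewed on each valid request
    return sess["user"]


if __name__ == "__main__":
    sid = create_session("zaki", "10.0.0.5", now=1000.0)
    print(validate_session(sid, "10.0.0.5", now=1100.0))  # zaki
    print(validate_session(sid, "10.0.0.9", now=1100.0))  # None: copied elsewhere
```

The same id presented from a second machine returns None and revokes the session, which is the behaviour the original question asked for.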