[Owasp-testing] Copy Cookies

daniel cuthbert daniel.cuthbert at owasp.org
Thu Jul 22 03:45:38 EDT 2010


I'm not so keen on adding remote address, not always the best approach.

My approach would be:

1: ensure simultaneous logins are not enabled by default
2: ensure the session timeout is low (15-20 minutes) as Nam mentioned
3: The HttpOnly flag should be set on the cookie

Again, what Nam mentioned about any sensitive information being in the cookie

On 22 July 2010 05:23, Nam T. Nguyen <namn at bluemoon.com.vn> wrote:
> A few ways:
>
> 1. Embed some specific information such as REMOTE_ADDRESS into the cookie.
>
> 2. It is unclear whether the cookie stores username/password. If it does, DON'T.
>
> 3. Give the cookie a shorter time out.
>
> Well, these don't completely solve the problem. But they will help limit the possibilities.
>
> Besides, if one can obtain a cookie, he pretty much can do anything else. That's how CSS and CSRF work, isn't it? In your case, this requires access to that particular machine (to __copy the cookies__). You have a bigger problem to worry about then.
>
> Cheers
> Nam
>
> On Jul 22, 2010, at 10:03 AM, Zaki Akhmad wrote:
>
>> Hello,
>>
>> I found the web application that I test is vulnerable with its
>> cookies. After I successfully log in with the userid and password provided,
>> I can copy the cookies to another browser/computer so that he/she can
>> enter the web application without logging in.
>>
>> How do I fix this vulnerability?
>>
>> Thanks!
>> --
>> Zaki Akhmad
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
> Nam Nguyen, CISA, CISSP, CSSLP
> Blue Moon Consulting Co., Ltd.
> http://www.bluemoon.com.vn
>
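As an added illustration of the three points Daniel lists (no simultaneous logins, a short idle timeout, HttpOnly on the cookie), and not code from this thread or from OWASP: a minimal in-memory session store in Python. The `SessionStore` class, the injectable clock and the 15-minute constant are assumptions chosen for the example; a real application would back this with its framework's session layer.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; the 15-20 minute range suggested in the thread

class SessionStore:
    """Hypothetical in-memory store: one active session per user, idle expiry."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._sessions = {}      # session id -> (user, last_seen)
        self._by_user = {}       # user -> session id (enforces a single session)

    def login(self, user):
        """Issue a fresh session id; any earlier session for this user is revoked,
        so a cookie copied from a previous login stops working."""
        old = self._by_user.get(user)
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)     # 256 bits of entropy, not guessable
        self._sessions[sid] = (user, self._now())
        self._by_user[user] = sid
        return sid

    def lookup(self, sid):
        """Return the user for a valid, non-idle session; None otherwise."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > IDLE_TIMEOUT:
            self.logout(sid)                # idle too long: drop it server-side
            return None
        self._sessions[sid] = (user, self._now())   # sliding idle window
        return user

    def logout(self, sid):
        """Invalidate a session on the server, not merely clear the cookie."""
        entry = self._sessions.pop(sid, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)

def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly (point 3 above) keeps script from reading it;
    Secure and SameSite=Lax are added here as standard companions."""
    return (f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={IDLE_TIMEOUT}")
```

The store only holds the opaque session id; username or password never go into the cookie, which is Nam's second point.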
