[Owasp-testing] Copy Cookies
daniel.cuthbert at owasp.org
Thu Jul 22 03:45:38 EDT 2010
I'm not so keen on adding remote address, not always the best approach.
My approach would be:
1: ensure simultaneous logins are not enabled by default
2: ensure the session timeout is low (15-20 minutes) as Nam mentioned
3: The HttpOnly flag should be set on the cookie
Again, what Nam mentioned about any sensitive information being in the cookie
On 22 July 2010 05:23, Nam T. Nguyen <namn at bluemoon.com.vn> wrote:
> A few ways:
> 1. Embed some specific information such as REMOTE_ADDRESS into the cookie.
> 2. It is unclear whether the cookie stores username/password. If it does, DON'T.
> 3. Give the cookie a shorter time out.
> Well, these don't completely solve the problem. But they will help limit the possibilities.
> Besides, if one can obtain a cookie, he pretty much can do anything else. That's how CSS and CSRF work, isn't it? In your case, this requires access to that particular machine (to __copy the cookies__). You have a bigger problem to worry about then.
> On Jul 22, 2010, at 10:03 AM, Zaki Akhmad wrote:
>> I found that the web application I am testing is vulnerable through its
>> cookies. After I successfully log in with the userid and password provided,
>> I can copy the cookies to another browser/computer so that he/she can
>> enter the web application without logging in.
>> How do I fix this vulnerability?
>> Zaki Akhmad
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
> Nam Nguyen, CISA, CISSP, CSSLP
> Blue Moon Consulting Co., Ltd.
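The three replies above amount to one set of server-side controls: a random session id that carries no credentials, a short idle timeout, HttpOnly on the cookie, one active session per user, and (optionally, since Daniel objects to it) binding the session to the client address. The following is an added example, not code from any of the list members or from OWASP, showing those controls together in a small in-memory session store; the class, function and cookie names are assumptions chosen for the illustration, and the `clock` parameter exists only so the timeout can be exercised without waiting.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Idle limit from the thread: 15-20 minutes. 15 minutes here.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """In-memory session store (constructed for this example, not a real framework)."""

    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT):
        self._clock = clock
        self._idle = idle_timeout
        self._sessions = {}  # session id -> {"user", "last_seen", "ip"}
        self._by_user = {}   # user -> session id; enforces a single active session

    def login(self, user, remote_addr=None):
        """Create a session. Any existing session for the user is revoked first."""
        old = self._by_user.pop(user, None)
        if old is not None:
            # Simultaneous logins disabled: a copied cookie stops working as
            # soon as the legitimate user logs in again.
            self._sessions.pop(old, None)
        # 256 bits from the OS CSPRNG. The cookie never holds username/password.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock(), "ip": remote_addr}
        self._by_user[user] = sid
        return sid

    def resolve(self, sid, remote_addr=None):
        """Return the user for a session id, or None if the cookie is unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle:
            # Idle timeout: a replayed cookie is only useful for a short window.
            self.logout(sid)
            return None
        # Optional address binding (Nam's point 1). Daniel's objection applies:
        # clients behind changing proxies or mobile carriers get logged out,
        # so it is only enforced when the session was created with an address.
        if s["ip"] is not None and remote_addr is not None and s["ip"] != remote_addr:
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Drop a session and its per-user slot."""
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user.pop(s["user"], None)


def session_cookie_header(sid):
    """Build the Set-Cookie value: HttpOnly keeps script from reading it,
    Secure keeps it off plaintext HTTP, SameSite=Strict limits cross-site sends."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("resolves to:", store.resolve(sid))
    store.login("alice")  # second login elsewhere revokes the first cookie
    print("old cookie after re-login:", store.resolve(sid))
```

The `main` block shows the revocation path: once the user logs in a second time the first session id, copied or not, resolves to nothing. The timeout and binding checks run in the same `resolve` call, so a cookie lifted from another machine is limited by all three controls at once.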