[Owasp-testing] Copy Cookies

Ernesto Arroyo earroyoron at yahoo.es
Thu Jul 22 04:00:30 EDT 2010


Using REMOTE_IP is right, but it is not a complete solution, because it could be a 
proxy IP used by an entire company to "surf" the Internet, or,
if it is the PC's own address, it's easy for an attacker to forge.

You should use a short session, and the remote_ip too. The timeout/session time 
of the cookie is an attack window :o(




________________________________
From: daniel cuthbert <daniel.cuthbert at owasp.org>
To: Nam T. Nguyen <namn at bluemoon.com.vn>
CC: owasp-testing <owasp-testing at lists.owasp.org>
Sent: Thu, 22 July 2010 09:45
Subject: Re: [Owasp-testing] Copy Cookies

I'm not so keen on adding the remote address; it's not always the best approach.

My approach would be:

1: ensure simultaneous logins are not enabled by default
2: ensure the session timeout is low (15-20 minutes) as Nam mentioned
3: The HttpOnly flag should be set on the cookie

Again, what Nam mentioned about any sensitive information being in the cookie

On 22 July 2010 05:23, Nam T. Nguyen <namn at bluemoon.com.vn> wrote:
> A few ways:
>
> 1. Embed some specific information such as REMOTE_ADDRESS into the cookie.
>
> 2. It is unclear whether the cookie stores username/password. If it does, 
> DON'T.
>
> 3. Give the cookie a shorter time out.
>
> Well, these don't completely solve the problem. But they will help limit the 
> possibilities.
>
> Besides, if one can obtain a cookie, he pretty much can do anything else. 
> That's how CSS and CSRF work, isn't it? In your case, this requires access to 
> that particular machine (to __copy the cookies__). You have a bigger problem to 
> worry about then.
>
> Cheers
> Nam
>
> On Jul 22, 2010, at 10:03 AM, Zaki Akhmad wrote:
>
>> Hello,
>>
>> I found that the web application I am testing is vulnerable in its
>> cookie handling. After I successfully log in with the userid and password provided,
>> I can copy the cookies to another browser/computer so that he/she can
>> enter the web application without logging in.
>>
>> How do I fix this vulnerability?
>>
>> Thanks!
>> --
>> Zaki Akhmad
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
> Nam Nguyen, CISA, CISSP, CSSLP
> Blue Moon Consulting Co., Ltd.
> http://www.bluemoon.com.vn
>
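The controls the thread settles on (a random server-side session handle instead of credentials in the cookie, a short idle timeout, one active session per user, HttpOnly on the cookie, and the disputed binding to REMOTE_ADDR) can be put side by side in a small session store. The following is an added example written for this page, not code from any of the posters or from OWASP; the cookie name SESSIONID, the timeout values and the `bind_ip` switch are assumptions, and the IP addresses are constructed. The `demo()` function replays Zaki's scenario, a cookie copied to a second machine, with and without IP binding, and shows the side effect Ernesto warns about: with binding, the legitimate user whose address changes is logged out too.

```python
# Added example (not from the thread): a minimal server-side session store applying the
# controls discussed above. Timeout values and the bind_ip switch are assumptions.
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies (the 15-20 min in the thread)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed value)


@dataclass
class Session:
    user: str
    client_ip: str    # REMOTE_ADDR observed at login
    created: float
    last_seen: float


class SessionStore:
    """Sessions live server-side; the cookie carries only a random handle, never credentials."""

    def __init__(self, bind_ip: bool = False):
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}   # user -> active sid; enforces one login at a time

    def login(self, user: str, client_ip: str, now: float) -> str:
        # A new login invalidates the user's previous session (no simultaneous logins).
        old_sid = self._by_user.pop(user, None)
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable handle
        self._sessions[sid] = Session(user, client_ip, now, now)
        self._by_user[user] = sid
        return sid

    def validate(self, sid: Optional[str], client_ip: str, now: float) -> Optional[str]:
        """Return the user owning a still-valid session, or None (destroying a session that fails a check)."""
        if not sid or sid not in self._sessions:
            return None
        sess = self._sessions[sid]
        idle_expired = now - sess.last_seen > IDLE_TIMEOUT
        abs_expired = now - sess.created > ABSOLUTE_TIMEOUT
        # Optional binding to the login IP: rejects a cookie replayed from another host, but also
        # logs out legitimate users whose address changes (proxy pools, mobile networks).
        ip_mismatch = self.bind_ip and not hmac.compare_digest(sess.client_ip, client_ip)
        if idle_expired or abs_expired or ip_mismatch:
            self.logout(sid)
            return None
        sess.last_seen = now   # sliding idle window
        return sess.user

    def logout(self, sid: str) -> None:
        sess = self._sessions.pop(sid, None)
        if sess is not None and self._by_user.get(sess.user) == sid:
            del self._by_user[sess.user]


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with HttpOnly (no script access) and Secure (sent over TLS only)."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="").strip()


def demo() -> Dict[str, Optional[str]]:
    """Replay the thread's scenario: a session cookie copied to a second machine."""
    t0 = 1_000_000.0
    victim_ip, other_ip = "10.0.0.5", "192.0.2.77"   # constructed addresses
    out: Dict[str, Optional[str]] = {}

    # 1. No IP binding: the copied cookie works from anywhere until the idle window closes.
    store = SessionStore(bind_ip=False)
    sid = store.login("alice", victim_ip, t0)
    out["copied_unbound"] = store.validate(sid, other_ip, t0 + 60)
    out["copied_after_idle"] = store.validate(sid, other_ip, t0 + 60 + IDLE_TIMEOUT + 1)

    # 2. IP binding: the copy is rejected, but the owner is logged out as a side effect.
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", victim_ip, t0)
    out["owner_bound"] = store.validate(sid, victim_ip, t0 + 60)
    out["copied_bound"] = store.validate(sid, other_ip, t0 + 120)
    out["owner_after_mismatch"] = store.validate(sid, victim_ip, t0 + 130)

    # 3. One session per user: a second login kills the first.
    store = SessionStore()
    first = store.login("bob", "10.0.0.6", t0)
    second = store.login("bob", "10.0.0.9", t0 + 10)
    out["first_login_after_second"] = store.validate(first, "10.0.0.6", t0 + 20)
    out["second_login"] = store.validate(second, "10.0.0.9", t0 + 20)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} -> {value!r}")
    print(session_cookie_header("example-sid"))
```

The store keeps the decision about IP binding configurable on purpose: behind a corporate proxy every user shares one address, so binding adds little, while users on changing addresses get logged out spuriously. The idle timeout is what actually closes the window on a copied cookie in either configuration, which is the point both Nam and Ernesto make.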


