[unisog] Using cookies for authentication

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Mar 7 15:11:00 GMT 2003

On Fri, 07 Mar 2003 13:26:18 +1300, Russell Fulton <r.fulton at auckland.ac.nz>  said:

> Two schemes that occur to me are 1/ to tamper with the browser (so it
> writes the cookie to disk or better still sends it directly to the
> attacker) or 2/ to introduce malware on the the user's computer that
> will search for the cookie in memory and send it to the attacker.  If an
> attacker has the ability to do either of these things then they could
> probably also install keyboard loggers and grab the users credentials
> directly -- something that affects almost all authentication systems so
> I am ignoring this for this particular exercise.

You overlooked '3/ feed IE something malicious'.

> What I am really focusing on is the risk of browser bugs and XSS bugs
> that might allow the cookie to be stolen.  We must assume that the
> attacker may have a web server under their control in the same domain as
> the cookie and that they may be able to induce users to visit the site.

That's the problem.  You don't need to assume that.  You need to assume that
any site is malicious and/or has an XSS bug allowing a malicious user to
inject HTML.  And IE is infamous for be easily confused regarding the
zone of scripts and objects...

So the requirement is that a *user* induce the target user to visit the
XSS-buggy site, which is trivial.. "Hey George, go check out the latest
entry on my blog, it's a hoot..." - attach a URL and put up the big Game Over
sign.  The sad part is that this is *MOST* likely to work inside your
target audience - people won't go check a blog because somebody from Zaire
tells them to (usually ;), but they will if the guy 3 cubicles over says
so.  And it's the disgruntled  guy 3 cubes over that is both most likely
to know that your site uses cookies, *AND* to have something to gain by
doing something evil about it....
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20030307/9e48e874/attachment-0007.bin

More information about the unisog mailing list