Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)

From: Dug Song (dugsongat_private)
Date: Thu Aug 30 2001 - 13:24:14 PDT

Next message: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"

Previous message: Jose Nazario: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Jose Nazario: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Next in thread: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Aug 30, 2001 at 03:37:01PM -0400, Jose Nazario wrote:

> predictive cookie values are nothing new. :)

fubob cracked the WSJ.com master key with a simple adaptive chosen
plaintext attack last year. see his paper on client web authentication
(which won best student paper at this past USENIX) for a nice overview:

	http://cookies.lcs.mit.edu/

-d.

---
http://www.monkey.org/~dugsong/

Next message: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Previous message: Jose Nazario: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Jose Nazario: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Next in thread: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 13:44:12 PDT