Re: CSS, CSS & let me give you some more CSS

From: E M (rdnktrkat_private)
Date: Fri Feb 01 2002 - 11:13:43 PST

Next message: Jeff Nathan: "Re: buffer overflow on whois (redhat linux 7.0/7.1 on i686)"

Previous message: Brandon: "Re: SSHD Vuln Exploit X2"
Next in thread: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
Reply: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
Reply: Brett Moore: "New thoughts on CSS"
Reply: Blake Frantz: "Re: CSS, CSS & let me give you some more CSS"
Reply: Andre Mariën: "Re: CSS, CSS & let me give you some more CSS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I think we are getting away from the original topic, CSS and how it effects 
you.

Basically the general agreement is that cookie stealing via embedded code is 
the most dangerous use for CSS and the most common.

This brings me to the point that cookie based authentication is unsafe 
inherently and as far as I can tell not something that security minded 
developers would even consider.

So the jist is that CSS is mainly used to exploit older web app's that use 
cookie based authentication (Prime example older versions of Yet another 
Bulletin Board (Yabb). Not to say it can't be used for other things, just 
that from what I'm seeing... its not.

Eric McCarty



>From: "Bill Pennington" <billpat_private>
>To: "Securityfocus-Vulndev" <vuln-devat_private>
>Subject: Re: CSS, CSS & let me give you some more CSS
>Date: Fri, 1 Feb 2002 08:38:35 -0800
>
>For any commercial site it is almost impossible to use any portion of the
>address for "authentication" or non-repudiation. The main reason is AOL. 
>The
>last e-com site I managed 70% or our traffic came from AOL. IIRC AOL used
>proxy "pods" for their netblocks. I would watch users hop from IP to IP and
>sometime across entire subnets during a session. Now you could code your 
>app
>to break for AOL users but if you are a commercial entity that could 
>present
>a few problems.
>
>The best use to IP address authentication is in a LAN environment where
>users are far less likely to go address hoping.
>
>
>----- Original Message -----
>From: <infoat_private>
>To: "Obscure" <obscureat_private>
>Cc: "Joe Harrison" <list-generalat_private>; "Securityfocus-Vulndev"
><vuln-devat_private>
>Sent: Friday, February 01, 2002 8:08 AM
>Subject: RE: CSS, CSS & let me give you some more CSS
>
>
> > If you use IP address for session cookie attacker can't use
> > stolen cookie.
> > However, you can't use IP address when BGP or Proxy are used.
> > In this case the best protection is to change session cookie
> > for each transaction using transaction counter.
> > This will provide a transaction non-repudiation.
> > If such session cookie is stolen and used by a hacker prior
> > to a user, then user session will be blown away.
> >
> > Mike
> >
>
>


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

Next message: Jeff Nathan: "Re: buffer overflow on whois (redhat linux 7.0/7.1 on i686)"
Previous message: Brandon: "Re: SSHD Vuln Exploit X2"
Next in thread: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
Reply: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
Reply: Brett Moore: "New thoughts on CSS"
Reply: Blake Frantz: "Re: CSS, CSS & let me give you some more CSS"
Reply: Andre Mariën: "Re: CSS, CSS & let me give you some more CSS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 13:01:30 PST