Re: CSS, CSS & let me give you some more CSS

From: Blake Frantz (blakeat_private)
Date: Fri Feb 01 2002 - 20:52:54 PST


    Aside from cookie stealing, CSS vulnerabilities also open the door for
    Malware such as GodsWill/GodsMessage (http://godwill.cjb.net/)
    
    Food for thought.
    
    -Blake
    
    
    
    On Fri, 1 Feb 2002, E M wrote:
    
    > I think we are getting away from the original topic, CSS and how it affects
    > you.
    > 
    > Basically the general agreement is that cookie stealing via embedded code is 
    > the most dangerous use for CSS and the most common.
    > 
    > This brings me to the point that cookie based authentication is unsafe 
    > inherently and as far as I can tell not something that security minded 
    > developers would even consider.
    > 
    > So the gist is that CSS is mainly used to exploit older web apps that use
    > cookie based authentication (Prime example older versions of Yet another
    > Bulletin Board (Yabb)). Not to say it can't be used for other things, just
    > that from what I'm seeing... it's not.
    > 
    > Eric McCarty
    > 
    > 
    > 
    > >From: "Bill Pennington" <billpat_private>
    > >To: "Securityfocus-Vulndev" <vuln-devat_private>
    > >Subject: Re: CSS, CSS & let me give you some more CSS
    > >Date: Fri, 1 Feb 2002 08:38:35 -0800
    > >
    > >For any commercial site it is almost impossible to use any portion of the
    > >address for "authentication" or non-repudiation. The main reason is AOL.
    > >The last e-com site I managed 70% of our traffic came from AOL. IIRC AOL used
    > >proxy "pods" for their netblocks. I would watch users hop from IP to IP and
    > >sometimes across entire subnets during a session. Now you could code your
    > >app to break for AOL users but if you are a commercial entity that could
    > >present a few problems.
    > >
    > >The best use of IP address authentication is in a LAN environment where
    > >users are far less likely to go address hopping.
    > >
    > >
    > >----- Original Message -----
    > >From: <infoat_private>
    > >To: "Obscure" <obscureat_private>
    > >Cc: "Joe Harrison" <list-generalat_private>; "Securityfocus-Vulndev"
    > ><vuln-devat_private>
    > >Sent: Friday, February 01, 2002 8:08 AM
    > >Subject: RE: CSS, CSS & let me give you some more CSS
    > >
    > >
    > > > If you use IP address for session cookie attacker can't use
    > > > stolen cookie.
    > > > However, you can't use IP address when BGP or Proxy are used.
    > > > In this case the best protection is to change session cookie
    > > > for each transaction using transaction counter.
    > > > This will provide a transaction non-repudiation.
    > > > If such session cookie is stolen and used by a hacker prior
    > > > to a user, then user session will be blown away.
    > > >
    > > > Mike
    > > >
    > >
    > >
    > 
    > 
    > 
    > 
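
The per-transaction session cookie proposed in the quoted message from Mike, sketched as an added example that is not part of the original thread. The class name `RotatingSessions`, the `sid:counter:mac` cookie layout and the HMAC binding are assumptions made for illustration; the post only specifies a cookie that changes with a transaction counter.

```python
import hashlib
import hmac
import secrets


class RotatingSessions:
    """Session cookie reissued on every request, bound to a transaction counter."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # server-side MAC key
        self._expected = {}  # session id -> counter value accepted next

    def _cookie(self, sid, n):
        mac = hmac.new(self._key, f"{sid}:{n}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}:{n}:{mac}"

    def login(self):
        sid = secrets.token_hex(16)
        self._expected[sid] = 0
        return self._cookie(sid, 0)

    def request(self, cookie):
        """Return the replacement cookie, or None if the request is rejected."""
        try:
            sid, n, _mac = cookie.split(":")
            n = int(n)
        except ValueError:
            return None  # malformed cookie
        if not hmac.compare_digest(cookie.encode(), self._cookie(sid, n).encode()):
            return None  # forged or tampered cookie; session left untouched
        expected = self._expected.get(sid)
        if expected is None:
            return None  # unknown or already destroyed session
        if n != expected:
            # A spent cookie came back, so two parties hold this session:
            # destroy it, which is the "blown away" outcome in the post.
            del self._expected[sid]
            return None
        self._expected[sid] = n + 1
        return self._cookie(sid, n + 1)
```

A party that presents a copied cookie before the legitimate user's next request still has that one request accepted; the counter only ensures the conflict is detected and the session destroyed on the following request. Concurrent requests from a single browser trip the same check.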
    



    This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 21:06:45 PST