Aside from cookie stealing, CSS vulnerabilities also open the door for Malware such as GodsWill/GodsMessage (http://godwill.cjb.net/) Food for though. -Blake On Fri, 1 Feb 2002, E M wrote: > I think we are getting away from the original topic, CSS and how it effects > you. > > Basically the general agreement is that cookie stealing via embedded code is > the most dangerous use for CSS and the most common. > > This brings me to the point that cookie based authentication is unsafe > inherently and as far as I can tell not something that security minded > developers would even consider. > > So the jist is that CSS is mainly used to exploit older web app's that use > cookie based authentication (Prime example older versions of Yet another > Bulletin Board (Yabb). Not to say it can't be used for other things, just > that from what I'm seeing... its not. > > Eric McCarty > > > > >From: "Bill Pennington" <billpat_private> > >To: "Securityfocus-Vulndev" <vuln-devat_private> > >Subject: Re: CSS, CSS & let me give you some more CSS > >Date: Fri, 1 Feb 2002 08:38:35 -0800 > > > >For any commercial site it is almost impossible to use any portion of the > >address for "authentication" or non-repudiation. The main reason is AOL. > >The > >last e-com site I managed 70% or our traffic came from AOL. IIRC AOL used > >proxy "pods" for their netblocks. I would watch users hop from IP to IP and > >sometime across entire subnets during a session. Now you could code your > >app > >to break for AOL users but if you are a commercial entity that could > >present > >a few problems. > > > >The best use to IP address authentication is in a LAN environment where > >users are far less likely to go address hoping. > > > > > >----- Original Message ----- > >From: <infoat_private> > >To: "Obscure" <obscureat_private> > >Cc: "Joe Harrison" <list-generalat_private>; "Securityfocus-Vulndev" > ><vuln-devat_private> > >Sent: Friday, February 01, 2002 8:08 AM > >Subject: RE: CSS, CSS & let me give you some more CSS > > > > > > > If you use IP address for session cookie attacker can't use > > > stolen cookie. > > > However, you can't use IP address when BGP or Proxy are used. > > > In this case the best protection is to change session cookie > > > for each transaction using transaction counter. > > > This will provide a transaction non-repudiation. > > > If such session cookie is stolen and used by a hacker prior > > > to a user, then user session will be blown away. > > > > > > Mike > > > > > > > > > > _________________________________________________________________ > MSN Photos is the easiest way to share and print your photos: > http://photos.msn.com/support/worldwide.aspx > >
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 21:06:45 PST