The Dangers of Improper Cookie Use 191
shifted89 writes "Over the last year, the security community have exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous, if not more so than XSS attacks and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration."
Obligatory (Score:2, Informative)
cookies passed as plaintext (Score:3, Informative)
Maybe (Score:3, Informative)
Maybe that's because the dangers of cookies have been known for AGES?
Worse and worse (Score:4, Informative)
Cookie abuse reached new heights a few weeks ago when top sites in Google search results throw cookies on the search results page. So far it's not a guaranteded occurance, and only happens for the top search result. Still, it's jumping the gun.
I can't wait for the Mozilla devs to clean up their cookie code so that blocking cookies is as easy and configurable as blocking images. Even being able to prompt to block everything other than a session cookie would be a nice improvement.
Re:practical, perhaps? (Score:2, Informative)
Maybe you should learn about or change your browser.
Edit - Preferences - Privacy & Security - Cookies
Here Check 'Allow Cookies based on privacy settings' and 'Ask for each cookie'.
Also, for flash, google for flashblock. Nice plugin, disables all flash and replaces it with a 'play' button. You can then click on that button to show the flash.
Re:practical, perhaps? (Score:3, Informative)
Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated gifs are abused, so i turn animation off. Cookies are abused, so i reject any cookie that is not obviously necessary. Flash is useful, but no way to request that it does not start automatically, so either I don't install it or install a hack to block it. I don't even see the product that is being advertised.
Well just use Firefox with the Adblock and Flashblock extensions (ok addblock does not fix flash things, but once learned ignores most image advertizing.). Flashblock replaces any flash thing with a window frame with the same size but does not run the flash, and i think it does not even download it untill you bress the run button on the window frame.
In my opinion Addblock and Flashblock are the two most important reasons to use Firefox.
Yours Yazeran
Plan: To go to Mars one day with a hammer.
Re:Cookie on cookie misuse link (Score:4, Informative)
I can't believe how common that still mistake still is.
It's not like it's hard to use the following instead:
<a href="image.jpg" onclick="popup(this.href);return false;">link</a>...
Re:Worse and worse (Score:5, Informative)
More "Cookie Monster" Hysteria (Score:5, Informative)
FTFA:
That section about the "personal identification code" talk is very weaselly. It makes cookies sound like any website can read a cookie on your computer that's flagged as "owned" by that website at any time. Cyrus Peikari and Seth Fogie (article authors) leave out the important, necessary link: the DoubleClick cookie can be read only when your computer makes an outgoing HTTP connection to DoubleClick. Like when a DoubleClick banner ad is included in a Slashdot page's HTML. Which HTTP request includes a CGI param (REFERER) pointing to the Slashdot page from which the IMG tag instructed the computer to pull the DoubleClick banner image. That's how Doubleclick gets its cookie, and the context that you visited a Slashdot page.
DoubleClick cannot read its cookie any other time, when there's no HTTP connection from your computer to DoubleClick. Like all the rest of the pages on which DoubleClick has no banner or other "self-clicking" link. There are web bugs, invisible images tags embedded in other pages just to hit their server with the REFERER of the page triggering their bug, updating your computer's cookie with their counter (etc). But they cannot be read "at any time".
Besides, the cookie is a nonessential part of this snooping. DoubleClick doesn't need to keep its counter on your computer - the IMG hit can update its server-side counter DB. It can ID you, though not as precisely, by your IP# and other CGI parameters you send with every HTTP request. Or DoubleClick's deal with, say, Slashdot, is that Slashdot encode the DoubleClick banner IMG tags the Slashdot server sends you with its pages with a unique ID, like your Slashdot userid. ACs and public terminals mostly escape, but they're not really targets for these marketdroids.
And you can turn off cookies in any non-retarded browser, making them anonymous (encoded IMG URLs are much harder - see?). And you can inspect the cookies stored on your computer.
All these issues were discussed in great detail by the HTTP Working Group as we invented cookies, almost a decade ago. Some people were philosophically opposed to letting untrusted servers store any data on users' computers. Though every page, every image is stored on users' computers, after retrieval for presentation. And we realized that stopping cookies would mean only people with money to make "cross-site" deals and maintain large centralized databases would get the power to exploit cookies for tracking. So the cost would motivate more profit-exploitation of the tech. Ultimately only profiteers would track you, and there'd be plenty of them, without even the local control that cookies offer. And the entire Web would lose even voluntary easy tracking of intersession client state.
We decided to make cookies simple and use them. They're mostly harmless - a good balance with the huge benefit they deliver all day long in the Web Era. But I guess there's still profit to be made by scaring people on the Web, like the naive "technologists" to whom this InformIT article is directed, with incorrect cookie hysteria, and offers to help protect us.
That's the way the cookie crumbles.
Cookies (Score:5, Informative)
Yup, you heard it right. base64 decode your cookie, change a few values, stick it back in... Ta-da, you're an admin.
Improper cookie use can be a nasty, nasty thing. The worst part is that this problem was brought up to the lead developer, who had originally wrote this auth system, but... "Well, it is base64 encoded, noone will ever figure that out." Yeah, right.
Let's discuss something new (Score:4, Informative)
Re:Cookies? Javascript? Etc? (Score:1, Informative)
Fonts, font sizes, frames, and colors are all post-1991 innovations and would be invalidated by the GP's criteria.
Also, you seem to be missing a sense of humor. I recommend immediate surgery to remedy the problem.
Re:practical, perhaps? (Score:3, Informative)
Re:Cookies (Score:5, Informative)
If I see a nonsensical combination of upper and lower case letters, numbers, and punctuation, especially if it has one or two equal signs tacked onto the end, I immediately think "base64!".
Firefox allows base64 encoding for data: urls, and we can use this to make a quick-n-dirty base64 decoder. Just type data:text/plain;base64, (including the comma) into the address bar and paste the string on the end, and hit enter to see the decoded string (if it's plaintext).
Base64 is not encryption and it should not be used where encryption is needed (or in this case, a secure DATABASE). Base64 is a way to represent binary data in plaintext without having to worry about data corruption due to non-binary safe programs.
Re:practical, perhaps? (Score:3, Informative)
If you use NoScript (which you should to stop dangerous and irritating javascript code), you don't need Flashblock.