New "Active Cookies" technology

Discussion in 'other security issues & news' started by Rasheed187, Feb 18, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  2. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    And what about all those postings about cookies being harmless and people here and other security forums basically ridiculing those that post asking questions about cookies. Ehhh

    If a cookie can be encoded to offer any type of protection then it can be encoded for malicious purposes as well.

    I mean just because it is text means nothing, BASIC was a text-based coding system and some early viruses were written in BASIC text.
    Text is cumbersome but still executable.

    Try looking at a cookie on your system, see the windows warning; open it anyhow and you will see most are encrypted. That's supposed to be plain text?
     
  3. GUI_Tex

    GUI_Tex Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    189
    most are encrypted.. but some cookies look like this inside..
    Code:
    TID
    33526i710qem1v
    trb.com/
    1024
    3233646976
    29748919
    4002088704
    29676501
    *
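The record above matches the per-cookie text file layout used by Internet Explorer of that era: name, value, domain and path, flags, then expiry and creation times as two 32-bit halves of a Windows FILETIME each, ending with `*`. The parser below is an added example, not part of the original thread, and that field interpretation is an assumption; it shows the file holds only inert data and timestamps.

```python
from datetime import datetime, timedelta, timezone

# The record posted above, copied verbatim.
SAMPLE = "TID\n33526i710qem1v\ntrb.com/\n1024\n3233646976\n29748919\n4002088704\n29676501\n*\n"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(low: str, high: str) -> datetime:
    """Join two 32-bit halves into a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text: str) -> list:
    """Split the file into '*'-terminated records of eight text fields each."""
    records, fields = [], []
    for line in text.splitlines():
        line = line.strip()
        if line != "*":
            fields.append(line)
            continue
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields before '*', got {len(fields)}")
        name, value, scope, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
        records.append({
            "name": name,
            "value": value,      # opaque to the browser; only the server interprets it
            "scope": scope,      # domain and path the cookie is sent back to
            "flags": int(flags),  # kept as a number; bit meanings are not decoded here
            "expires": filetime(exp_lo, exp_hi),
            "created": filetime(cre_lo, cre_hi),
        })
        fields = []
    if fields:
        raise ValueError("truncated record: missing '*' terminator")
    return records


def is_live(record: dict, now: datetime) -> bool:
    """True while the stored cookie has not yet reached its expiry time."""
    return record["expires"] > now


if __name__ == "__main__":
    for rec in parse_cookie_file(SAMPLE):
        print(rec["name"], rec["scope"], rec["created"].isoformat(), rec["expires"].isoformat())
```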
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I've seen several articles about cookie abuses related to exploits recently, even though they are nothing to be concerned about, so we've always been told !

    The funny thing about that link is down the page it says this.

    "You need to have JavaScript and cookies enabled to use all the features of this website."


    StevieO
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Encrypted text is still "plain text", as they're stored and treated as such by the local application: they're not executed or interpreted as anything else than text. If what they contain is encrypted information (it can be) it is the remote server that decrypts it, not the local application.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  7. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    At this late date......after so much evidence has been presented that Cookie exploits do exist......and are a serious danger...........how could anyone.....,anywhere intelligently claim that Cookies are totally harmless......it's just not possible !

    Who would most benefit from convincing the public that Cookies are harmless........who would most benefit from “shouting down” persons asking about dangerous Cookie Exploits.......why, after evidence has been presented to the contrary...would anyone dare say that Cookies are harmless.....is it due to being ignorant.....inexperienced...........


    *** for obvious reasons total explanation of this Cookie exploit won't be present in order to keep it from being widely used** see below:



    "Can you show me what ( SNIPPED OUT) cookie theft looks like?"


    Depending on the particular web application some of the variables and positioning of the injections may need to be adjusted. Keep in mind the following is a simple example of an attacker's methodology. In our example we will exploit a (snip) hole in a perimeter of "(snip)" called "variable" via a normal request. This is the most common type of (snip) hole that exists.





    Step 1: Targeting

    After you have found an (snip) hole in a web application on a website, check to see if it issues cookies. If any part of the website uses cookies, then it is possible to steal them from its users.




    *** will not present any further detail on this subject........it can happen **

    __________________________________________________________________________________



    Even Webmasters can be harmed by Cookie Exploits.......but the person most harmed is the Public.....who after an exploit such as the one mentioned above.. is sent to a phony website where the person may reveal their credit card number........bank account number and password......etc...............


    Maybe it's time for YOU..to ask about Cookie Exploits........don’t fear the ignorant who want to convince you how safe and harmless Cookies are........never fear ignorance.............never fear “Mob Rule”......or the “Groupies” playing follow the leader.........dare to be yourself....were you even aware of Cookie Theft ?


    In this case it's a Hacker exploiting a website that uses Cookies.....it's Not the Cookie being exploited........but once the Hacker has led you to another website........guess what happens. If the website did not use Stored Cookies...there would be no such exploit.
     
  8. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Folks you will have to excuse me now........there has been enough said on Cookie Exploits to convince anyone who needed convincing.........the evidence presented by experts can not be shouted down......if there is a non-believer in Cookie Exploits...that person should present himself to the experts and dispute their findings properly............otherwise it's just "blowing in the wind"
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... yes, but cookies are used for authentication on pretty much every website in existence, and the alternatives at this moment are NOT out there (especially for man-in-the-middle attacks).
     
  10. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    TNT

    For many years I have traded Stock on the internet.......and for just as many years I have dealt with private government websites.....NOT ONE OF THOSE WEBSITES USED STORED COOKIES...........session cookies always have been more than ample to do the job...........in fact, it would be considered highly insecure for those websites to use Tracking Stored Cookies...............STORED COOKIES ARE NOT NEEDED>>>>JUST THAT SIMPLE !
     
  11. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Perhaps another means of offering the public protection would be to have Browsers use something along the lines of CookieMuncher.....which "eats" the Cookie but allows both the User and the website to use stored cookies.......there are answers....
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... session cookies are still stored on the client as text, only they expire once you shut down the browser (or after a few minutes if you don't do anything on the site... i.e., if you don't browse through the pages). The difference here is between persistent cookies and "one session"-only cookies. Session cookie authentication is still COMPLETELY vulnerable to man-in-the-middle attacks, session hijacking attacks (i.e. if the web application is vulnerable to cross-site scripting), "pharming" attacks, and doesn't offer any protection against phishing whatsoever. True, I never myself store any persistent cookie either, but it's not like cookies that expire at the end of the session offer much security either.
     
    Last edited: Feb 18, 2006
  13. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    For The Record



    I am not particularly against Cookies.....it's Exploitation that I am opposed to...........and like it or not....there is not one serious-minded person in the security community that can deny that cookies have not been used to exploit.......be it to gather information on internet users for later re-sale, or for hacking purposes.....cookies are exploited..........computer security is computer security.........if there is a hole in Java it's fixed....if there is a means of exploiting Firefox it's fixed.......so fix the cookies to prevent exploitation of them.......isn't that the real issue ?
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... session cookies expire once you shut down the browser (or after a few minutes if you don't do anything on the site... i.e., if you don't browse through the pages) instead of being kept for a long time, that's the only difference between persistent cookies and "one session"-only cookies. Session cookie authentication is still COMPLETELY vulnerable to man-in-the-middle attacks, session hijacking attacks (i.e. if the web application is vulnerable to cross-site scripting), "pharming" attacks, and doesn't offer any protection against phishing whatsoever. True, I never myself store any persistent cookie either, but it's not like cookies that expire at the end of the session offer much security either.

    EDIT: I previously said "session cookies are text files", but this is not true, what I meant is that they're text (they're stored in temporary memory). However, they have many of the problems that permanent cookies have, i.e. session hijacking is still possible and quite common.
     
    Last edited: Feb 18, 2006
  15. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    There are numerous programs that will wipe session cookies in a matter of set times......giving much less of an opportunity for exploitation.....nor will a session cookie..once removed...have the ability to direct a user to another website an hour after the session cookie is gone...........time....the factor of time limits do play into this.
     
  16. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    TNT

    Have known you a long time........if you want to be an advocate of the use of Stored Cookies I certainly will not cause bad feeling between us over this issue...........so, please do as you feel comfortable with......be it using stored cookies or not using stored cookies


    This was my last reply on this subject......wishing you well.

    Snowie The Snowman
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There is no need to wipe session cookies, as they expire by themselves (usually the session lifetime is just 15-30 minutes), and cleaning the cookies won't protect you at all if the web application is vulnerable to cross-site scripting and the session has been hijacked: the attacker will still be logged even if you delete your cookies.

    I do a check on the hash of "session cookie + client's IP" for the sites I developed (unless the user chooses to be logged permanently, in which case the IP can't be part of the hash for obvious reasons): that covers, in part, the problem of possible cross-site scripting (of course, all checks to prevent it are done at application level, the session+IP hashing is just an extra measure in case bugs slipped in). BUT, it can't do anything for traffic that's sniffed in a LAN behind a router (as the remote application will always "see" the same IP even though the clients are different), and it can't do absolutely anything for man-in-the-middle attacks.
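
A sketch of the session-plus-IP check described in the post above, added here as an example and not TNT's actual code. It assumes a keyed HMAC-SHA256 in place of the plain hash mentioned, a hypothetical in-memory `store`, and documentation-range IP addresses; the last two cases reproduce the limits the post names (clients sharing one NAT address, and permanent logins that skip the IP).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, client_ip: Optional[str]) -> str:
    # Permanent logins pass None, so the IP is left out of the hashed material.
    material = session_id if client_ip is None else f"{session_id}|{client_ip}"
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


def issue_session(client_ip: str, persistent: bool = False) -> dict:
    """Create a server-side session record; only 'sid' goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    return {"sid": sid, "persistent": persistent,
            "tag": _tag(sid, None if persistent else client_ip)}


def check_request(store: dict, cookie_sid: str, request_ip: str) -> bool:
    """Recompute the tag from the presented cookie and the connection's IP."""
    record = store.get(cookie_sid)
    if record is None:
        return False
    expected = _tag(cookie_sid, None if record["persistent"] else request_ip)
    return hmac.compare_digest(expected, record["tag"])


def demo() -> dict:
    store = {}
    bound = issue_session("203.0.113.10")
    permanent = issue_session("203.0.113.10", persistent=True)
    store[bound["sid"]] = bound
    store[permanent["sid"]] = permanent
    return {
        "owner_same_ip": check_request(store, bound["sid"], "203.0.113.10"),
        # A copied cookie replayed from elsewhere fails the check.
        "copied_other_ip": check_request(store, bound["sid"], "198.51.100.7"),
        # Another client behind the same router shows the same IP and passes.
        "copied_same_nat": check_request(store, bound["sid"], "203.0.113.10"),
        # Permanent logins are not IP-bound, so a copied cookie passes anywhere.
        "permanent_other_ip": check_request(store, permanent["sid"], "198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```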
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... I'm not arguing or anything. In fact, I agree with you for some part. I just don't think that cookies are much of an authentication mechanism whether they're permanent or not.
     
  19. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    TNT


    Responding as a matter of politeness..........


    What you posted in regard to session cookies is in fact true......they are open to CSS as well unfortunately.......

    So, in your opinion what part does Script play in this exploit......javascript FE:..................

    I would also agree with your statement that cookies are not much of an authentication mechanism .

    we are in agreement for the most part.......and perhaps you may also agree that there are some truly awful webmasters out there that could not set up a safe website or even care if their website is safe.......so ok.....what's the answer to Cookie exploits........the man-in-middle exploit is preventable...is that not correct............and which is more exploitable..a stored cookie or a session cookie......given both are exploitable.....and only time limits separate the two...............

    and once again I must ask.....can cookies ever be made safe ? asking this question mainly in response to your own statement that cookies are not much of an authentication mechanism (which I agree with )
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, cross-site scripting needs client-side scripting language to work. So yes, it won't work if you don't have JavaScript enabled (but it won't work either if the web site you're logged on is implemented in a proper way; too bad many sites are not implemented properly).

    So true...

    Err... I don't think it's possible to prevent man-in-the-middle attacks with any cookie authentication mechanism. In fact, it's not possible. You need much stronger authentication (such as ssh or similar) for that (and even then, everything is susceptible to traffic disruption and other annoyances). A tool like Odysseus can show you just how much a man-in-the-middle attack would be able to do.
     
    Last edited: Feb 18, 2006
  21. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    TNT


    Much thanks for the reply.......a lot has come out of our little discussion.......and have appreciated your time in this matter.

    It's sad that there are such exploits out there ......but with so much money being stolen..the exploits will not stop anytime soon..........

    Am still wondering why browsers like Firefox or Opera have not implemented something like cookiemuncher into their browsers......it may not totally prevent exploits but would be something....

    Have A good Night

    Snowie
     