|
|
Posted by Ezra Nugroho on 07/08/05 20:02
I am just wondering, how could someone craft an html to steal cookies?
If your cookie distribution is done right, I don't think you need to
worry about this.
There are a gazillion of sites (CMS-based, wiki-based, etc, including
php.net) that allow users to contribute html. They are not concern about
security of data delivery.
I think, page breaking html is more prominent issue, which you could
eliminate with BBcode or wiki language.
Perhaps you are being a little paranoid?
Or do I miss something?
>
> Unless I'm really missing something important, for 'this' particular
> part of the application, any BBCode/Tag stripping/rewriting
> scheme would be useless since what they will be editing is the actual
> templates that make the page, therefore all tags
> would have to be allowed.
>
> It's not the legitimate user I'm worried about doing something wrong,
> it's that if it's possible for a legitimate user to do this,
> then some "Bad Guy" somewhere "may" be able to do this too.
>
> I've pretty much eliminated the possibility of someone using say cURL
> or some other mechanism to post information
> to the form processor directly. If they can guess two md5 hashes of two
> different random numbers that may or may not
> be set to allow the transaction as well as the ip/user agent associated
> with one of the numbers, then nothing I do will
> keep them out because they are GOD, or have a _lot_ of time on their
> hands. Plus, the clients account will have more than
> likely been shut down for going over their bandwidth quota from the
> attempts.
>
> [If I'm wrong in my assumptions here, someone please slap me in the
> head]
>
> What I'm worried about is someone grabbing a valid cookie id, and in
> the short time-span that it _is_ valid, being able to
> pull up the actual post form, which will then give them the second
> number and the ip/user agent, and "legitimately"
> posting malicious code. So yes, SSL is necessary at this point to try
> to keep that cookie secret. If it can, which is what
> I'm being paranoid about. This is a weak spot in the code "because" I
> have to trust that the user is who they say they
> are, all things considered. And at this point, I'm relying on SSL to be
> the security "rock" that plugs up this hole.
>
> Is SSL enough to keep the cookie safe?
>
> Is it absolutely stupid to allow this, even if there will only ever be
> one username/password combo that will be allowed
> to access this part? Other parts of the admin console will be open to
> other users though.
>
> The actual web site, ie the pages created and maintained by the
> application, is open to the public and there is no
> SSL there, no cookies or info other than the html request/response of a
> 'normal' site.
>
> Edward Vermillion
> evermillion@doggydoo.net
>
Navigation:
[Reply to this message]
|