|
Vulnerability Development
mailing list archives
Re: Cookies
From: George <georger () NLS NET>
Date: Sun, 6 Aug 2000 17:19:47 -0400
Yep, I thought about it some. Never did an experiments however.
I assume that it is illegal to break into someone else's Web server
in this way.
I would assume that if their webserver is requesting information stored on
my computer, it is their responsibility to verify that data, not mine?
The nickname I gave to the problem is "poison cookie".
Excellent name. One of the possibilities I'm currently looking at is if
someone were to write a program that goes thru their cookies and sets all
digits it finds to zero, could this cause a divide by zero type error back
at the server end. The other possibility we discussed was embedding odd
characters (ascii values or unicode) into the existing cookies and what
possible problems that might cause for a cookie parser.
I guess there is a third possibility as well, if a cookie is say 200 bytes
long, lenghtening it to 20,000 bytes could possibly cause a problem.
Geo.
 By Date 
By Thread
Current thread:
Re: Cookies Ryan Permeh (Aug 07)
Re: Cookies Richard M. Smith (Aug 07)
- Re: Cookies George (Aug 07)
Re: Cookies Crispin Cowan (Aug 07)
Re: Cookies netsec [davidv] (Aug 08)
| 
Intro
