Vulnerability Development: Re: CSS, CSS & let me give you some more CSS

Re: CSS, CSS & let me give you some more CSS

From: Sverre H. Huseby <shh_at_thathost.com>
Date: Fri, 1 Feb 2002 22:25:43 +0100

[E M]

| This brings me to the point that cookie based authentication is
| unsafe inherently and as far as I can tell not something that
| security minded developers would even consider.

Eh, you make me curious. What would a security minded developer of,
say, a discussion forum where client side certificates are not an
option use instead of cookies? I guess you won't say URL parameters,
so I am really curious.

My opinion is that the cookies are fine. It is the output of scripts
that needs addressing. A security minded developer would make a
framework that did not permit HTML (that is: washed, sanitized,
escaped, recoded, HTML encoded -- choose your favourite slang) tags
from any data, except from the templates of the pages.

Oh, well. Friday night, just upgraded from ancient glibc 2.1.94 to
2.2.5 and had a few beers to give me courage to do the upgrade, so my
opinions may not even be worth the usual two cents at the moment.

Sverre.

-- 
shh_at_thathost.com			Play my free Nerd Quiz at
http://shh.thathost.com/		http://nerdquiz.thathost.com/
Received on Feb 01 2002
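The rule stated in the message above (literal HTML tags come only from the page templates; every piece of data is HTML-encoded when it is written into the output) is the classic fix for the cookie-theft scenario the thread discusses. The following Python is an added illustration and is not code from the original thread or from any framework the posters used: the forum post template, the hostile post contents, and the helper names (render_unsafe, render_escaped, tag_count) are all constructed for this example.

```python
import html
import re

# Constructed sample input: a forum post submitted by a hostile user. The
# payloads are generic cross-site scripting probes that would read
# document.cookie; they are illustrative, not taken from the original thread.
HOSTILE_POST = {
    "author": '"><script>alert(document.cookie)</script>',
    "body": 'Nice forum. <img src=x onerror="alert(document.cookie)">',
}

# The page template is the only place literal HTML tags may come from.
# {placeholders} are filled with data, and data must never contribute tags.
# Note that {author} lands in two contexts: an attribute value and element text.
POST_TEMPLATE = (
    '<div class="post">\n'
    '  <a class="author" href="/user?name={author}">{author}</a>\n'
    '  <p>{body}</p>\n'
    '</div>'
)

TAG_RE = re.compile(r"<[^>]*>")


def tag_count(markup):
    """Count the HTML tags a browser would see in the rendered markup."""
    return len(TAG_RE.findall(markup))


def render_unsafe(template, data):
    """Naive rendering: data is substituted verbatim, so tags inside the data
    become real markup and the hostile author breaks out of the href attribute."""
    return template.format(**data)


def escape_html(value):
    """HTML-encode the characters that can change element or attribute context.
    quote=True makes html.escape cover &, <, >, " and ' so the value is inert
    both as element text and inside a quoted attribute."""
    return html.escape(str(value), quote=True)


def render_escaped(template, data):
    """Framework-style rendering: every substituted value is encoded, so the
    output contains exactly the tags of the template and nothing more."""
    return template.format(**{key: escape_html(val) for key, val in data.items()})


def data_adds_tags(template, data, renderer):
    """True if rendering with this renderer lets the data introduce tags that
    are not in the template. A correct framework returns False for any data."""
    return tag_count(renderer(template, data)) > tag_count(template)


def roundtrip_ok(value):
    """Encoding only changes how the text is written, not what the reader sees:
    decoding the encoded value gives the original text back unchanged."""
    return html.unescape(escape_html(value)) == value


if __name__ == "__main__":
    print("--- unsafe rendering ---")
    print(render_unsafe(POST_TEMPLATE, HOSTILE_POST))
    print("data added tags:", data_adds_tags(POST_TEMPLATE, HOSTILE_POST, render_unsafe))
    print("--- escaped rendering ---")
    print(render_escaped(POST_TEMPLATE, HOSTILE_POST))
    print("data added tags:", data_adds_tags(POST_TEMPLATE, HOSTILE_POST, render_escaped))
```

The encoding here is for the HTML element and attribute contexts only. A value that is written into a URL (as in the href above), into a JavaScript block, or into a CSS rule also needs the encoding for that context, applied before the HTML encoding, otherwise the same data can still change meaning there even though it no longer adds tags.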