WebApp Sec: Re: [WEB SECURITY] Fundamental error in Corsaire's paper?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: [WEB SECURITY] Fundamental error in Corsaire's paper?

From: Dan Kuykendall <dan () kuykendall org>
Date: Thu, 27 Apr 2006 14:27:17 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin O'Neal wrote:

I know I'm not the one you are asking, but I think setting 
the path is LESS secure. Not because of any technical reason, 
given the fact that its easily circumvented, but because of 
the false sense of security that gets placed by developers 
using the path.


Using the same logic though, one would be compelled to recommend not
using SSL; the false sense of security 9-out-of-10 cats preferred. :P

Martin...


But at least SSL is adding some layer of security, in that even if the
web app has holes, the transport is still being encrypted.

Using the path setting for the cookie offers no security, and should not
be considered part of the security design, whereas SSL does belong as
part of the security design.

Im not saying its bad to use the path, it has its purpose, such as
segmenting the cookies for the different apps using the same cookie
names, but it should not be considered part of the security design.

- --
Dan Kuykendall (aka Seek3r)
http://www.mightyseek.com

In God we trust, all others we virus scan.
Programmer - an organism that turns coffee into software.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEUTc1K8FkGutbdPMRAncOAKCXuVU72+3XRNIHGnOKXloyiqP6xwCfRkOS
lOPXG73N3qa28uRpwXozA/A=
=Uagi
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

By Date By Thread

Current thread:

RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 26)
- <Possible follow-ups>
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Dan Kuykendall (Apr 27)
  - WebScarab Fuzzer Jason Murray (Jun 09)
    - Re: WebScarab Fuzzer Vlad (Jun 11)
    - Re: WebScarab Fuzzer Rogan Dawes (Jun 11)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 27)