NYCPHP Meetup

[felix zaslavskiy]

On Fri, 31 Oct 2003 13:10:41 -0800 (PST)
Chris Shiflett <shiflett at php.net> wrote:

> --- felix zaslavskiy <felix at students.poly.edu> wrote:
> > I was not born under a rock and I can point to good example of
> > Fortune 100 companies totaly screwing up security in web
> > application. The Microsofts Hotmail password change feature comes
> > to mind.
> 
> I have never, and likely will never, point to Microsoft as an example
> to follow for software development, security-related or otherwise. I,
> too, was not born under a rock.
> 
> Someone mentioned observing phpBB for security-related strategies,
> and I pointed out the dangers in such and gave Yahoo and Amazon as
> alternatives. Your argument is that using SSL and asking for a
> password is all that these entities do, so it seems you think such
> observations are useless. I strongly disagree.
> 
> > I happen to be an amazon customer and I looked up the cookies they
> > left on my machine. There is 6 cookies 5 of which are id's and one
> > that has sort of redirect url. They dont disguise the meanings of
> > the cookie values for example one of 'order_cache_primed' and
> > another is 'sessionid'. I entered a restricted function like change
> > billing and i noticed that my session id has not changed from since
> > before.
> 
> Take those cookies, recreate them at a friend's house (within 10
> minutes if you like), and see if your friend gets access to your
> account as a result.
> 
> Let me know how that goes, and then tell me if it was SSL or asking
> for your password that prevented this.

Actualy I thought why should i not try exactly this after all it wont prove anything either way. I didnt need to go to a friends house i have more then one computer. I copied the .phonix/default/xyz/cookies.txt file to the other machine and whent to amazons webpage. It recognized me fine , I was able to view my shoping card and wish list. It did not let me go to 'change payment method' feature and asked me for my password although it filled in my current email i was using for the account which i though was odd since if attacker got a hold of my email he could try the forgot password feature and try to intercept my emails. Anyway I think the reason why just copying the disk stored cookies didnt work was because obviously amazon placed that information in a hidden field in one of the forms. This is well known techiniques and does not neccessarily add security because cookies can be stored in browser memory just as well.


> 
> Chris
> 
> =====
> My Blog
>      http://shiflett.org/
> HTTP Developer's Handbook
>      http://httphandbook.org/
> RAMP Training Courses
>      http://www.nyphp.org/ramp
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>