[nycphp-talk] Session Thoughts

Chris Shiflett shiflett at php.net
Fri Oct 31 17:44:16 EST 2003


--- felix zaslavskiy <felix at students.poly.edu> wrote:
> Actually I thought why should I not try exactly this, after all it
> won't prove anything either way. I didn't need to go to a friend's
> house, I have more than one computer. I copied the
> .phonix/default/xyz/cookies.txt file to the other machine and went
> to Amazon's webpage. It recognized me fine, I was able to view my
> shopping cart and wish list. It did not let me go to the 'change payment
> method' feature and asked me for my password, although it filled in
> my current email I was using for the account, which I thought was odd
> since if an attacker got a hold of my email he could try the forgot
> password feature and try to intercept my emails.

OK, so you at least realize that such an impersonation attempt does
not work, even in the hypothetical situation that *all* of the user's
cookies are compromised. This is the point I wanted to make with this
exercise.

As for the forgot password feature, I suspect that more is required
than an email address. Again, anytime you think you have discovered a
vulnerability, I urge you to try it. By discovering how sites like
Amazon prevent such attempts, you might come up with a few ideas of
your own. It is a very good practice.

> Anyway I think the reason why just copying the disk stored cookies
> didn't work was because obviously Amazon placed that information in
> a hidden field in one of the forms. This is a well-known technique
> and does not necessarily add security because cookies can be
> stored in browser memory just as well.

What you just said makes no sense, as hidden form fields and session
cookies are not directly related. However, this is not important.
What is important is:

1. You should not try to make assumptions about what Amazon is doing.
Rather, you should research what they are doing and find out for
certain. Making guesses does not help you in any way, and you are
probably wrong when you do so.

2. You now have expanded your list of security methods to using SSL,
asking for a password, and this weird session cookie/hidden form
thing you are trying to explain. I suggest to you that there are even
more methods and techniques being employed. In fact, there are many
more. Don't assume things are so simple until you understand what is
going on.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
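The behaviour the poster observed (a copied cookie still shows the cart, but 'change payment method' demands the password again) is the step-up, or re-authentication, pattern. Below is an added illustration of that server-side logic; it is not code from the thread or from Amazon, and the user store, session store, action names and five-minute re-auth window are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for the demo. A real application keeps these
# in a database and uses a slow password hash (bcrypt, argon2), not sha256.
USERS = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}
SESSIONS = {}            # session id (the cookie value) -> {"user", "reauth_at"}
REAUTH_WINDOW = 300      # seconds a fresh password check covers sensitive actions
SENSITIVE = {"change_payment", "change_email"}   # assumed action names


def verify_password(email, password):
    """Constant-time comparison against the stored digest."""
    stored = USERS.get(email)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


def login(email, password):
    """Full password check; returns the session id to set as the cookie."""
    if not verify_password(email, password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": email, "reauth_at": time.time()}
    return sid


def handle(sid, action, password=None, now=None):
    """Decide a request carrying session cookie `sid`.

    The cookie is a bearer token: the server cannot tell a copied cookie
    from the original, so low-risk actions (cart, wish list) are allowed on
    the cookie alone, while sensitive actions need a recent password check.
    Returns 'no-session', 'ok', 'password-required' or 'bad-password'.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return "no-session"
    if action not in SENSITIVE:
        return "ok"                      # cookie alone suffices
    if now - sess["reauth_at"] <= REAUTH_WINDOW:
        return "ok"                      # password was checked recently
    if password is None:
        return "password-required"       # what the poster saw on 'change payment'
    if not verify_password(sess["user"], password):
        return "bad-password"
    sess["reauth_at"] = now              # step-up succeeded, open the window
    return "ok"
```

The `now` parameter exists only so the re-auth window can be exercised deterministically; a production handler would read the clock itself.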
