[Zope-dev] [patch] More secure cookie crumbler?

Jamie Heilman jamie at audible.transient.net
Mon Apr 12 18:25:29 EDT 2004


Chris Withers wrote:
> 
> The patch means that auth creds are never sent, only an auth token that's 
> valid for 20 mins or so, or you could set it to less.

The token *is* the cred in that scenario; you can't not send some form
of credentials.
 
> Can you explain the XSS risk when a client user is not permitted to write 
> HTML content to be stored by the app?

The malicious code doesn't have to be stored in the app being
attacked.  Typically it's part of a URI pointing to the app to attack
and includes the XSS payload.  That URI however could be found any
number of places... social engineering usually comes into play then to
get the victim to click on it.  While it's typically easier to convince
users to click a link if it comes from the same site it appears to be
going to (think about message board systems like slash where
hyperlinks in comments are usually suffixed by [domain.com] to give
the user the ability to avoid goatse and such), in the end, what
dictates the likelihood of attack is the value of the service more
than anything.  [Sadly this doesn't dictate the likelihood of XSS
holes getting reported on security lists, where people frequently post
about every silly little backwater application they can find.]

> >restrictions, etc. but few people will go through the trouble, and I'd
> >wager most people using the various cookie-based auth folder products
> >don't even know the risks.
> 
> This I'd agree with, but I find the argument "this car's brakes only let me 
> stop in 1 mile, so there's no point in changing them so I can stop in 0.5 
> miles" a poor one...

Well, knock yourself out, I mean, clearly auth techniques based around
cookies need a lot of additional protection.  Those same protections,
if written modularly, can usually be used to bolster HTTP auth as
well, so there's no harm in writing them.  It's convincing people to
actually use the damned things that's the problem.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly,
 she's not for you." She was cheap, she was stupid and she wouldn't
 load -- well, not for me, anyway."                     -Holly