[tahoe-dev] same origin
Chris Palmer
chris at noncombatant.org
Fri Jul 30 16:59:04 UTC 2010
James A. Donald writes:

> >Presumably, but very often not in fact. In the Set-Cookie: header you can
> >specify a broader scope for cookies, and people often do.
>
> But it would not help the attacker to set a broader scope.

Yes it would, and does. Here is the scenario:

When the user logs into super-important.example.com, the server issues a
cookie with domain=.example.com. That is, the cookie is broadly scoped.

Assume that users of super-important also use unsecurable-wiki.example.com.
The browser will send the super-important cookie in requests to
unsecurable-wiki, since unsecurable-wiki is in the cookie's scope.

If the attacker controls unsecurable-wiki, or can observe the HTTP payload
of traffic to it, the attacker can hijack the user's super-important
session.

This and other attack scenarios are discussed in greater depth in
https://www.isecpartners.com/files/web-session-management.pdf
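The scenario above, worked through in code. This is an added example, not code from the message or from the Tahoe project: it uses Python's standard-library cookie jar as a stand-in for the browser's cookie store, feeds it a constructed login response from super-important.example.com, and then asks which cookies the jar would attach to requests for sibling hosts. The cookie names and values, the /login and /wiki paths, and the two contrasting cookies (a host-only one and a Secure one) are assumptions introduced here to show the mitigations beside the broadly scoped cookie the thread describes.

```python
"""Which cookies does a browser attach to a request?

The stdlib CookieJar plays the browser. The login response from
super-important.example.com sets three cookies (constructed for this
example): one scoped to .example.com as in the thread, one host-only,
and one scoped to .example.com but marked Secure.
"""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response; the jar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._msg


# Constructed login response from https://super-important.example.com/login
# (cookie names, values and paths are assumptions for the example).
LOGIN_URL = "https://super-important.example.com/login"
SET_COOKIE_HEADERS = [
    # Broadly scoped, as in the thread: every host under example.com gets it.
    "sid_broad=s3cr3t; Domain=.example.com; Path=/",
    # Host-only (no Domain attribute): only super-important.example.com gets it.
    "sid_hostonly=h0st0nly; Path=/",
    # Broadly scoped but Secure: still leaks to sibling hosts over HTTPS,
    # but is not sent on a plaintext HTTP request a network observer can read.
    "sid_secure=sec; Domain=.example.com; Path=/; Secure",
]


def browser_after_login(set_cookie_headers=SET_COOKIE_HEADERS, login_url=LOGIN_URL):
    """Return a cookie jar holding whatever the login response set."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_headers),
                        urllib.request.Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the browser would send to url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def cookies_sent_to(url):
    """Sorted names of the cookies that leave the browser for url."""
    header = cookie_header_for(browser_after_login(), url) or ""
    return sorted(pair.split("=", 1)[0] for pair in header.split("; ") if pair)


if __name__ == "__main__":
    for url in ("https://super-important.example.com/",
                "https://unsecurable-wiki.example.com/wiki",
                "http://unsecurable-wiki.example.com/wiki",
                "https://other.example.org/"):
        print(f"{url:45} -> {cookies_sent_to(url)}")
```

Running it shows sid_broad (and sid_secure) going to unsecurable-wiki.example.com over HTTPS, which is the hijack path in the scenario: whoever controls that host receives the super-important session cookie. Over plain HTTP only sid_broad is sent, so an observer of the wiki traffic gets it as well; the Secure flag closes the observer case but not the sibling-host case. The host-only cookie never leaves super-important.example.com, which is the fix the thread is arguing for.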