[Zope-dev] Re: [patch] More secure cookie crumbler?

Tres Seaver tseaver at zope.com
Tue Apr 13 01:37:39 EDT 2004


Jamie Heilman wrote:
> Chris Withers wrote:
> 
>>The patch means that auth creds are never sent, only an auth token that's 
>>valid for 20 mins or so, or you could set it to less.
> 
> 
> The token *is* the cred in that scenario; you can't not send some form
> of credentials.
>  
> 
>>Can you explain the XSS risk when a client user is not permitted to write 
>>HTML content to be stored by the app?
>
> The malicious code doesn't have to be stored in the app being
> attacked.  Typically it's part of a URI pointing to the app to attack
> and includes the xss payload.  That URI however could be found any
> number of places... social engineering usually comes into play then to
> get the victim to click on it.  While it's typically easier to convince
> users to click a link if it comes from the same site it appears to be
> going to, (think about message board systems like slash where
> hyperlinks in comments are usually suffixed by [domain.com] to give
> the user the ability to avoid goatse and such) in the end, what
> dictates the likelihood of attack is the value of the service more
> than anything.  [Sadly this doesn't dictate the likelihood of XSS
> holes getting reported on security lists, where people frequently post
> about every silly little backwater application they can find.]

Yup.  I worry hard about XSS when it comes to my banking, my credit 
cards, my taxes;  I don't much care when it comes to a news site.

>>>restrictions, etc. but few people will go through the trouble, and I'd
>>>wager most people using the various cookie-based auth folder products
>>>don't even know the risks.
>>
>>This I'd agree with, but I find the argument "this car's brakes only let me 
>>stop in 1 mile, so there's no point in changing them so I can stop in 0.5 
>>miles" a poor one...
> 
> 
> Well, knock yourself out, I mean, clearly auth techniques based around
> cookies need a lot of additional protection.  Those same protections,
> if written modularly, can usually be used to bolster HTTP auth as
> well, so there's no harm in writing them.  It's convincing people to
> actually use the damned things that's the problem.

Right, mostly for the same reasons you point out above:  the perceived 
threat isn't enough to warrant the pain.

-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
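The mechanism the thread argues about (a cookie carrying a short-lived auth token instead of the user's credentials, valid for "20 mins or so") can be sketched as an HMAC-signed, expiring token. The code below is an added illustration written for this archive page; it is not the patch under discussion and not Zope's own CookieCrumbler code. The secret key and the lifetime are constructed for the example, the cookie name `__ac` and the helper names `issue_token`, `verify_token` and `auth_cookie_header` are assumptions of this example, and the `HttpOnly`/`Secure`/`SameSite` attributes are standard cookie attributes added here as the kind of "additional protection" the thread says cookie auth needs.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example. A real deployment loads the secret from
# configuration; the lifetime matches the "20 mins or so" from the thread.
SECRET_KEY = b"example-secret-do-not-reuse"
TOKEN_LIFETIME = 20 * 60  # seconds
COOKIE_NAME = "__ac"      # assumed cookie name for this example


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, keyed with the server secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Return a token for *username* that expires TOKEN_LIFETIME seconds from *now*.

    The cookie carries this token rather than the password, so a copied cookie
    is only usable until the expiry time embedded (and signed) in it.
    """
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_LIFETIME
    payload = f"{username}|{expires}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if *token* is intact and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        padded = body + "=" * (-len(body) % 4)
        payload = base64.urlsafe_b64decode(padded)
    except ValueError:          # malformed token (binascii.Error is a ValueError)
        return None
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        username, expires_text = payload.decode().rsplit("|", 1)
        expires = int(expires_text)
    except ValueError:
        return None
    if now >= expires:          # expired: the token is no longer a valid cred
        return None
    return username


def auth_cookie_header(token: str) -> str:
    """Set-Cookie value for the token.

    HttpOnly keeps page scripts from reading the cookie, which limits what a
    reflected XSS payload of the kind described above can exfiltrate; Secure
    keeps it off plain HTTP; Max-Age matches the token's own lifetime.
    """
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={TOKEN_LIFETIME}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    tok = issue_token("alice")
    print(auth_cookie_header(tok))
    print("verified as:", verify_token(tok))
```

Note what this does and does not buy, which is the point both sides of the thread make: the token is still a credential, so stealing it within its lifetime still works; the signature and expiry only bound the damage to that window, and `HttpOnly` only stops script from reading the cookie, not a script on the same origin from issuing requests that the browser will attach the cookie to.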
