
Wednesday, August 20, 2008

Are Your Web Application Cookies Secure?

Security UPDATE
A Penton Media Property
August 20, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306286-0-0-0-1-2-207

----------------------------------------
ADVERTISEMENT
Windows IT Pro

Virtualization Management - September 3, 2008, 12:00 PM EDT

Learn about the challenges of managing in mixed physical and virtual
environments. Join Michael Otey for this live web seminar where you'll
learn about some of the driving forces behind server virtualization in
the IT industry today and the important business problems and pain
points that it can solve.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306287-0-0-0-1-2-207
----------------------------------------

IN FOCUS

--Are Your Web Application Cookies Secure?
by Mark Joseph Edwards, News Editor
Most of you probably manage various web applications that use cookies
and possibly SSL to provide security for connectivity. If so, you need
to know how your applications handle any cookies that are set during an
SSL connection. If you haven't secured the cookies, your entire
application could be vulnerable to session hijacking attacks.

When a web application sets a cookie, at least a few parameters are
required, including a path relative to the website, the site domain
name, and an expiration date. Other parameters can be provided,
including a 'secure' flag that defines whether the cookie should be sent
only over SSL connections. If that flag isn't set, then a browser could
be tricked into sending the cookie over a regular clear-text HTTP
connection, at which point anyone sniffing network traffic might be able
to harvest the cookie and use it however they see fit. That's exactly
the type of attack outlined by Sandro Gauci of EnableSecurity in his
Surf Jacking paper, available at the URL below.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306288-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306289-0-0-0-1-2-207 )

In a nutshell, an attacker scenario works like this: A user opens
website "ABC" in a browser window and logs in over an SSL session.
Website ABC sets a session cookie without the secure flag set. The user
then opens a new browser window and goes to website "XYZ." Website XYZ
sends a redirect message telling the browser to go back to Website ABC,
but instead of instructing the browser to connect using HTTPS the
redirect instructs the browser to use regular HTTP. When the browser
connects to site ABC using HTTP, it sends its session cookie. An
attacker sniffing traffic grabs the cookie, adds it to his or her own
browser, and is then able to connect to site ABC posing as the
legitimate user. That's obviously not good.
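To see the scenario above in working code, here is an added example that is not part of the newsletter and not Gauci's script. It uses Python's standard-library cookie jar, which applies the same Secure-flag rule a browser does, to show which cookies a client would attach to the plain-HTTP request that follows the redirect. The hostname abc.example, the URLs and the cookie values are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed placeholder hostname standing in for "website ABC" in the scenario.
SITE = "abc.example"


class _LoginResponse:
    """Minimal stand-in for an HTTP response object: CookieJar.extract_cookies
    only needs an info() method returning an email.message.Message of headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            # Item assignment appends, so several Set-Cookie headers are all kept.
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_headers, follow_up_url):
    """Store the cookies from a simulated HTTPS login response in a standard
    cookie jar, then return the Cookie header the jar would attach to
    follow_up_url (None when nothing would be sent). The jar's default policy
    releases a Secure cookie only when the request scheme is https."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_LoginResponse(set_cookie_headers), login_request)

    follow_up = urllib.request.Request(follow_up_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def surf_jack_exposure(set_cookie_header):
    """True when the session cookie described by set_cookie_header would be
    sent in clear text after a redirect to the plain-HTTP version of the site,
    which is the condition the attack in the article relies on."""
    return cookie_header_for([set_cookie_header], f"http://{SITE}/") is not None


if __name__ == "__main__":
    for header in ("session=abc123; Path=/", "session=abc123; Path=/; Secure"):
        print(f"{header!r}: sent over plain HTTP -> {surf_jack_exposure(header)}")
```

Running the script prints True for the cookie set without the flag and False for the one with it; the third assertion-style check worth making is that the Secure cookie is still sent on an https request, so the flag costs nothing for the SSL part of the application.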

One might think that surely major web service providers have taken steps
to prevent such an attack, but as it turns out that's not the case
across the board. According to Gauci, several sites were vulnerable to
the attack at the time he published his paper. Those sites included
Google Gmail, Salesforce.com, Skype, GoDaddy, a couple of unnamed banks,
and one online bookstore. Wow.

Gauci developed some example code, written in the Python scripting
language, that you can download and try out for yourself. The script
works over wired and wireless networks. You can get a copy of the script
at the URL below.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306290-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306291-0-0-0-1-2-207 )

So how do you determine whether the code in your web applications sets
the secure flag for cookies? One way is to somehow examine the source
code, depending on what tools you have available. What you need to look
for depends on the programming language. If your code is written in PHP,
look for instances of the session_set_cookie_params() function, which
might look something like the following example (the fourth argument is the
boolean $secure parameter, so pass true rather than a string):

session_set_cookie_params(0, $cookie_path, $cookie_domain, true); // true = send the cookie only over HTTPS

You can find more info about that particular PHP function at the URL
below.
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306292-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306293-0-0-0-1-2-207 )

For JavaScript, look for instances of the cookie object, which might
appear in relation to the document object, similar to this:

document.cookie = "name=value; expires=date; path=path; domain=domain; secure";

Mozilla's developer website, at the URL below, has useful documentation
regarding the cookie object.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306294-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306295-0-0-0-1-2-207)

And, if your applications are written in Visual Basic (VB), C#, C++, J#,
or JScript, head over to Microsoft's website at the URL below, where
you'll find cookie-related examples for all of those languages.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306296-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306297-0-0-0-1-2-207)
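Besides reading the source, you can check what the deployed application actually sends. The following Python script is an added example, not code from the newsletter or from any of the vendors linked above: it parses Set-Cookie headers and lists the cookies that were set without the Secure attribute. The sample headers and the hostname abc.example are constructed, and audit_live is an assumed helper that fetches a real HTTPS response with urllib.

```python
import urllib.request

# Constructed sample Set-Cookie headers, as a server might return them in the
# response to a login over HTTPS. Only "csrf" carries the Secure attribute.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Domain=abc.example; Expires=Wed, 20 Aug 2008 23:59:59 GMT",
    "prefs=dark; Path=/",
    "csrf=9f2e7a; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes). Attribute
    names are lower-cased; flag attributes such as Secure map to True, valued
    ones (Path, Domain, Expires) to their string value. Splitting on ';' is
    safe because the Expires date uses commas, not semicolons."""
    parts = [part.strip() for part in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Names of the cookies that a browser would also send over plain HTTP,
    i.e. those set without the Secure attribute."""
    return [name for name, _, attrs in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in attrs]


def audit_live(request):
    """Assumed helper (network call, not exercised by the tests): send a
    urllib.request.Request over HTTPS and audit the Set-Cookie headers of the
    response. Many applications only set the session cookie after a successful
    login, so build the request that produces the cookie you care about."""
    if request.type != "https":
        raise ValueError("audit the HTTPS endpoint; a cookie set over HTTP is already exposed")
    with urllib.request.urlopen(request) as response:
        headers = response.headers.get_all("Set-Cookie") or []
    return cookies_missing_secure(headers)


if __name__ == "__main__":
    missing = cookies_missing_secure(SAMPLE_SET_COOKIE_HEADERS)
    print("cookies set without Secure:", ", ".join(missing) or "none")
```

On the sample data the script reports session and prefs. The sample also shows the HttpOnly attribute, which the article does not cover; it is a separate control (it keeps script on the page from reading the cookie) and does not substitute for Secure.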

----------------------------------------
ADVERTISEMENT
Windows IT Pro

Introduction to Identity Lifecycle Manager "2"

Take a closer look at Microsoft Identity Lifecycle Manager (ILM) "2".
ILM "2" helps you manage identities through a set of policies across
heterogeneous environments. This web seminar will give you an overview
of the features and benefits of ILM "2", a walk-through demonstration
including real-world examples, and access to the trial of ILM "2". Learn
how to dramatically change your identity management processes and get
your free trial ILM "2".

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306298-0-0-0-1-2-207
----------------------------------------


SECURITY NEWS AND FEATURES

--Gmail, Yahoo, and Hotmail Routinely Abused by Spammers
According to Commtouch Software, an average of about 10 million zombie
computers are sending an average of 3 million messages every day. Many
of those messages are sent through the top three web-based mail
services.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306299-0-0-0-1-2-207

--Thieves Gaming the Gamers
As the world of PC gaming continues to expand, so does the spread of
malware designed to steal online game credentials from less-than-savvy
PC users.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306300-0-0-0-1-2-207

--Turn Digital Objects Into Passwords
At the recent USENIX conference, two researchers presented a new way to
generate high entropy passwords using common objects, such as text and
images. The technique might be useful when passwords need to be shared.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306301-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306302-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306303-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Researcher Says DNS Still Vulnerable
by Mark Joseph Edwards
Even with the latest patches, BIND is still vulnerable to DNS cache
poisoning attacks. But so far it looks like this isn't nearly as bad as
the previous cache poisoning situation.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306304-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306305-0-0-0-1-2-207)

--FAQ: How To Unlock User Accounts on Remote Domain Controllers
by John Savill
Q. My remote-location read-only domain controller (RODC) lost
connectivity with the data center and the read-write domain controllers
(DCs). A user incorrectly entered his password too many times, so the
RODC locked his account, and I can't unlock it. Why?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306306-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306307-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions.
Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


RESOURCES AND EVENTS

Cross-Platform SOA Performance Management

Live Web Seminar on September 9, 2008, 12:00 PM EDT. Quit working
double-time--focus on a common tool that works across platforms. A
common problem with the sophisticated tools that monitor
service-oriented architecture (SOA) end-user transactions is the lack of
visibility to the entire transaction path and supporting infrastructure.
A further complication is the likelihood that some element of any given
transaction will cross platform boundaries involving both .NET and J2EE
resources. Join Mel Beckman for this live web seminar as he discusses
the value of a single solution that works for both platforms.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306308-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306309-0-0-0-1-2-207)

Microsoft TechEd EMEA 2008 Developers

Learn through hands-on experience with the newest and coolest
development tools and acquire the skills you need to build more
streamlined, scalable, and secure applications during Microsoft TechEd
EMEA 2008 Developers on November 10-14, 2008, in Barcelona, Spain.
Register before September 26, 2008, to save 300 euros.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306310-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306311-0-0-0-1-2-207)

Build a Strong, Feature-Rich SharePoint Farm

This fall industry experts will present best practices regarding
infrastructure, design, forms configurations, and redundancy. You'll get
helpful tips on the critical and often overlooked considerations in
setting up your SharePoint architecture. Join SharePoint experts Wendy
Henry and Michael Noel for this information-packed technical training in
8 U.S. cities (see website for details). Register by August 29th to save
$100 off the price at the door.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306312-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306313-0-0-0-1-2-207)


FEATURED WHITE PAPER

A Guide to Understanding Messaging Archiving

Are you ready to provide court ordered information if necessary? There
are a variety of reasons to deploy message archiving, any one of which
can often justify the entire cost of the archiving capability. This
white paper discusses several reasons to implement a message archive,
provides an overview of 10 vendors whose offerings are focused squarely
on the archiving space, and covers important factors to consider when
selecting an archiving system.

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306314-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306315-0-0-0-1-2-207)


ANNOUNCEMENTS

Master SharePoint with 3 eLearning Seminars--hosted by Windows IT Pro

Join MVPs Dan Holme and Michael Noel to learn how to build a better
SharePoint infrastructure and enable powerful collaboration. On October
1, 2008, at 11:00 AM EDT, direct from your computer, these SharePoint
gurus will guide you through three info-packed sessions: 21st Century
File Sharing: Configuring & Managing Document Libraries; Building
Code-Free SharePoint Applications and Business Intelligence Lite; and
Forms-Based Authentication and Extranet Deployment Options for
SharePoint 2007. All for only $99! Seats are limited to allow for lots
of live Q&A at the end. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306316-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306317-0-0-0-1-2-207)

Know a Developer?

Pass on the SharePoint Mastery series, built especially for developers,
with speaker and Microsoft MVP Andrew Connell!

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306318-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306319-0-0-0-1-2-207)

Access All Our Security Resources!

With the online VIP Monthly Pass, you can have all the security
solutions in Windows IT Pro and SQL Server Magazine right at your
fingertips, PLUS VIP-only content on hot topics such as Vista,
SharePoint, and more. You'll also receive a full digital copy of the
latest issue of Windows IT Pro!

http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306320-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306321-0-0-0-1-2-207)


CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306322-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306323-0-0-0-1-2-207

You are subscribed to this newsletter as boy.blogger@gmail.com

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306324-0-0-0-1-2-207.

To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306325-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=12548

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306326-0-0-0-1-2-207
About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://ct.email.windowsitpro.com/rd/cts?d=33-12548-803-202-62923-1306327-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
