[tahoe-dev] same origin

Chris Palmer chris at noncombatant.org
Fri Jul 30 16:59:04 UTC 2010


James A. Donald writes:

> >Presumably, but very often not in fact. In the Set-Cookie: header you can
> >specify a broader scope for cookies, and people often do.
> 
> But it would not help the attacker to set a broader scope.

Yes it would, and does. Here is the scenario:

When the user logs into super-important.example.com, the server issues a
cookie with domain=.example.com. That is, the cookie is broadly scoped.

Assume that users of super-important also use unsecurable-wiki.example.com.
The browser will send the super-important cookie in requests to
unsecurable-wiki, since unsecurable-wiki is in the cookie's scope.

If the attacker controls unsecurable-wiki, or can observe the HTTP payload
of traffic to it, the attacker can hijack the user's super-important
session.

This and other attack scenarios are discussed in greater depth in

https://www.isecpartners.com/files/web-session-management.pdf
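To make the scope argument above concrete, here is a small model of the browser's cookie-scoping decision (the RFC 6265 domain-match rule). This is an added example, not code from the original post or from Tahoe; the host names are the ones used in the message, the Set-Cookie values are constructed, and the Secure-flag case goes slightly beyond the thread to show the HTTP-observation half of the scenario.

```python
"""Model of the browser's cookie-scope decision (RFC 6265 domain matching).

Added example for this thread, not code from the original post. Host names
are the ones used in the message; the cookie store and matching logic are
constructed here to illustrate why a Domain=.example.com cookie is sent to
sibling hosts, and how a host-only cookie (and the Secure flag) narrow it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str           # effective domain, lowercase, no leading dot
    host_only: bool       # True when Set-Cookie carried no Domain attribute
    secure: bool = False  # True when Set-Cookie carried the Secure attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Build a Cookie from a Set-Cookie header value as a browser would.

    Without a Domain attribute the cookie is host-only and goes back only
    to request_host.  With Domain=, the cookie goes to that domain and every
    subdomain of it (RFC 6265 section 5.3, step 6).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host.lower()
    host_only = True
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain = val.strip().lower().lstrip(".")  # leading dot is ignored
            host_only = False
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, host_only, secure)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request_host is a subdomain."""
    request_host = request_host.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookies_sent(jar, request_host: str, scheme: str):
    """Return the names of the cookies a browser would attach to a request."""
    sent = []
    for c in jar:
        if c.host_only and request_host.lower() != c.domain:
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue  # Secure cookies never travel over plain HTTP
        sent.append(c.name)
    return sent


# Constructed cookies, each issued by super-important.example.com.
ORIGIN = "super-important.example.com"
BROAD = parse_set_cookie("session=abc123; Domain=.example.com", ORIGIN)
HOST_ONLY = parse_set_cookie("session=abc123", ORIGIN)
HOST_ONLY_SECURE = parse_set_cookie("session=abc123; Secure; HttpOnly", ORIGIN)


def leak_demo():
    """Which cookie configurations reach the sibling wiki host?"""
    wiki = "unsecurable-wiki.example.com"
    return {
        "broad_to_wiki_https": cookies_sent([BROAD], wiki, "https"),
        "broad_to_wiki_http": cookies_sent([BROAD], wiki, "http"),
        "host_only_to_wiki": cookies_sent([HOST_ONLY], wiki, "https"),
        "host_only_to_origin": cookies_sent([HOST_ONLY], ORIGIN, "https"),
        "secure_to_origin_http": cookies_sent([HOST_ONLY_SECURE], ORIGIN, "http"),
    }


if __name__ == "__main__":
    for case, names in leak_demo().items():
        print(f"{case}: {names}")
```

The broad cookie is attached to requests for unsecurable-wiki over both https and http, which is exactly the exposure the message describes; the same session cookie issued without a Domain attribute is host-only and never leaves super-important, and adding Secure keeps it off plaintext connections to the origin as well.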


