For example, consider the case where a server is running multiple applications,
such as a store at www.example.com/store/ and a forum for customers at
www.example.com/forum/. If the Path property is not set to www.example.com/store/,
an attacker could perform an XSS attack via www.example.com/forum/ and still access
cookies set by www.example.com/store/. Unfortunately, there are ways to circumvent
the Path property. See Chapter 2 for details.
Site-Specific Items
Numerous custom items can be added to an application's cookies on a site-by-site basis.
While added items generally do not impact the security of the application, attackers can
examine each item in a cookie for a potential security impact. Developers have been
known to include items in cookies that have compromised the security of the entire
application; for example, a cookie containing the item isAdmin=false. If an attacker
set the item to isAdmin=true in a cookie, the attacker would obtain administrator
access to the system.
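As an added example (not from the book), the cookie-trust pattern described above in Python: a handler that trusts the client's isAdmin item as-is, beside one that only honours a role value carrying a valid server-side HMAC, so a value edited by the client is rejected. The secret, cookie names and role values are constructed for this example; a server-side session store keyed by an opaque session id is the other common fix.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for the example; a real deployment loads this from a secrets store.
SECRET = b"example-only-secret-do-not-use"


def vulnerable_is_admin(cookie_header: str) -> bool:
    """Trusts the client-supplied isAdmin item directly (the pattern described above)."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    return "isAdmin" in cookies and cookies["isAdmin"].value == "true"


def sign(value: str) -> str:
    """Return value + '.' + base64url(HMAC-SHA256(secret, value))."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify(signed: str):
    """Return the signed value if its tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep or not value:
        return None  # no tag at all: never trust an unsigned value
    # Recompute and compare in constant time; any edit to value or tag fails here.
    return value if hmac.compare_digest(sign(value), signed) else None


def hardened_is_admin(cookie_header: str) -> bool:
    """Only honours a role item whose HMAC tag the server itself produced."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if "role" not in cookies:
        return False
    return verify(cookies["role"].value) == "admin"


if __name__ == "__main__":
    # Constructed requests: a legitimate user cookie and the same cookie edited by the client.
    issued = "role=" + sign("user")
    edited = "role=admin" + issued[len("role=user"):]  # value changed, tag left as issued
    print("vulnerable, tampered isAdmin=true ->", vulnerable_is_admin("isAdmin=true"))
    print("hardened, issued cookie          ->", hardened_is_admin(issued))
    print("hardened, edited cookie          ->", hardened_is_admin(edited))
```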
Example
The following example shows how to use the iSEC Partners SecureCookies tool to
analyze the security options used in cookies generated by a target web application.
1. Install the iSEC Partners SecureCookies tool available for free at www
.