isecpartners.com/tools.html. This tool analyzes a cookie's flags and properties,
as well as any site-specific items for common security misconfigurations.
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 175
2. Run SecureCookies by opening a Windows command prompt, changing to the
SecureCookies directory, and executing the program with the target web site as
an argument.
3. After SecureCookies has run, it will dump its results to an HTML file for review
in a web browser.
176 Hacking Exposed Web 2.0
Cookie Wrap-Up
Developers can be lulled into a false sense of security by using cookies that appear random
for session identification, when in reality it is trivial for an attacker to compromise
any user's cookie after a small amount of analysis. Additionally, a number of flags can be
appended to cookies to increase or decrease the security of the cookies an application
generates. Several freely available tools allow attackers to analyze the predictability of
session ID cookies, as well as automatically analyze a cookie's flags. Despite being unaffected
by the change from a Web 1.0 application to an AJAX application, cookies remain
a critical component of web application security.
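The two checks the wrap-up describes, flag auditing and session ID predictability, as an added Python example (not the SecureCookies tool's code and not from the book); the Set-Cookie headers and the sampled session IDs are constructed for the example:

```python
import math
from collections import Counter

# Constructed Set-Cookie headers standing in for a target site's responses
# (sample data for this example, not captured from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=3f9a7c1e5b2d4a6f8e0c1b3d5a7f9e2c; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/",
    "auth=0000000042; Path=/; Secure",
]
# Constructed session IDs collected across several logins; the values step by one.
SAMPLE_SESSION_IDS = ["1a2f", "1a30", "1a31", "1a32"]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def shannon_entropy(value):
    """Bits of entropy per character of a string (4.0 is the maximum for hex)."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def check_flags(header):
    """Return a list of flag misconfigurations for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag, cookie is sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag, cookie is readable by page script")
    if len(value) >= 8 and shannon_entropy(value) < 2.5:
        findings.append(f"{name}: low-entropy value, likely guessable")
    return findings

def looks_sequential(samples, base=16):
    """True when consecutive sampled IDs, read as integers, step by one small constant."""
    try:
        nums = [int(s, base) for s in samples]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(nums, nums[1:])}
    return len(deltas) == 1 and abs(deltas.pop()) < 2 ** 16
```

Run `check_flags` over each header and `looks_sequential` over IDs sampled across several logins; a sequential or low-entropy session ID is the predictability problem the wrap-up warns about, independent of which flags are set.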