in reply to Re^8: Perl Sessions and Cookies - Cookie don't get passed
in thread Perl Sessions and Cookies - Cookie don't get passed
Webserver A presents the use with a form with post or get url located on a website it does not host.
The user fills in the form and submits it. Webserver B get's a request out of the blue for a URL that a Site B provided by Webserver B uses as a post or get url.
However the form given by Site B is different than the one given to the user by Webserver A. The code for Site B running on Webserver B checks the user's credentials. If not done correctly the form submission may pass allowing any content to be submitted by OPs on any other Webserver on the Internet, plus "file://" too.
The Nasty bit is that the Form from Webserver A can look like your typical user registration page, username and double password entries... Plus some hidden inputs the OP of Webserver A would like users to post to Webserver B, like a advertisement meant to be tweeted. If the user enters the same User/Password as they do for Twitter, then the OPs message will be tweeted... Accepting this Twitter is not so easily fooled.
Target Vector:
Site Cookies for auth. Cookies are passed to Site B, regardless of referral, at least they used to be.
Prevention:
Form generation includes a hidden input who's value the attacking OP would not know. Absence of this variable in any form submission can be denied.
This technique is so standard that there is a proper name given to a hidden input used in this manner and if memory serves even a TLA. Though I can't be expected to know everything.
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re^10: Perl Sessions and Cookies - Cookie don't get passed
by Anonymous Monk on Mar 09, 2015 at 21:11 UTC | |
by cheako (Beadle) on Mar 10, 2015 at 00:03 UTC | |
by Anonymous Monk on Mar 10, 2015 at 00:29 UTC |