lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <44899F1B.11633.1A9489E@localhost>
Date: Fri Jun  9 15:14:36 2006
From: aksecurity at hotpop.com (Amit Klein (AKsecurity))
Subject: Re: SSL VPNs and security

On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or configuration is required, and hence, corporate
> users can use pretty much any computer they can put their hands on.


> 
>   - Application cookies set by other applications. If passed to the
>     browser (as some SSL VPNs do), these cookies are separated by the use
>     of "path" parameter alone, which does not necessarily establish a
>     browser security domain boundary. This is equivalent to the attacker
>     obtaining user credentials to these applications.
> 

Yes, the path field (in Set-Cookie) doesn't buy you much, see a detailed discussion in 
"Path Insecurity":
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

-Amit

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ