Session fixation and cookie theft (Read 2,992 times)
JonB | YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team | Posts: 3,785 | Location: Land of the Blazing Sun! | YaBB 2.6.0
Re: Session fixation and cookie theft
Reply #10 - Sep 21st, 2012 at 9:16pm
Just so you know - AOL added an XFF to their headers a long time ago. x-headers are supplementary non-critical info.  I fixed my security systems for that in 2007 some time. The XFF tells you what the true originating IP is.

Pooled IPs are just a type of proxy server, so the proxy always knows what each side 'thinks' the IP is.

http://en.wikipedia.org/wiki/Wikipedia:AOL

Wink
  

I find your lack of faith disturbing.
 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Re: Session fixation and cookie theft
Reply #9 - Sep 21st, 2012 at 3:28pm
I don't know, that's the thing, cause 1. I am not an evil person, nor a hacker or a phisher or a cracker, I don't even use crack(s), not data-wise, or the, you know, hm, reality changing-wise Tongue

and 2. I only know what I read about said pooling and spawning and what not... and what I read, and remember, if it is on the net, it must be true, according to some law or something, scares me. Cause if it is one thing I am afraid of, it is making something that will compromise my users, who are supposed to be able to trust me Tongue
  

if ($human) {die("Sorry, you lot have destroyed too much already")}
 
JonB | YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team | Posts: 3,785 | Location: Land of the Blazing Sun! | YaBB 2.6.0
Re: Session fixation and cookie theft
Reply #8 - Sep 21st, 2012 at 3:19pm
Quote:
would allow more than one user to have one ip


How exactly would that datastream be forwarded?

The server is going to dispatch a packet to xxx.yyy.zzz.nn. This is TCP/IP, the packet has a destination address - without a man-in-the-middle - how can it be delivered to anyone else?

This isn't YaBB stuff, this is server stuff. YaBB only sees a user with a cookie. The reply to a request is going to go to the requesting IP address, whether that User is authenticated or not is the only question.

Any security type would tell you that a 'social engineering' password theft is way easier.

And again I have to ask - what value is there in any of this?

  

 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Re: Session fixation and cookie theft
Reply #7 - Sep 21st, 2012 at 3:10pm
Great Scott, a guide even a simpleton like me can actually read and follow!!! Tongue

Hehe, you!! If you do it for a living, your two cents, or dollars, or thousand dollar bills, would be worth more than its stated value, so, I'll take your cents!!

I might even hire you, depending on how expensive you are, and how much coffee you require!!!
  

 
JonB | YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team | Posts: 3,785 | Location: Land of the Blazing Sun! | YaBB 2.6.0
Re: Session fixation and cookie theft
Reply #6 - Sep 21st, 2012 at 3:01pm
AFAIK, Cookie-sniffing for modern browsers is almost non-existent without network access. The attack would have to be very sophisticated, and probably use header-spoofing, additionally - I think - it would have to either have some server or direct network access level, and/or be a man-in-the-middle. I just can't see any way to get there. And what would be the point???

I'm pretty expert with Wireshark, but to use it you have to have logical access to the data stream. (Wireshark is how I found that YaBB 2.x could not write cookies on IIS5)

http://lifehacker.com/5853483/a-guide-to-sniffing-out-passwords-and-cookies-and-...

Just my 2¢ on the matter. (let it be said - this is what I do for a living)

Wink
  

 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Re: Session fixation and cookie theft
Reply #5 - Sep 21st, 2012 at 2:52pm
Yes, and thank you for replying btw Wink

But this IP thing, checking that and even using it in a cookie.... I've read that AOL and others do this pooling of IPs. That's the one thing, then it is said that they also spawn new IPs for each and every single request a client does online..... which, if I'm understanding it correctly, to the first, would allow more than one user to have one IP, and to the second part, would render the real McCoy user a fake?
Yay, yay, I know, three cookies and all, but still, I'm struggling.... can't be helped, lord, I struggle Tongue

Security, darn tricky stuff!!!
« Last Edit: Sep 21st, 2012 at 2:55pm by malmklang2 »  

 
xnoddyx | Support Team, Documentation Team, YaBB Moderators, YaBB Next Team, Beta Testers | Posts: 1,584 | Location: UK:Scotland/livingston
Re: Session fixation and cookie theft
Reply #4 - Sep 21st, 2012 at 12:17pm
malmklang2 wrote on Sep 21st, 2012 at 7:44am:
What am I missing in my understanding of this sniffing up of cookies? Why does encrypting it ensure that only the real user will gain access to logged in areas?

as Dandello wrote on Sep 17th, 2012 at 3:08pm:
YaBB creates three cookies, only one of which is for the Session Info - and the name of the cookies is unique (or at least close to unique) to each forum.


With properly set up three-part cookies, the IP of the user is also encrypted into the cookies with a session key, so even if the cookies are cloned they will not be of much use to them: when the IP check runs you will get an error "ALERT!! Form Spoofing Detected coming from IP address:" and access is denied  Wink
but this won't stop ghosting  Sad
« Last Edit: Sep 21st, 2012 at 12:18pm by xnoddyx »  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
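An added example (not YaBB's own code) of the check xnoddyx describes and of the proxy point JonB makes in Reply #10: the client IP is sealed into the cookie with an HMAC under a server key, so a cloned cookie replayed from another address is refused with the spoofing alert, and a copy with the IP rewritten fails its signature. The server key, the trusted-proxy list and all addresses are constructed placeholders, and X-Forwarded-For is only believed when the request arrived from a listed proxy.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server key; in production load it from outside the web root.
my $SECRET = 'example-key-change-me';
# Constructed list of proxies whose X-Forwarded-For header we believe.
my %TRUSTED_PROXY = ('10.0.0.5' => 1);

# Real client IP: honour XFF only when the TCP peer is a trusted proxy, and
# use its LAST entry, the one that proxy appended (earlier ones may be faked).
sub client_ip {
    my ($remote_addr, $xff) = @_;
    return $remote_addr unless $TRUSTED_PROXY{$remote_addr} && defined $xff;
    my @hops = split /\s*,\s*/, $xff;
    return $hops[-1];
}
# Cookie value = session id | client IP | HMAC over both under the server key.
sub bake_cookie {
    my ($sid, $ip) = @_;
    return join '|', $sid, $ip, hmac_sha256_hex("$sid|$ip", $SECRET);
}

# Fixed-time comparison so a wrong MAC leaks nothing through timing.
sub same_mac {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}
# Verify a returned cookie against the real client IP: (1, sid) or (0, reason).
sub check_cookie {
    my ($cookie, $ip) = @_;
    my ($sid, $cookie_ip, $mac) = split /\|/, $cookie, 3;
    return (0, 'malformed cookie') unless defined $mac;
    return (0, 'bad signature')
        unless same_mac($mac, hmac_sha256_hex("$sid|$cookie_ip", $SECRET));
    return (0, "Form Spoofing Detected coming from IP address: $ip")
        if $cookie_ip ne $ip;
    return (1, $sid);
}

# Constructed demo: genuine user, the same cookie replayed from another
# address, and a copy whose embedded IP was rewritten to match that address.
my $cookie = bake_cookie('abc123', client_ip('10.0.0.5', '203.0.113.7'));
(my $forged = $cookie) =~ s/203\.0\.113\.7/198.51.100.9/;
for (['203.0.113.7', $cookie], ['198.51.100.9', $cookie], ['198.51.100.9', $forged]) {
    my ($ok, $why) = check_cookie($_->[1], $_->[0]);
    print "$_->[0]: ", ($ok ? "accepted, session $why" : "rejected, $why"), "\n";
}
```

Binding to the IP does not help against an attacker who shares the victim's address (the pooled-proxy case in the thread), so it is a second check beside a long, random session id, not a replacement for one.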
 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Re: Session fixation and cookie theft
Reply #3 - Sep 21st, 2012 at 7:44am
So, the YaBB code is still too complex for me to navigate properly, yet, anyways Tongue

Found the only decent (ok, so what I finally found wasn't just decent, but pure gold) step by step guide to encryption and securing cookies from tampering in Writing Apache modules with Perl and C. Everything else I've found assumes so much prior knowledge of the parts of programming that involves security and such.

But, they still don't explain, or I'm not reading it right, why this makes any difference when it comes to evil, evil people sniffing stuff up and using it to steal the identity of valid users.
If a cookie sent in plain text can be sniffed up, why does an encrypted one make it any safer? I mean, everything can be sniffed and put in a cookie on another computer and then it doesn't matter if the secret key and what not is not known to the one sniffing it up and recreating it by just putting everything sniffed into this new, duplicate cookie, cause once the server retrieves it, it will do the decryption or what to call it, as if it came from the real user's cookie?

Having a cookie safe from tampering with, that's all fine and dandy, actually nifty, but, and I'm not putting passwords, not even encrypted ones in the cookie, I want a cookie that gets to the real, valid user, and if it gets derailed, or duplicated, it should become invalid and present itself as fake to the server upon getting it back from the fake user, or evil person.

What am I missing in my understanding of this sniffing up of cookies? Why does encrypting it ensure that only the real user will gain access to logged in areas?
  

 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Re: Session fixation and cookie theft
Reply #2 - Sep 17th, 2012 at 5:34pm
Yah, I had a feeling it would be very smart to decipher YaBB's way of doing things, and now I feel even more certain that this would be the way to go, especially since YaBB always encouraged, or at least, hasn't minded if one uses it for learning and improving one's own functions and programs, if due credit is given.

Am I understanding you right when what I got was, forget about regeneration and stuff like that, go for encryption instead? I don't send much through qstrings, other than uhm, actions and stuff, pagination variables, though I use mod_rewrite to make the urls oh so much prettier, not that that helps in any ways, or adds to the security... So, it will be mostly used for the form data, I guess and, well, the login and stuff, which is just that, through forms, and of course the sending of the cookie(s)..

I'll start digging into the nuts and bolts of the YaBB way then Smiley
  

 
Dandello | YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team | Posts: 2,130 | Location: Earth | YaBB 2.6.0
Re: Session fixation and cookie theft
Reply #1 - Sep 17th, 2012 at 3:08pm
1) YaBB creates three cookies, only one of which is for the Session Info - and the name of the cookies is unique (or at least close to unique) to each forum.

2) aside from things like 'action' and 'num' variables, every other query string is (or can be) encrypted. Even in the form data that is generated by certain pages, the data is (for the most part) encrypted - and the pages where it isn't are very very few and limited to a single unencrypted form entry.

As far as I'm aware, although many YaBB forums have gotten hit over the years with major spambot attacks and the occasional DOS attack, none have had their member security compromised from the outside.



  

If you only have one solution to a problem you're not trying hard enough!
 
malmklang2 | Jr. Developer, Language Team | Posts: 257 | Location: Norway
Session fixation and cookie theft
Sep 17th, 2012 at 8:44am
Hello folks!

I had a username here, but forgot the password. Tried to have it renewed, but the change password link from the email gave me either "no access" or "invalid id", so, here I am, under a new handle.

So, I'm worried about both session fixation and cookie theft! I've been reading many articles and wikis on how it is important to combat, or take steps to avoid this. Most if not all articles though, deal with it from a php perspective, which isn't too helpful in terms of sample code for Perl Tongue

Anyways, I've had one person suggest that all the advice about regenerating sessionid on each new request is as stupid as passing the sessionid in querystrings, which I never said to him I was doing, anyways. He further suggested to add a script pid to the cookie made by SESSION's new() function to check for presence when doing my login tests to see if user is valid and stuff.

So, my thoughts are, how does adding a pid and checking for it help, if cookies can be sniffed as easily as one could say "come get it"? Furthermore, session fixation is only a problem if passing it through querystrings? That's not the understanding I'm getting from the articles I've been reading.

Which leads to a couple of new questions.
If I was to take the advice of adding a "secret" pid to the cookie generated and baked and sent by SESSION's interface, how would I go about adding that to the baking of the cookie? The examples from the CPAN module itself are scarce about that.

If I still feel like I want to regenerate new session ids for each request, would it be possible to get a little help on how to do that? This again leads, as I see it, to a matter of how to alter the cookie setup used by SESSION so that I can send expire time to the client cookie of lesser value than current time to erase it, then set up a new cookie with the new session id.

I might be way off in all of this, but that's ok, I've been away from Perl for a couple of years, and I can't expect to just slip into the groove, if I ever had one in the first place.
I could check out Yabb's way of doing sessions and security, but for the same reasons as my not being in a groove, I find it hard to navigate through the code Tongue

So yeah, hopefully not too many dumb questions, and hopefully I am not asking too much. This other person had me feeling there are not only stupid questions in fact, but very stupid questions and more importantly, many, many stupid wikis and articles!!
« Last Edit: Sep 17th, 2012 at 9:13am by malmklang2 »  

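An added example (not YaBB's or CGI::Session's code) of the regeneration step the question describes: on login the id the browser presented is thrown away and a fresh one is issued, and a cookie is cleared by re-sending it with an expiry in the past. Regenerating at login, the moment privilege changes, is what defeats fixation; rotating on every request gains little and breaks concurrent requests. It assumes a Unix /dev/urandom and uses a hypothetical cookie name and an in-memory store in place of a real session backend.

```perl
use strict;
use warnings;

# In-memory stand-in for the session store (CGI::Session would use a file
# or database driver); constructed for this example.
my %STORE;
my $COOKIE_NAME = 'example_sid';   # hypothetical cookie name

# Fresh session id: 32 bytes from the kernel CSPRNG, hex encoded. Never
# derive it from time, pid or rand(), which an attacker can guess.
sub new_sid {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Set-Cookie header text. With delete => 1 the expiry lies in the past,
# which is how a browser is told to discard the cookie.
sub set_cookie_header {
    my ($value, %opt) = @_;
    my $hdr = "Set-Cookie: $COOKIE_NAME=$value; Path=/; HttpOnly; SameSite=Lax";
    $hdr .= "; Secure" if $opt{secure};
    $hdr .= "; Expires=Thu, 01 Jan 1970 00:00:00 GMT" if $opt{delete};
    return $hdr;
}

# On successful login: abandon whatever id the browser presented (it may
# have been planted by an attacker) and bind the user to a brand-new one.
sub regenerate_on_login {
    my ($presented, $user) = @_;
    my %carry = defined $presented && $STORE{$presented} ? %{ $STORE{$presented} } : ();
    delete $STORE{$presented} if defined $presented;   # old id is now dead
    my $sid = new_sid();
    $STORE{$sid} = { %carry, user => $user, created => time };
    return ($sid, set_cookie_header($sid, secure => 1));
}

# Resolve a presented id to its session data, or undef.
sub lookup { my ($sid) = @_; return defined $sid ? $STORE{$sid} : undef }

# Constructed demo: the browser arrives with a pre-login id ("fixed")
# that nobody but the server should ever have issued.
$STORE{fixed} = { cart => 'one item' };
my ($sid, $header) = regenerate_on_login('fixed', 'alice');
print "$header\n";
print "planted id still valid? ", (lookup('fixed') ? 'yes' : 'no'), "\n";
print "new id belongs to ", lookup($sid)->{user}, ", cart: ", lookup($sid)->{cart}, "\n";
print "logout: ", set_cookie_header('', delete => 1), "\n";
```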
 