Comments on: Owning Rails 2.0 Cookies at OWASP: Part II http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/ Posts about innovative phishing ploys, social engineering techniques, and the latest hacks. PhishMe is your one stop blog for the latest in anti-phishing and security news. Sat, 04 Feb 2012 10:16:28 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: b3nn http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-70 b3nn Wed, 21 Nov 2007 08:56:54 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-70 Here's a link to the rails-core mailing list where this topic is continued. <a href="http://groups.google.com/group/rubyonrails-core/browse_thread/thread/769f64d0f4ad59af" rel="nofollow">http://groups.google.com/group/rubyonrails-core/b...</a> To wrap up where things currently stand: Yes, the brute forcing of the cookie store hash is possible like this script demonstrates (so choose a strong password everyone!) And session replay is also possible (but there's probably ways to fix that.) We seem to be in disagreement that this should be the default session store choice. Here's a link to the rails-core mailing list where this topic is continued.

http://groups.google.com/group/rubyonrails-core/b…

To wrap up where things currently stand: Yes, the brute forcing of the cookie store hash is possible like this script demonstrates (so choose a strong password everyone!) And session replay is also possible (but there's probably ways to fix that.) We seem to be in disagreement that this should be the default session store choice.

]]> By: Jeremy Kemper http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-68 Jeremy Kemper Tue, 20 Nov 2007 19:17:23 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-68 Correction: the cracker itself does use the HMAC. All the other links are wrong. The concern regarding session secret strength is totally valid. See the discussion on the rails-core mailing list for more. Correction: the cracker itself does use the HMAC. All the other links are wrong. The concern regarding session secret strength is totally valid. See the discussion on the rails-core mailing list for more.

]]> By: Jeremy Kemper http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-66 Jeremy Kemper Tue, 20 Nov 2007 17:50:48 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-66 I'm sorry to report that you spread FUD at the OWASP conference. Remove the rev query parameter from the link to the cookie store source, or simply checkout Rails trunk anytime since March 3 2007, and reconsider your claim. I find this lack of diligence inexcusable when it's the basis for a talk at a security conference. Please consider correcting this and your earlier post. There are legitimate concerns with the cookie store, but brute force attacks are not one of them. I'm sorry to report that you spread FUD at the OWASP conference.

Remove the rev query parameter from the link to the cookie store source, or simply checkout Rails trunk anytime since March 3 2007, and reconsider your claim.

I find this lack of diligence inexcusable when it's the basis for a talk at a security conference. Please consider correcting this and your earlier post.

There are legitimate concerns with the cookie store, but brute force attacks are not one of them.

]]> By: PhishMe » Owning Rails 2.0 Cookies at OWASP http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-63 PhishMe » Owning Rails 2.0 Cookies at OWASP Mon, 19 Nov 2007 19:16:40 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-63 [...] See the “Part II” post for the BustRailsCookie script. Digg [...] [...] See the “Part II” post for the BustRailsCookie script. Digg [...]

]]>