Comments on: Owning Rails 2.0 Cookies at OWASP: Part II http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/ Internet Security Professionals comment on innovative phishing ploys, social engineering techniques, and the latest hacks. Bashing or bowing to the latest and greatest news in the security community. Keep up to speed with what phishers, hackers, and spammers are doing or just listen in on the latest geek rants. PhishMe is your one stop blog for the latest in anti-phishing and security news. Fri, 26 Feb 2010 10:25:13 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: b3nn http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-70 b3nn Wed, 21 Nov 2007 13:56:54 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-70 Here's a link to the rails-core mailing list where this topic is continued. http://groups.google.com/group/rubyonrails-core/browse_thread/thread/769f64d0f4ad59af To wrap up where things currently stand: Yes, the brute forcing of the cookie store hash is possible like this script demonstrates (so choose a strong password everyone!) And session replay is also possible (but there's probably ways to fix that.) We seem to be in disagreement that this should be the default session store choice. Here’s a link to the rails-core mailing list where this topic is continued.

http://groups.google.com/group/rubyonrails-core/browse_thread/thread/769f64d0f4ad59af

To wrap up where things currently stand: Yes, the brute forcing of the cookie store hash is possible like this script demonstrates (so choose a strong password everyone!) And session replay is also possible (but there’s probably ways to fix that.) We seem to be in disagreement that this should be the default session store choice.

]]> By: Jeremy Kemper http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-68 Jeremy Kemper Wed, 21 Nov 2007 00:17:23 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-68 Correction: the cracker itself does use the HMAC. All the other links are wrong. The concern regarding session secret strength is totally valid. See the discussion on the rails-core mailing list for more. Correction: the cracker itself does use the HMAC. All the other links are wrong. The concern regarding session secret strength is totally valid. See the discussion on the rails-core mailing list for more.

]]> By: Jeremy Kemper http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-66 Jeremy Kemper Tue, 20 Nov 2007 22:50:48 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-66 I'm sorry to report that you spread FUD at the OWASP conference. Remove the rev query parameter from the link to the cookie store source, or simply checkout Rails trunk anytime since March 3 2007, and reconsider your claim. I find this lack of diligence inexcusable when it's the basis for a talk at a security conference. Please consider correcting this and your earlier post. There are legitimate concerns with the cookie store, but brute force attacks are not one of them. I’m sorry to report that you spread FUD at the OWASP conference.

Remove the rev query parameter from the link to the cookie store source, or simply checkout Rails trunk anytime since March 3 2007, and reconsider your claim.

I find this lack of diligence inexcusable when it’s the basis for a talk at a security conference. Please consider correcting this and your earlier post.

There are legitimate concerns with the cookie store, but brute force attacks are not one of them.

]]> By: PhishMe » Owning Rails 2.0 Cookies at OWASP http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/comment-page-1/#comment-63 PhishMe » Owning Rails 2.0 Cookies at OWASP Mon, 19 Nov 2007 19:16:40 +0000 http://blog.phishme.com/2007/11/owning-rails-20-cookies-at-owasp-part-ii/#comment-63 [...] See the “Part II” post for the BustRailsCookie script. Digg [...] [...] See the “Part II” post for the BustRailsCookie script. Digg [...]

]]>