Owning Rails 2.0 Cookies at OWASP


	« Phishme Update Owning Rails 2.0 Cookies at OWASP: Part II »


	Owning Rails 2.0 Cookies at OWASP November 14th, 2007 by Corey Post moved here: http://intrepidusgroup.com/insight/2007/11/owning-rails-20-cookies-at-owasp/
	This entry was posted on Wednesday, November 14th, 2007 at 11:37 am and is filed under Conferences, Web Apps. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed. 744 ResponsesOwning+Rails+2.0+Cookies+at+OWASP2007-11-14+16%3A37%3A58Corey to “Owning Rails 2.0 Cookies at OWASP” higB says: November 15, 2007 at 5:58 am Great find Corey! Maybe it's not too late for this to be reconsidered. PhishMe » Owning Rails 2.0 Cookies at OWASP: Part II says: November 19, 2007 at 2:05 pm [...] OWASP conference proved to be a great ground to bring up this topic of the proposed Rails 2.0 cookie storage [...] Jeremy Kemper says: November 20, 2007 at 12:52 pm Please see my comment on Part II debunking the claim of brute-force attack. b3nn says: November 20, 2007 at 7:46 pm Sorry, updated the link for “cookie_store.rb” which did take you to an older version of the file. Brute forcing the HMAC is still possible. I'm sure there are cases where this type of session storage would make sense, but from a security stand point, it makes me nervous that this will be the default storage option.