On Thu, 27 Apr 2000, Marc Slemko wrote:
> > Can you be more specific about why you say that? If I set an encrypted,
> > short-lived cookie upon validated authentication, why is that any less
> > secure than any of the other approaches you mentioned?
>
> It isn't necessarily any "less secure", but you just have to understand
> and properly manage what it opens you up to. I'm not suggesting
> alternatives because they are very limited.
I just wrote an article on XSS (Cross-Site Scripting -- I use "XSS"
instead of "CSS" because CSS means Cascading Style Sheets to most Web
developers and designers) for Webmonkey:
http://hotwired.lycos.com/webmonkey/00/18/index3a.html
If you want to see what sort of stuff the XSS problem opens you up for,
just try appending ?tw=<script>alert("aha!");</script> to the URL above.
Both the Apache folks and Microsoft security have detailed several ways
in which this attack can be much, much, worse than a single Javascript
popup. There are links to resources at the end of the article.
Myself, I've been amusing myself with this:
http://hotwired.lycos.com/webmonkey/00/18/index3a_page6.html?tw=%3CIMG%20SRC%3Dhttp%3A%2F%2Fbarneyonline.com%2Fimages%2Fbab3.gif%3E
Cheers,
Steve
--
tired of being an underappreciated functionary in a soulless machine?
hesketh.com is hiring: <http://hesketh.com/careers/>
