Tuesday, March 11, 2008

xsrf nerdery

I haven't posted anything interesting webappsec related in ages, so I'll make it up with this super fun link that I just found.

"Racing to downgrade users to cookie-less authentication"

As I wrote previously, I discovered that in Firefox and Opera we can exhaust the cookie limit to delete the user's old cookies.

If we assume that the user is browsing both a site which degrades to cookie-less auth and our malicious site at the same time, then if you think about this you can see that there is a race condition between when the server sets the cookie and the user logs in (and in some applications between when a page is served and the next HTML request is made).

The question is: can we win this race?

I was hooked before I even got to that part, because this is a great little article on exactly the type of security chaos and fun you can create with a web browser. I'll add a note that I know that my current employer's website isn't vulnerable to this, and I know that solely because of some buggy JMeter scripts that I dealt with a few months ago. Something to play with anyway.

Enough browser silliness, here's a picture from my trip. I took this when my feet were pretty much walked off and I stuck over to a window of the Louvre to try to rest my toes by sitting on a nearby bench.

(photo: the Louvre)

I love all the statues on the outside of the Louvre. On this trip I actually walked almost entirely around the outside of the building just to read the visible names of the ones low enough to street level.
