<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0">
			<channel>
			<title>12Robots.com - Jason Dean - HTTP</title>
			<link>http://www.12robots.com/index.cfm</link>
			<description>ColdFusion, Database, MVC, Frameworks, Security and whatever</description>
			<language>en-us</language>
			<pubDate>Mon, 06 Sep 2010 19:20:33 -0500</pubDate>
			<lastBuildDate>Fri, 18 Dec 2009 10:16:00 -0500</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>jason@12robots.com</managingEditor>
			<webMaster>jason@12robots.com</webMaster>
			
			
			
			
			
			<item>
				<title>URL Session Tokens easily compromised - Security Series #6.4</title>
				<link>http://www.12robots.com/index.cfm/2009/12/18/URL-Session-Tokens-easily-compromised--Security-Series-64</link>
				<description>
				
				I have said on several occasions that catering to users who insist on disabling cookies is a bad idea. I have blogged a &lt;a href=&quot;http://www.12robots.com/index.cfm/2008/6/18/How-Session-Tokens-are-Compromised-and-Session-Security-Wrap-Up--Security-Series-63&quot;&gt;couple&lt;/a&gt; &lt;a href=&quot;http://www.12robots.com/index.cfm/2008/6/15/Session-Token-Cookies-should-we-force-them-on-our-users&quot;&gt;times&lt;/a&gt; on the reasons. 

So why am I suddenly bringing this topic up again?  Well, I recently read (I cannot recall where, it was probably on the &lt;a href=&quot;http://www.owasp.org&quot;&gt;OWASP site&lt;/a&gt;) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 18 Dec 2009 10:16:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/12/18/URL-Session-Tokens-easily-compromised--Security-Series-64</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>AIR Tip: Cookie Sharing between AIR and Web Browsers</title>
				<link>http://www.12robots.com/index.cfm/2009/9/22/AIR-Tip-Cookie-Sharing</link>
				<description>
				
				This is something I came across at work that I thought I would share, because at first, it had me scratching my head.

Internally, Adobe AIR uses WebKit as a &quot;browser&quot;, which is great, and as expected, it actually behaves like a browser, including cookie support for access to external resources. This means that when you are making remote calls to resources, you can use cookies to maintain sessions or for information tracking.
				 [More]
				</description>
						
				
				<category>Tip</category>				
				
				<category>HTTP</category>				
				
				<category>AIR</category>				
				
				<pubDate>Tue, 22 Sep 2009 18:48:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/9/22/AIR-Tip-Cookie-Sharing</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Session token rotation REVISITED - Security Series #12.3.3 and #6.4.3</title>
				<link>http://www.12robots.com/index.cfm/2009/6/29/Session-token-rotation-REVISITED--Security-Series-1233-and-643</link>
				<description>
				
				I &lt;a href=&quot;http://www.12robots.com/index.cfm/2009/6/26/Session-token-rotation--Security-Series-1232-and-642&quot;&gt;posted on Friday about my experimental code for session token rotation&lt;/a&gt; and I got some great comments (thanks &lt;a href=&quot;http://www.petefreitag.com&quot;&gt;Peter&lt;/a&gt; and Brian). Brian stated in his comment that because I am using a &amp;lt;cflocation&amp;gt;, which is a 302 HTTP redirect, it could cause problems with legitimate deep-linking, plus, using &amp;lt;cflocation&amp;gt; feels like a hack. I agree with the latter.  I was not happy with using &amp;lt;cflocation&amp;gt;, but it was all I could think to do at the time.

So I gave it some more thought this weekend and came up with a new way of doing it that uses &amp;lt;cfhttp&amp;gt; instead of a redirect. I am MUCH happier with this method for a couple of reasons.
				 [More]
				</description>
						
				
				<category>Tomcat</category>				
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 29 Jun 2009 10:02:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/6/29/Session-token-rotation-REVISITED--Security-Series-1233-and-643</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Session token rotation - Security Series #12.3.2 and #6.4.2</title>
				<link>http://www.12robots.com/index.cfm/2009/6/26/Session-token-rotation--Security-Series-1232-and-642</link>
				<description>
				
				This is a continuation of a topic that I have been &lt;a href=&quot;http://www.12robots.com/index.cfm/2009/1/27/New-Session-on-Login--Security-Series-1231-and-641&quot;&gt;blogging about and thinking about for a long time&lt;/a&gt;. Session management and cookie security are really interesting topics that I could yammer on about for hours. Go ahead, ask my wife.

About 3 months ago, &lt;a href=&quot;http://www.bennadel.com&quot;&gt;Ben Nadel&lt;/a&gt; &lt;a href=&quot;http://www.bennadel.com/blog/1537-The-Same-CFID-CFTOKEN-Values-Are-Used-Across-ColdFusion-Session-Timeouts.htm&quot;&gt;blogged about a behavior of ColdFusion&lt;/a&gt; that I found troubling.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 26 Jun 2009 14:04:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/6/26/Session-token-rotation--Security-Series-1232-and-642</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>JSESSIONID Session Token Cookie - Important update to previous post</title>
				<link>http://www.12robots.com/index.cfm/2009/5/6/JSESSIONID-Session-Token-Cookie--Important-update-to-previous-post</link>
				<description>
				
				I made a couple of errors in my previous post about setting the SECURE, PATH and HTTPOnly attributes of the JSESSIONID token cookie. The code has been updated and now works better than before. Please see the update &lt;a href=&quot;http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH&quot; title=&quot;JSESSIONID token Cookie Update&quot;&gt;here&lt;/a&gt;.
				
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Wed, 06 May 2009 22:25:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/5/6/JSESSIONID-Session-Token-Cookie--Important-update-to-previous-post</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Making the JSESSIONID Session Token Cookie SECURE and HTTPOnly and settings its PATH</title>
				<link>http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH</link>
				<description>
				
				Wow, I have been working on this one for a while. I am almost embarrassed to admit that I have spent upwards of 9 hours learning how cookies work in ColdFusion and the JEE server (including another full hour since I started writing this post).  A lot of testing and trying out different things has resulted in a lot of frustration, a little code, and (hopefully) a solution.

I have complained before that when using J2EE session management in ColdFusion, the session token cookies are difficult to work with. When trying to do things like set a specific PATH, or set the cookie as SECURE or HTTPOnly, it can, many times, result in creating duplicate cookies.  Well, I think I have finally come up with a method of setting the JSESSIONID token&apos;s PATH, SECURE, and HTTPOnly attributes without this duplication.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Wed, 06 May 2009 12:27:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Using WebScarab with Adobe AIR to Monitor HTTP Traffic</title>
				<link>http://www.12robots.com/index.cfm/2009/4/8/Using-WebScarab-with-Adobe-AIR-to-Monitor-HTTP-Traffic</link>
				<description>
				
				Wow. What a busy few weeks. But now that I have completed my &lt;a href=&quot;http://cfobjective.com/&quot;&gt;cf.Objective()&lt;/a&gt; presentation, and given a practice presentation to the &lt;a href=&quot;http://www.colderfusion.com/&quot;&gt;Twin Cities ColdFusion User Group&lt;/a&gt;, and I have caught up on things at work, I am finally back at my desk, jamming to some &lt;strike&gt;Miley Cyrus&lt;/strike&gt; &lt;strike&gt;Aly &amp; AJ&lt;/strike&gt; Metallica and pumping out code.

My current project is an &lt;a href=&quot;http://www.adobe.com/products/air/&quot;&gt;Adobe AIR&lt;/a&gt; application that, on occasion, needs to talk to a remote server. I am using &lt;a href=&quot;http://docs.jquery.com/Ajax&quot;&gt;jQuery&lt;/a&gt; to make the requests to the remote server, though I could just as easily use AIR&apos;s &lt;a href=&quot;http://livedocs.adobe.com/labs/air/1/jslr/flash/net/URLLoader.html&quot;&gt;URLLoader&lt;/a&gt;.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>AIR</category>				
				
				<pubDate>Wed, 08 Apr 2009 09:23:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/4/8/Using-WebScarab-with-Adobe-AIR-to-Monitor-HTTP-Traffic</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The Basics of HTTP - Part 3 - The Response</title>
				<link>http://www.12robots.com/index.cfm/2009/3/13/The-Basics-of-HTTP--Part-3--The-Response</link>
				<description>
				
				So I wasn&apos;t sure if I was going to continue this series. I had been sick for a while and I am already done with my presentation (the reason for my research). But I&apos;ve decided to finish what I started. I will probably finish with this post. If you want to learn more about HTTP, I strongly recommend the O&apos;Reilly &lt;em&gt;HTTP Definitive Guide&lt;/em&gt;. It is from 2002, but HTTP has not changed much, if at all, since then, so it is still a very relevant text.

&lt;h2&gt;HTTP Response Messages&lt;/h2&gt;
As we discussed &lt;a href=&quot;http://www.12robots.com/index.cfm/2009/3/6/The-Basics-of-HTTP--Part-2--The-Request&quot;&gt;last time&lt;/a&gt;, HTTP requests are made from a client to a server to request a specific resource. The server processes that request and returns a &lt;strong&gt;response&lt;/strong&gt;. That response must also be formatted properly and contain specific information for the client to understand it and either display the resource or display the reason that the resource was unavailable.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<pubDate>Fri, 13 Mar 2009 09:55:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/3/13/The-Basics-of-HTTP--Part-3--The-Response</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The Basics of HTTP - Part 2 - The Request</title>
				<link>http://www.12robots.com/index.cfm/2009/3/6/The-Basics-of-HTTP--Part-2--The-Request</link>
				<description>
				
				I&apos;m still feeling pretty under the weather, but I just have to get a blog post done or I won&apos;t be able to live with myself over the weekend.
So here is a continuation of my HTTP series. There is a lot more to learn about this basic protocol than I ever expected. It makes me want to stop calling it &quot;basic&quot;.  :)

In order for a client (web browser, web service, etc) to get a resource (HTML page, image, JavaScript file, flash file, etc) from an HTTP server (web server like IIS or Apache) it must request the resource. That request must be made and formatted in a certain way for it to work.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<pubDate>Fri, 06 Mar 2009 10:20:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/3/6/The-Basics-of-HTTP--Part-2--The-Request</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>I will be speaking at TCCFUG this Wednesday March 4th 2009</title>
				<link>http://www.12robots.com/index.cfm/2009/3/2/I-will-be-speaking-at-TCCFUG-this-Wednesday-March-4th-2009</link>
				<description>
				
				I have been sick the last few days and it has slowed my posting. I hope to be back on track soon.

I am posting now to let you know that I will be speaking at the &lt;a href=&quot;http://www.colderfusion.com/index.cfm&quot;&gt;Twin Cities ColdFusion User Group&lt;/a&gt; meeting this Wednesday March 4th @ 6:30.

My presentation will be an introduction to HTTP. Here is the description:
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>CFUG</category>				
				
				<pubDate>Mon, 02 Mar 2009 13:55:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/3/2/I-will-be-speaking-at-TCCFUG-this-Wednesday-March-4th-2009</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The Basics of HTTP - Part 1 - What is HTTP</title>
				<link>http://www.12robots.com/index.cfm/2009/2/23/The-Basics-of-HTTP--Part-1--What-is-HTTP</link>
				<description>
				
				I have been dreading this first post about HTTP. So I am going to start it off simply by letting Wikipedia articulate what HTTP is, then I will try to put it into my own words.

Wikipedia &lt;a href=&quot;http://en.wikipedia.org/wiki/HyperText_Transfer_Protocol&quot;&gt;says&lt;/a&gt;:&lt;br /&gt;
&lt;blockquote&gt;
Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems.
&lt;/blockquote&gt;

&lt;blockquote&gt;
HTTP is a request/response standard between a client and a server. A client is the end-user, the server is the web site. The client making a HTTP request--using a web browser, spider, or other end-user tool--is referred to as the user agent. The responding server--which stores or creates resources such as HTML files and images--is called the origin server.
&lt;/blockquote&gt;
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<pubDate>Mon, 23 Feb 2009 15:30:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/2/23/The-Basics-of-HTTP--Part-1--What-is-HTTP</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The Basics of HTTP - Series Introduction</title>
				<link>http://www.12robots.com/index.cfm/2009/2/17/The-Basics-of-HTTP--Series-Introduction</link>
				<description>
				
In preparation for an upcoming user group presentation and a project I have been working on, I have been doing a lot of reading about our old friend the &lt;a href=&quot;http://www.w3.org/Protocols/&quot;&gt;Hypertext Transfer Protocol&lt;/a&gt; (HTTP). 

&lt;a href=&quot;http://www.mach-ii.com/&quot;&gt;Kurt Wiersma&lt;/a&gt; and I were talking at the last &lt;a href=&quot;http://www.colderfusion.com/&quot;&gt;Twin Cities ColdFusion User Group&lt;/a&gt; meeting about application security, and while talking we came to the realization that understanding the basics of how HTTP works is the foundation for recognizing threats to your application and for creating security countermeasures. Right there I decided that one of the next steps in my path toward learning more about security, and in educating others on security topics, was to learn as much as I could about the protocol on which we run our most precious applications.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<pubDate>Tue, 17 Feb 2009 09:46:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/2/17/The-Basics-of-HTTP--Series-Introduction</guid>
				
			</item>
			
		 	
			</channel></rss>