Cenzic 232 Patent
Paid Advertising
web application security lab

Using Cookies For Selective DoS and State Detection

28 posts left….

This is a continuation of the first post where we described how you can use cookies to DoS certain portions of the website. After our speech one of the Mozilla guys came up to us and described another attack that arises from this. Let’s say when a user logs in it sets a cookie that is 200 bytes long, and when they log out it re-sets the same cookie to 50 bytes. Well if the attacker can set a cookie with a particular path to a single image on the site, for instance, they can use JavaScript to check with an onerror event handler to see if the image has loaded.

By combining the over-long cookie (minus 50 bytes) a logged in state will cause the image to fail to load, where as a logged out state will allow the image to load just fine. In this way an attacker can tell cookie states as long as the cookies are variable width and there aren’t other cookies muddying the waters. Interesting attack, I thought!

4 Responses to “Using Cookies For Selective DoS and State Detection”

  1. Ta Duy Duc Says:

    Ah! You are cheating. Isn’t this post suppose to be in the last post.

  2. RSnake Says:

    They really are different issues arising from the same problem. I’m not sure it’s cheating, I’ve broken up issues into multiple posts before when I think they’re different enough - like this is. :)

    Btw, I forgot to mention - this just shows that when we said there may be hundreds of other issues, how right we were - people got ideas even during our presentation.

  3. guly Says:

    no, you’re cheating. you’re fined and you should restart the countdown from 1000 now :)

  4. kaes Says:

    Yeah absolutely. You should merge those posts, this is not fair ;-) We want more posts!! ;-)

    Anyway, on topic, just wanted to say, that’s a pretty fucking clever idea!