Bytes | Software Development & Data Engineering Community

spoofing question

Hi. I have an ASP page which stores a cookie. That cookie is then read on a
different server. This is the crux of an ASP / JSP bridge I am creating for
allowing a user to seamlessly switch from an ASP service to a JSP service
and have their session state returned to them.

My question is, is there any way a hacker can spoof a cookie in a request?

Thanks

S
Jul 19 '05 #1

"Stephanie Stowe" <st***@whackthisvsac.org> wrote in message
news:eE**************@TK2MSFTNGP09.phx.gbl...

My question is, is there any way a hacker can spoof a cookie in a request?


Yes.

Ray at work
Jul 19 '05 #2

"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:uL**************@TK2MSFTNGP12.phx.gbl...

"Stephanie Stowe" <st***@whackthisvsac.org> wrote in message
news:eE**************@TK2MSFTNGP09.phx.gbl...

My question is, is there any way a hacker can spoof a cookie in a request?


Yes.

Ray at work


Darn. How? NOW I do not want to spoof anyone. I want to make sure I do not
create spoofable stuff. I have to understand how the spoof is done. Probably
my idea is not salvageable. (Which is a drag.) But I guess I would still like
to know. I suppose I could encrypt...

Thanks

S
Jul 19 '05 #3

"Stephanie Stowe" <st***@whackthisvsac.org> wrote in message
news:OJ*************@TK2MSFTNGP11.phx.gbl...

"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:uL**************@TK2MSFTNGP12.phx.gbl...

"Stephanie Stowe" <st***@whackthisvsac.org> wrote in message
news:eE**************@TK2MSFTNGP09.phx.gbl...

My question is, is there any way a hacker can spoof a cookie in a request?
Yes.

Ray at work


Darn. How? NOW I do not want to spoof anyone. I want to make sure I do not
create spoofable stuff. I have to understand how the spoof is done.

Probably my idea is not salvageable. (Which is a drag.) But I guess I would still like to know. I suppose I could encrypt...

Thanks

S


Never mind. That was a dumb question. I tend to forget that a web browser is
not the only thing capable of creating an http request.

S
Jul 19 '05 #4

"Stephanie Stowe" <st***@whackthisvsac.org> wrote in message
news:OJ*************@TK2MSFTNGP11.phx.gbl...

Darn. How? NOW I do not want to spoof anyone. I want to make sure I do not
create spoofable stuff. I have to understand how the spoof is done. Probably my idea is not salvageable. (Which is a drag.) But I guess I would still like to know. I suppose I could encrypt...


I don't really know exactly how, since I'm an honest non-hacking person. ;]
But, I've written some vbscript code before to send http requests to sites
with cookies for legitimate reasons. I could put in bogus values if I
wanted to.

Cookies are a nice convenience tool, but shouldn't really be used as a
security tool if possible.

Ray at work
Jul 19 '05 #5
"Stephanie Stowe" wrote:

My question is, is there any way a hacker can spoof a cookie
in a request?

Yes.


Darn. How? NOW I do not want to spoof anyone. I want to make
sure I do not create spoofable stuff.


It rather depends on what you mean by "spoofable". Are you trying to prevent
someone from guessing a cookie value? Are you trying to prevent multiple
users from sharing (knowingly or not) access to the same session/record?

I assume from your original post that this is a session management question,
in which case you may be concerned about either of the above.

If your ASP and JSP services have access to the same data store, you can
pass the session id through the cookie (or even the QueryString) and store
shared session variables in the DB. A SQL Server GUID might be useful for
generating "unguessable" session IDs. See this for pros and cons:
http://www.devx.com/dbzone/Article/10167

As for restricting access, the receiving script can compare various Request
headers (REMOTE_HOST, USER_AGENT, HTTP_ACCEPT, etc.) to those stored in the
DB by the sending script (in the record matching the shared session ID).
Some of the headers to consider are in this list of ServerVariables:
http://msdn.microsoft.com/library/en...rvariables.asp

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #6

"Dave Anderson" <GT**********@spammotel.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
"Stephanie Stowe" wrote:

My question is, is there any way a hacker can spoof a cookie
in a request?

Yes.
Darn. How? NOW I do not want to spoof anyone. I want to make
sure I do not create spoofable stuff.


It rather depends on what you mean by "spoofable". Are you trying to
prevent someone from guessing a cookie value? Are you trying to prevent multiple
users from sharing (knowingly or not) access to the same session/record?

Both. The accessing the same session/record I am concerned about in a
separate post that I will be making after replying to this one. The question
I asked was about guessing the session id.
I assume from your original post that this is a session management question, in which case you may be concerned about either of the above.

If your ASP and JSP services have access to the same data store, you can
pass the session id through the cookie (or even the QueryString) and store
shared session variables in the DB. A SQL Server GUID might be useful for
generating "unguessable" session IDs. See this for pros and cons:
http://www.devx.com/dbzone/Article/10167
I am not at liberty to do this as I do not have SQL Server. We use DB2 on
the iSeries. More in a new post this am.
As for restricting access, the receiving script can compare various Request headers (REMOTE_HOST, USER_AGENT, HTTP_ACCEPT, etc.) to those stored in the DB by the sending script (in the record matching the shared session ID).
Some of the headers to consider are in this list of ServerVariables:
http://msdn.microsoft.com/library/en...rvariables.asp


Thanks.

S
Jul 19 '05 #7
"Stephanie Stowe" wrote:
http://www.devx.com/dbzone/Article/10167


I am not at liberty to do this as I do not have SQL Server. We use
DB2 on the iSeries. More in a new post this am.


The GUID suggestion was merely one way of creating an "unguessable" session
id. You don't need SQL Server to create one:

[JScript example]
Server.CreateObject("Scriptlet.TypeLib").GUID.replace(/[{}]/g,"")
(The object has a .GUID string property)

You certainly can implement your own, for that matter. For example, you
could randomly generate a string of digits and check your db for uniqueness.

How many digits would suffice? Suppose you use the GUID as an example of a
sufficient space. There are (2^8)^16 (or
3.4028236692093846346337460743177e+38) possible values. Using just the
characters [0-9], you would need 38.53 characters to cover the same range of
values. Using [A-Z], you would need 27.23 characters. Combining them,
[A-Z0-9] requires strings of length 24.76, [a-zA-Z] needs 22.45, [A-Za-z0-9]
needs 21.50 characters.

Obviously, there is no such thing as a string of length 38.53. But by
choosing 39 character strings of [0-9], you guarantee a space at least as
large as the GUID space. Does that seem like long strings? Consider that it
takes 32 hex characters to express a 16-byte GUID value.

Some of the same pitfalls apply to self-generated session ids as to GUIDs,
BTW. Their length makes them poor primary keys, for example.

For what it's worth, script-based random number generation is not exactly
random.
--
Dave Anderson

Jul 19 '05 #8
You can create a GUID in an ASP script using the scripting.typelib object. I
don't have the exact code handy but it should be on some of the ASP sites.

One thing to note however is that a GUID is built according to specific
rules so it is not "unguessable". It is very unlikely to be guessed however.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
Jul 19 '05 #9
"Mark Schupp" wrote:

One thing to note however is that a GUID is built according to
specific rules so it is not "unguessable". It is very unlikely
to be guessed however.


I would think the ability to guess it would be considerably easier if the
MAC address used to generate it is known. So here's a challenge -- tell me
the MAC Address that generated this GUID:

89C9B0FE-2EDE-4BA9-96F0-84C629EA1146
--
Dave Anderson

Jul 19 '05 #10
Under the DCE UUID definition it should be 84C629EA1146 (see
http://www.dsps.net/uuid.html).

Microsoft has its own variation of UUID. I am not sure what the specific
differences are so I don't know if MAC address is in the same place.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
Jul 19 '05 #11
"Mark Schupp" wrote:
...here's a challenge -- tell me the MAC Address that generated
this GUID:

89C9B0FE-2EDE-4BA9-96F0-84C629EA1146
Under the DCE UUID definition it should be 84C629EA1146


And yet it is not. MS doesn't appear to embed it outright -- a
transformation of some sort is clearly applied here. Perhaps a bitwise XOR
with the random portion? The same machine generated the following succession
of GUIDs:

570EB1DA-EDDE-4475-85EE-BF86C8DA2B61
298730AB-6CB9-401C-8F83-5FB72AFB65CD
A714E370-7264-4713-8305-6234DA1B53A8
25EE1445-1403-420B-8511-0E90125217DD
0F5F02F0-F94E-4993-8671-C265D81C0E26
71276388-084E-46F0-B1C8-E2C2A120AD42
C0108E13-F4BE-4B8C-85E3-D914147685A0
F7490249-5194-420F-8540-02A21E29D150
3DC1A614-8244-4D89-B4C6-9D96ACB229EC
8B3327AC-3BE1-492C-810E-8DD57785630F

(see http://www.dsps.net/uuid.html).

Microsoft has its own variation of UUID. I am not sure what the
specific differences are so I don't know if MAC address is in
the same place.


That's a good question.
--
Dave Anderson

Jul 19 '05 #12
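
The fields the last few posts are arguing about can simply be read off the GUID text, which this added example does (Node.js, not code from the thread). Under RFC 4122 the first hex digit of the third group is the version and the first hex digit of the fourth group holds the variant. Every GUID posted above has a 4 there and an 8, 9, A or B in the fourth group: they are version-4 UUIDs, which are 122 random bits with no node field at all, so no transformation of a MAC address is involved and the last group is random. Only version-1 UUIDs carry a node field, and RFC 4122 flags a random (non-MAC) node by setting its multicast bit. The two extra inputs are well-known constants: the RFC 4122 DNS namespace UUID (version 1, node 00:c0:4f:d4:30:c8) and COM's IID_IUnknown, which uses the older Microsoft variant. A guesser's advantage against version 1 is not only the MAC, by the way: the timestamp and clock sequence are predictable too.

```javascript
// Added example, not code from the thread. Node.js: `node uuid-fields.js`.

// GUIDs posted in the thread (list constructed from the messages above).
const THREAD_GUIDS = [
  '89C9B0FE-2EDE-4BA9-96F0-84C629EA1146',
  '570EB1DA-EDDE-4475-85EE-BF86C8DA2B61',
  '298730AB-6CB9-401C-8F83-5FB72AFB65CD',
  'A714E370-7264-4713-8305-6234DA1B53A8',
  '25EE1445-1403-420B-8511-0E90125217DD',
  '0F5F02F0-F94E-4993-8671-C265D81C0E26',
  '71276388-084E-46F0-B1C8-E2C2A120AD42',
  'C0108E13-F4BE-4B8C-85E3-D914147685A0',
  'F7490249-5194-420F-8540-02A21E29D150',
  '3DC1A614-8244-4D89-B4C6-9D96ACB229EC',
  '8B3327AC-3BE1-492C-810E-8DD57785630F',
];

// Parse the textual form (braces optional, as Scriptlet.TypeLib emits them)
// and decode the RFC 4122 version and variant fields.
function parseUuid(text) {
  const m = /^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$/i
    .exec(String(text).trim());
  if (!m) throw new Error(`not a UUID: ${text}`);
  const hex = m.slice(1).join('').toLowerCase(); // 32 hex digits, 128 bits

  // Variant: top bits of clock_seq_hi_and_reserved (hex digit 16).
  const v = parseInt(hex[16], 16);
  let variant;
  if ((v & 0x8) === 0) variant = 'NCS';            // 0xxx: pre-RFC Apollo NCS
  else if ((v & 0xc) === 0x8) variant = 'RFC4122'; // 10xx
  else if ((v & 0xe) === 0xc) variant = 'Microsoft'; // 110x: legacy COM GUIDs
  else variant = 'reserved';                       // 111x

  // Version: top nibble of time_hi_and_version; only meaningful for RFC 4122.
  const version = variant === 'RFC4122' ? parseInt(hex[12], 16) : null;

  const node = hex.slice(20); // last 48 bits
  // RFC 4122: a randomly chosen node has its multicast bit set, a real MAC does not.
  const multicast = (parseInt(node.slice(0, 2), 16) & 0x01) === 1;
  const macAddress =
    variant === 'RFC4122' && version === 1 && !multicast ? node.match(/../g).join(':') : null;
  const randomBits = variant === 'RFC4122' && version === 4 ? 122 : null;

  return { version, variant, node, macAddress, randomBits };
}

// Count the versions present in a list of GUIDs.
function summarize(list) {
  const byVersion = {};
  for (const g of list) {
    const { version } = parseUuid(g);
    byVersion[version] = (byVersion[version] || 0) + 1;
  }
  return byVersion;
}

// RFC 4122 DNS namespace UUID (version 1, with a genuine node field).
const RFC4122_NS_DNS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8';
// COM's IID_IUnknown: older Microsoft variant, no RFC version field.
const IID_IUNKNOWN = '{00000000-0000-0000-C000-000000000046}';

console.log(summarize(THREAD_GUIDS)); // { '4': 11 }
console.log(parseUuid(THREAD_GUIDS[0]));
console.log(parseUuid(RFC4122_NS_DNS));
console.log(parseUuid(IID_IUNKNOWN));
```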
