[WEB SECURITY] Additional cookies in client requests

Colin Watson colin at watsonhall.com
Mon Jun 28 05:22:12 EDT 2010


Thank you Achim, Lava and YGN Ethical Hacker Group for your ideas and recommendations.

I can confirm the cookies are not required by any applications on the server, there are no third-party add-ons in the application, and they are only present in a very small proportion of requests.  The application has already undergone hardening (which is why these extra cookies were being alerted) but I will revisit this to check especially the potential for session fixation.

Further to your ideas, I have decided not to change any action on the receipt of additional cookies, nor to try to delete them, change them or alter the response.  But being wary that these might be indicators of probing or attacks, I will carefully log the requests and analyse them further once I have a greater sample.

Best regards

Colin Watson
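One way to implement the "log but do not alter" approach described in the post, as an added example that is not Colin's code or the server's own: the allowlist of expected cookie names, the client address and the request paths are assumptions for illustration.

```python
"""Flag and log requests carrying cookies the application never issued.

Added example (not from the original post): parse the Cookie header,
compare names against an allowlist, and return a structured log record
for later analysis. The request itself is left unchanged.
"""
import hashlib
import json
import logging
from typing import Dict, List, Optional, Tuple

# Assumed allowlist: the cookie names this application actually sets.
EXPECTED_COOKIES = {"JSESSIONID", "csrf_token", "lang"}

logger = logging.getLogger("unexpected_cookies")


def parse_cookie_header(header: str) -> List[Tuple[str, Optional[str]]]:
    """Split a Cookie header into (name, value) pairs. Duplicates and
    malformed entries (a bare token with no '=') are kept, value=None,
    because both are worth seeing when hunting for probes."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def audit_cookies(cookie_header: Optional[str], client_ip: str,
                  path: str) -> Optional[Dict]:
    """Return a log record if the request carries cookies outside the
    allowlist (or malformed ones), else None. Values are stored as length
    plus a SHA-256 prefix so repeated probes can be correlated without
    writing raw, possibly sensitive, values to the log."""
    if not cookie_header:
        return None
    unexpected = []
    for name, value in parse_cookie_header(cookie_header):
        if name in EXPECTED_COOKIES and value is not None:
            continue  # a cookie we issued, well-formed: nothing to report
        digest = hashlib.sha256((value or "").encode()).hexdigest()[:12]
        unexpected.append({"name": name, "len": len(value or ""),
                           "sha256_12": digest, "malformed": value is None})
    if not unexpected:
        return None
    record = {"client_ip": client_ip, "path": path, "unexpected": unexpected}
    logger.warning(json.dumps(record))  # one JSON line per flagged request
    return record
```

Hooking `audit_cookies` into the request pipeline before normal handling gives a sample of flagged requests to review once enough have accumulated.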
