[Seaside-dev] RE: Rekeying Sessions

Boris Popov boris at deepcovelabs.com
Wed Mar 18 16:43:47 UTC 2009


That _is_ funny. Technically you can do autocomplete="off" in source as most browsers now support it, but that throws off validators, so I much prefer using javascript for crap like that...

As part of our compliance, our auditors will be performing comprehensive pen testing of our applications on an annual basis, so I'll make sure to keep everyone in the loop as far as any new discoveries down the road that might be Seaside related.

Cheers!

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header. Unless otherwise indicated, it contains information that is private and confidential. If you have received it in error, please notify the sender and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of Julian Fitzell
Sent: Wednesday, March 18, 2009 9:40 AM
To: Seaside - developer list
Subject: Re: [Seaside-dev] RE: Rekeying Sessions

Thanks Boris, that's interesting to know. Amusingly, I just (like 3 minutes ago) paid the invoice to renew my domain name and was cursing the fact that the form was autocompleting every single piece of my credit card information. It occurred to me that some forms didn't seem to do this while others did and I wondered how the heck that was done.
So very good timing on your post. This is why I love open source! :)

Julian

On Wed, Mar 18, 2009 at 4:30 PM, Boris Popov <boris at deepcovelabs.com> wrote:
> Julian,
>
> Most certainly, there's really nothing in there that isn't generally 
> known to Seaside folks already. There really were only 3.5 issues 
> raised,
>
> 1. Session ID Stored in URL (Medium)
>   1.5 Use 'Secure' and 'HttpOnly' When Switching to Cookies (Medium)
> 2. Session Fixation (Low)
> 3. Autocomplete Not Disabled (Low)
>
> First one is simple, we just need to make use of cookies, but there's some work involved in making sure our flash components continue functioning properly. Once cookies are used, we need to make sure we set Secure and HttpOnly attributes, sounds like that's addressed in 2.9, which is great.
>
> Second one I've emailed about earlier (session rekeying), thanks for making note of it, I think it is a very useful pattern for any application that does user authentication, cookies or not.
>
> Third is just something that we need to do to some of our sensitive 
> fields, i.e. account number fields etc. The way we do it is with the 
> following,
>
> window.addEvent("domready", function() {
>  // disable auto-complete for sensitive fields
>  $$('.noautocomplete').setProperty('autocomplete','off');
> });
>
> WAFormInputTag>>noautocomplete
>  "tag the field so the domready hook above switches autocomplete off"
>  self class: 'noautocomplete'.
>
> (html textInput)
>  noautocomplete;
>  value: self auth;
>  callback: [:v | self auth: v].
>
> Hope this helps,
>
> -Boris
>
> -----Original Message-----
> From: seaside-dev-bounces at lists.squeakfoundation.org 
> [mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of 
> Julian Fitzell
> Sent: Wednesday, March 18, 2009 1:51 AM
> To: Seaside - developer list
> Subject: Re: [Seaside-dev] RE: Rekeying Sessions
>
> Hi Boris,
>
> Thanks for the suggestion. I filed
> http://code.google.com/p/seaside/issues/detail?id=368 for this. There are a handful of security-related feature requests relating to sessions and cookies in there at the moment.
>
> I understand you might not want to share details, particularly before you have addressed the issues, but I'm sure we would all be interested to hear, even in general terms, what other kinds of issues were raised in your audit. So if at any point you feel you are able to share more (even off-list if need be) that would be very interesting.
>
> Cheers,
>
> Julian
>
> On Wed, Mar 18, 2009 at 12:24 AM, Boris Popov <boris at deepcovelabs.com> wrote:
>> It looks like the following is needed when using cookies,
>>
>> rekey
>>  self application changeKeyForHandler: self.
>>  self useSessionCookie
>>   ifTrue: [self redirectWithCookie: self sessionCookie].
>>
>> -Boris
>>
>> -----Original Message-----
>> From: Boris Popov
>> Sent: Tuesday, March 17, 2009 3:18 PM
>> To: 'seaside-dev at lists.squeakfoundation.org'
>> Subject: Rekeying Sessions
>>
>> Hey,
>>
>> Our auditors had recently completed comprehensive penetration testing 
>> of our Seaside-based applications and one of the medium-priority 
>> recommendations they had was to issue a different session id after 
>> login (see attached comments). It later became "low priority" when we 
>> demonstrated that the attacker's source IP needed to match because we 
>> used session protector.
>>
>> Here's a snippet for 2.8 that appears to do the trick (not very well 
>> tested yet), but I thought this might be worth including in base for 
>> 2.9?
>>
>> WASession>>rekey
>>  self application changeKeyForHandler: self.
>>
>> WARegistry>>changeKeyForHandler: anObject
>>  self mutex critical: [
>>   (keysByHandler at: anObject ifAbsent: [nil]) ifNotNil: [:key |
>>    keysByHandler removeKey: anObject.
>>    handlersByKey removeKey: key]].
>>  ^self ensureKeyForHandler: anObject.
>>
>> This all comes together in a task,
>>
>> LoginTask>>go
>>  login := Login new.
>>  [self login] whileFalse.
>>  "new session id once authenticated, so the pre-login id no longer resolves"
>>  self session rekey.
>>  self call: menu.
>>
>> Hope this helps,
>>
>> -Boris
>>
>>
_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
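The rekeying pattern from Boris's original post, worked through in Python as an added example (not Seaside code): a two-way registry modelled on WARegistry's handlersByKey / keysByHandler, a change_key_for that mirrors changeKeyForHandler:, and a login step that rekeys before continuing as LoginTask>>go does. The Session class, the credential check and the cookie name _s are constructed stand-ins; the point shown is that the pre-login id stops resolving while the same session object lives on under a fresh key.

```python
import secrets
import threading

class Session:
    def __init__(self):
        self.user = None  # constructed stand-in for WASession state

class SessionRegistry:
    """Two-way key <-> session map under one lock, modelled on WARegistry's
    handlersByKey / keysByHandler guarded by its mutex."""
    def __init__(self):
        self._lock = threading.Lock()
        self.handlers_by_key = {}   # key -> Session
        self.keys_by_handler = {}   # Session -> key

    def _mint(self, session):
        # Caller holds the lock. Fresh, unguessable key for this session.
        key = secrets.token_urlsafe(24)
        self.keys_by_handler[session] = key
        self.handlers_by_key[key] = session
        return key

    def ensure_key_for(self, session):
        """Return the session's current key, minting one if it has none."""
        with self._lock:
            return self.keys_by_handler.get(session) or self._mint(session)

    def change_key_for(self, session):
        """Rekey: forget the old key and mint a new one for the same session, in one
        critical section so no request can observe a half-updated map."""
        with self._lock:
            old = self.keys_by_handler.pop(session, None)
            if old is not None:
                del self.handlers_by_key[old]
            return self._mint(session)

    def lookup(self, key):
        return self.handlers_by_key.get(key)  # a rekeyed-away id yields None

def session_cookie(key):
    """Set-Cookie to resend after rekeying: Secure + HttpOnly (finding 1.5); the
    cookie name _s is a constructed placeholder."""
    return f"_s={key}; Path=/; Secure; HttpOnly"

def login(registry, session, username, password):
    """Authenticate, then rekey before continuing, as LoginTask>>go does."""
    if password != "constructed-demo-password":  # stand-in for the real check
        return None
    session.user = username
    return registry.change_key_for(session)
```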

