The UNIX and Linux Forums  
Proxy Caches are a Challenging Threat to Internet Security

Tim Bass
10-05-2008 03:41 AM
Proxy caches, combined with poorly written session management code, can easily lead to serious security flaws similar to the one we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write, and their admin teams have configuration control of their web servers. Developers must therefore assume the worst-case scenario: aggressive cache management policies on the Internet that serve cached data for economic and performance reasons.

As a consequence, this fact of life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers. A caching proxy should obtain a fresh cookie from the origin server for each new client request. Ideally, proxy caches would never cache session management cookies, let alone distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that HTTP responses will be delivered only to the intended browser, or that the intended browser even receives the intended content. For example, a session ID issued to a client is used while it is valid, or until it is abandoned and expires. If it is served in response to an unencrypted HTTP GET request, there is no guarantee it will be consumed only by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including the Google Docs case we recently discussed. On the other hand, even SSL is not foolproof. For example, many web developers do not set the “Encrypted Sessions Only” cookie property (the Secure cookie attribute). On these incorrectly configured “secure” servers, a cookie issued over HTTPS will be sent back by the browser over plain HTTP as well, in the open and unencrypted.

There be dragons …


Note: Reposted from the (ISC)2 blog.
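The two failure modes the post describes (a shared cache replaying one client's Set-Cookie to another, and a session cookie that lacks the Secure attribute and so travels over plain HTTP) are easy to reproduce in a small model. The following Python is an added example, not code from Tim Bass's post or the (ISC)2 blog: the origin server, shared cache and browser are simplified stand-ins, the hostname `app.example` and the `/login` path are constructed, and the cache is assumed to honour only what every shared cache must honour (`Cache-Control: no-store` and `private`) while storing anything else. The weak origin sends a session cookie with no cache directives and no Secure flag; the hardened origin sends `Cache-Control: no-store, private` and `Secure; HttpOnly; SameSite=Lax`.

```python
import secrets
from dataclasses import dataclass

# Added example (not from the original post). Origin, cache and browser below are
# simplified models; the hostname and path in simulate() are constructed.


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def parse_cache_control(value):
    """Split 'no-store, max-age=0' into {'no-store': True, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives


def shared_cache_may_store(resp):
    """Shared-cache storage decision. Only no-store and private are honoured
    (the minimum RFC 7234 obliges a shared cache to respect); a 200 response
    without them is stored regardless of Set-Cookie. That aggressive policy is
    the worst case the post tells developers to assume (model assumption)."""
    if resp.status != 200:
        return False
    cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
    return not ("no-store" in cc or "private" in cc)


class SharedCache:
    """Minimal forward proxy cache keyed by URL, shared by all clients."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url):
        """Return (response, served_from_cache)."""
        if url in self.store:
            return self.store[url], True
        resp = self.origin(url)
        if shared_cache_may_store(resp):
            self.store[url] = resp
        return resp, False


def session_cookie(sid, hardened):
    """Set-Cookie value for a session ID; hardened adds Secure/HttpOnly/SameSite."""
    attrs = ["sid=" + sid, "Path=/"]
    if hardened:
        attrs += ["Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(attrs)


def make_origin(hardened):
    """Origin that mints a fresh session per request. hardened=False is the weak
    pattern: Set-Cookie with no Cache-Control and no Secure attribute."""

    def origin(url):
        headers = {"Set-Cookie": session_cookie(secrets.token_hex(16), hardened)}
        if hardened:
            headers["Cache-Control"] = "no-store, private"
        return Response(200, headers, "welcome")

    return origin


def cookie_attributes(set_cookie_value):
    """Return (session id, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    sid = parts[0].split("=", 1)[1]
    return sid, {a.split("=", 1)[0].lower() for a in parts[1:]}


def browser_sends_over(attrs, scheme):
    """A user agent sends a cookie on plain http:// unless Secure is set (RFC 6265)."""
    return scheme == "https" or "secure" not in attrs


def simulate(hardened):
    """Two clients fetch the login page through one shared cache.
    Returns (second client got first client's session id, cookie leaks over http)."""
    cache = SharedCache(make_origin(hardened))
    url = "https://app.example/login"  # constructed
    resp_a, _ = cache.get(url)
    resp_b, _ = cache.get(url)
    sid_a, attrs = cookie_attributes(resp_a.headers["Set-Cookie"])
    sid_b, _ = cookie_attributes(resp_b.headers["Set-Cookie"])
    return sid_a == sid_b, browser_sends_over(attrs, "http")


if __name__ == "__main__":
    print("weak origin   (shared session, http leak):", simulate(False))
    print("hardened origin (shared session, http leak):", simulate(True))
```

The weak origin yields `(True, True)`: the cache stores the first login response and replays it, so the second client receives the first client's session ID, and the browser will also send that cookie on any plain HTTP request to the host. The hardened origin yields `(False, False)`. Note that the fix is entirely on the developer's side, as the post argues: correct `Cache-Control` and cookie attributes, not trust in the proxy.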