
Re: Passing data between frames

From: Mark Reardon <riscorp(at)mindspring.com>
Date: Fri Mar 28 2003 - 17:44:16 EST


Being on the same server means you can use an opaque handle that translates to a file or database entry with the sensitive information. The real question is then how to pass the handle through the browser and ensure it isn't 'forged'.

I use large handles (512 bit or larger) and I encrypt them using a hash of the browser ID and high byte of the source IP address. I then place the handle in a cookie. I then add it to a table, and place the table index into a cookie. The table also has either the information being passed or a pointer to it.

When I pull the cookies, I recreate the key, decrypt the cookie thus getting the handle. If the index into the table shows a different handle value, I throw the whole thing away, remove the table entry, and log the attempt.

If it matches, then I know the only major vulnerability is the stealing of cookies. To narrow that window, table entries are timed (short) and only available once. If I need to do it multiple times (such as a session), I create a new handle and do it again. That makes it so the same cookie pair will cause a flush and alert.

Good luck,

Mark

-------Original Message-------
From: Chris Neil <Chris.Neil@abs-ltd.com>
Sent: 03/28/03 05:33 AM
To: "'webappsec@securityfocus.com'" <webappsec@securityfocus.com>
Subject: Passing data between frames


What would people recommend as the best way to pass sensitive data between frames? The frames are separate web sites hosted on the same machine.


(if it matters it's IIS)

Chris Neil
  Security Officer
  Chris.Neil@abs-ltd.com



ABS
  http://www.abs-ltd.com/
  Tel: +44 (0) 1993 771221
  Fax: +44 (0) 1993 775081




Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell

Received on Fri Mar 28 17:50:51 2003
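The handle-and-table scheme Mark describes, written out as an added example that is not code from the post or from either company. It assumes an HMAC binding tag in place of his encryption step (same purpose: the handle cookie only validates for the browser ID and IP it was issued to), reads "high byte" as the first octet of a dotted-quad address, and uses constructed cookie names `h` and `i` and an in-memory dict for his table.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for Mark's server-side table: index -> (handle, payload, expiry).
TABLE = {}
ALERTS = []          # rejected attempts, logged as the post describes
TTL_SECONDS = 30     # short lifetime, per the post

def client_key(browser_id, src_ip):
    """Key from a hash of the browser ID and the high (first) octet of the source IP."""
    high_byte = src_ip.split(".")[0]                       # assumption: first octet
    return hashlib.sha256(f"{browser_id}|{high_byte}".encode()).digest()

def issue(payload, browser_id, src_ip, now=None):
    """Mint a 512-bit handle, store it once with the payload, return the cookie pair."""
    now = time.time() if now is None else now
    handle = secrets.token_bytes(64)                       # 512-bit opaque handle
    index = secrets.token_hex(8)                           # value for the table-index cookie
    TABLE[index] = (handle, payload, now + TTL_SECONDS)
    tag = hmac.new(client_key(browser_id, src_ip), handle, hashlib.sha256).digest()
    return {"h": (handle + tag).hex(), "i": index}         # handle || client-binding tag

def redeem(cookies, browser_id, src_ip, now=None):
    """Validate the pair: any mismatch flushes the entry, logs, and returns None."""
    now = time.time() if now is None else now
    index = cookies.get("i")
    entry = TABLE.pop(index, None)                         # single use: removed either way
    if entry is None:
        ALERTS.append(("unknown-index", index))            # replay of a used pair lands here
        return None
    handle, payload, expiry = entry
    try:
        raw = bytes.fromhex(cookies.get("h", ""))
    except ValueError:
        raw = b""
    presented, tag = raw[:64], raw[64:]
    expected = hmac.new(client_key(browser_id, src_ip), presented, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected) or not hmac.compare_digest(presented, handle):
        ALERTS.append(("handle-mismatch", index))          # forged or wrong-client cookie
        return None
    if now > expiry:
        ALERTS.append(("expired", index))
        return None
    return payload
```

Because `TABLE.pop` runs before any comparison, a stolen cookie pair presented after the legitimate use is rejected and logged rather than honoured, which is the flush-and-alert behaviour the post relies on.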

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

