NEW LISTINGS 
HOT LISTINGS
TOP RATED
EDITOR PICK
ADD A LISTING
UPDATE A LISTING
GET RATED
UPGRADE A LISTING
HOT LISTINGS
TOP RATED
EDITOR PICK
ADD A LISTING
UPDATE A LISTING
GET RATED
UPGRADE A LISTING
Netscape Cookie Specification
6255
Netscape Cookie Specification
http://www.nihongo.org/snowhare/utilities/triple_dot/
While reading the Netscape Cookie Specification on May 6th, 1998 it occured to me that there was a vulnerabilty in their specification. By exploiting the fact that a domain with a trailing dot ('.') character is the same domain as the fully qualified domain name, and thinking recursively about their 'two dot' and 'three dot' domain sharing rules, I asked myself, what if they implemented simply dot counting without checking that there are in fact names in between the dots? In other words, would a domain name with multiple trailing dot characters be able to evade the 'two dot/three dot' limits on who they can share cookies with?
CGI and Perl > Scripts and Programs > Development Tools > Cookies
Oct 10, 2006
Write a Review
Add to My Favorite
Refer it to Friend
Report Broken Link
| |
|
||
| Bookmark Netscape Cookie Specification: |
|||
Other links at CGI and Perl > Scripts and Programs > Development Tools > Cookies
State of mind
Since http is a stateless protocol, meaning each transaction is distinct and there is no memory from one to the next, tracking a browser through a site can be difficult at best. A user could visit a site, leave, and come back a day or a minute later, possibly from a different IP address. The site maintainer previously had no way of knowing if this was the same browser or not.
Since http is a stateless protocol, meaning each transaction is distinct and there is no memory from one to the next, tracking a browser through a site can be difficult at best. A user could visit a site, leave, and come back a day or a minute later, possibly from a different IP address. The site maintainer previously had no way of knowing if this was the same browser or not.
Category:
While reading the Netscape Cookie Specification on May 6th, 1998 it occured to me that there was a vulnerabilty in their specification. By exploiting the fact that a domain with a trailing dot ('.') character is the same domain as the fully qualified domain name, and thinking recursively about their 'two dot' and 'three dot' domain sharing rules, I asked myself, what if they implemented simply dot counting without checking that there are in fact names in between the dots? In other words, would a domain name with multiple trailing dot characters be able to evade the 'two dot/three dot' limits on who they can share cookies with?
Category:
This script demonstrates handling input to CGI scripts in a convenient and consistent way. All of the Form, URL, and Cookie input is processed and placed into an array. To send information to this script, use one of the following methods:
Category:
Main Category
185
2034
798
286
174
1802
1128
909
1160
7383
70
904
59
2198
173
Join Mailing List
Joining mailing list will entitle you
to receive occasional emails informing you of news and
updates to the site and any special offers that may be
of interest to you.
Top 10
Directory Statistics
Links: 19243
Categories: 1275
Registered Users: 728
Mailing List Subscribers: 2043
Unique Outgoing Hits: 227958
Pagerank Statistics
PHP News