alfonsodg / demo-web2py

Apache License 2.0

Add protection mechanism against cookies manipulation and parameter manipulation #196

Closed alfonsodg closed 10 years ago

alfonsodg commented 10 years ago

From vitali....@geniestills.com on February 18, 2011 07:33:32

What version of the product are you using? On what operating system?
web2py 1.92

Please provide any additional information below.
See http://www.acunetix.com/vulnerabilities/Cookie-manipulation.htm for cookies manipulation. See http://www.cgisecurity.com/owasp/html/ch11s04.html for parameter manipulation.

What can solve the problem? The following are recommendations and provided only as a context idea.

Parameter manipulation:

  1. Add support for automatic encryption on custom parameters passed through HTTP. Make the key to be dynamically created per session.

Cookies manipulation:

  2. Disallow web2py from relying only on the UUID for authorization.

Original issue: http://code.google.com/p/web2py/issues/detail?id=198

alfonsodg commented 10 years ago

From massimo....@gmail.com on November 03, 2011 11:19:59

I need a more concrete proposal with a patch. Yet now web2py has a per_session uuid that is used for optional digital signature of URLs.

Status: Invalid
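The thread's two sides meet on one mechanism: the reporter asks for per-session protection of custom HTTP parameters, and the reply points out that web2py already keeps a per-session uuid that can be used to digitally sign URLs. The following stand-alone Python is an added illustration of that mechanism (an HMAC over the query parameters keyed by a secret that exists only in the server-side session), written for this page and not web2py's own implementation; the function names `sign_query`, `verify_query` and `new_session_key`, and the `_signature` parameter name, are assumptions made here. web2py's own API for the same idea is `URL(..., user_signature=True)` checked with `URL.verify()` or the `@auth.requires_signature()` decorator.

```python
"""Signed URL query parameters with a per-session secret.

Added example for the discussion above; not web2py's code. A request
whose parameters were edited after the URL was generated, or a URL
replayed under a different session, fails verification because the
signing key never leaves the server-side session.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Name of the query parameter that carries the signature (assumed name).
SIGNATURE_KEY = "_signature"


def new_session_key() -> bytes:
    """Create a fresh per-session secret; a real app stores it in the session."""
    return secrets.token_bytes(32)


def _canonical(params: dict) -> str:
    """Order-independent encoding of the protected parameters.

    Sorting makes the signature independent of parameter order, so a
    reordered but otherwise identical query still verifies.
    """
    return urlencode(sorted((k, str(v)) for k, v in params.items()))


def sign_query(params: dict, session_key: bytes) -> str:
    """Return a query string carrying `params` plus an HMAC-SHA256 over them."""
    if SIGNATURE_KEY in params:
        raise ValueError("reserved parameter name: " + SIGNATURE_KEY)
    canonical = _canonical(params)
    sig = hmac.new(session_key, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&" + urlencode({SIGNATURE_KEY: sig})


def verify_query(query: str, session_key: bytes):
    """Return the parameters as a dict if the signature is valid, else None.

    The comparison is constant-time so a forger learns nothing from timing.
    """
    pairs = dict(parse_qsl(query, keep_blank_values=True))
    presented = pairs.pop(SIGNATURE_KEY, None)
    if presented is None:
        return None  # unsigned request: reject rather than trust the values
    expected = hmac.new(session_key, _canonical(pairs).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return None
    return pairs


def demo() -> dict:
    """Run the happy path and the three failure modes; returns the outcomes."""
    key = new_session_key()
    query = sign_query({"id": 42, "role": "user"}, key)  # constructed sample
    return {
        "intact": verify_query(query, key),
        "tampered": verify_query(query.replace("role=user", "role=admin"), key),
        "other_session": verify_query(query, new_session_key()),
        "unsigned": verify_query("id=42&role=user", key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Only the intact query yields parameters; the edited, replayed and unsigned variants all come back as `None`, which is the behaviour the reporter's first recommendation asks for. Signing rather than encrypting keeps the values readable in the URL, which is enough to stop manipulation; encryption would additionally be needed only if the values themselves were confidential.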