On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing a
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or configuration is required, and hence, corporate
> users can use pretty much any computer they can put their hands on.
>
> - Application cookies set by other applications. If passed to the
> browser (as some SSL VPNs do), these cookies are separated by the use
> of the "path" parameter alone, which does not necessarily establish a
> browser security domain boundary. This is equivalent to the attacker
> obtaining user credentials to these applications.
>

Yes, the path field (in Set-Cookie) doesn't buy you much; see a detailed discussion in "Path Insecurity":
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

-Amit
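The point made above about the cookie path, as an added example that is not part of the thread: a small Python model of RFC 6265 cookie storage and path-matching, showing that Path filters which cookies a browser sends but places no constraint on which path a response may scope a cookie to; the portal hostname, application paths and cookie values are constructed.

```python
# Added example (not from the thread): a minimal model of how a browser stores
# and returns cookies under RFC 6265, showing why Path scopes *sending* but is no
# security boundary between applications sharing one origin (one portal hostname).
from urllib.parse import urlsplit

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def default_path(uri_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path, used when Set-Cookie has no Path."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]

class CookieJar:
    """Cookie store for one host, keyed by (name, path) as a user agent does."""
    def __init__(self) -> None:
        self._store: dict[tuple[str, str], str] = {}

    def receive(self, response_url: str, set_cookie: str) -> None:
        # RFC 6265 section 5.3: the cookie is stored with whatever Path the
        # server sent; nothing requires that Path to cover the response URL.
        attrs = [a.strip() for a in set_cookie.split(";")]
        name, _, value = attrs[0].partition("=")
        path = next((a[5:] for a in attrs[1:] if a.lower().startswith("path=")), "")
        if not path.startswith("/"):
            path = default_path(urlsplit(response_url).path)
        self._store[(name, path)] = value

    def cookies_for(self, request_url: str) -> dict[str, str]:
        req_path = urlsplit(request_url).path
        return {n: v for (n, p), v in self._store.items() if path_matches(req_path, p)}

def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed scenario: two internal apps published under one portal host."""
    jar = CookieJar()
    jar.receive("https://portal.example.test/appA/login", "sid=issued-by-appA; Path=/appA")
    to_app_b = jar.cookies_for("https://portal.example.test/appB/home")  # Path filters sending
    # ...but a response from /appB may set a cookie scoped to /appA and the browser keeps
    # it, replacing appA's value. Only distinct origins (a hostname per app) isolate.
    jar.receive("https://portal.example.test/appB/home", "sid=set-from-appB; Path=/appA")
    to_app_a = jar.cookies_for("https://portal.example.test/appA/home")
    return to_app_b, to_app_a
```

`demo()` returns an empty dict for the /appB request and `{"sid": "set-from-appB"}` for the /appA request, which is the whole of what Path buys you on a shared origin.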