Tons of Cookie Alerts
Been using PHPIDS for a while now. Had a few questions regarding some of the alerts I was getting and am finally taking the plunge to be less of a lurker. Anyway, I often get tons of alerts and the only thing it seems to hit on is something in the cookie. Searched around and wasn't able to find much here. The request content looks just like a standard HTTP call. Here's an example cookie field that gets tripped.
Affected tags: xss csrf id rfe
Affected parameters: COOKIE.zz-settings-8=m0%3Do%26m1%3Do%26m2%3Dc%26m3%3Dc%26m4%3Do%26m5%3Dc%26m6%3Do%26m7%3Dc%26editor%3Dtinymce%26m8%3Dc%26m9%3Dc%26hidetb%3D1%26cats%3Dpop%26align%3Dright%26urlbutton%3Dnone%26uploader%3D1,
Request URI: /2011/11/28/post-title/
I really don't see anything that threatening with these types of things and was thinking of adding in an exception for all cookies. Is this advisable? Is there anything serious someone could do with some fancy in-cookie content?
Here's another example...
Affected tags: xss csrf id sqli lfi
Affected parameters: COOKIE.CFGLOBALS=urltoken%3DCFID%23%3D40096630%26CFTOKEN%23%3D21017658%23lastvisit%3D%7Bts+%5C%272011-08-01+14%3A15%3A38%5C%27%7D%23timecreated%3D%7Bts+%5C%272011-08-01+14%3A15%3A15%5C%27%7D%23hitcount%3D4%23cftoken%3D21017658%23cfid%3D40096630%23,
Request URI: %2Fresources%2Fpodcasts%2F
Again doesn't seem like anything bad ... yet this time an impact of 21...
Just checking in on this again... Anyone?
If your application doesn't use those Cold Fusion cookies, I'd suggest simply ignoring them via PHPIDS config. Assuming your app is written in PHP and not CF it shouldn't be of any harm.
Great, thanks for the input!
Also any thoughts on the zz-settings cookie? I searched around but nothing came up except for a link to this thread.
I have no idea what those are - probably app specific. I can't give any recommendation on what to do with those detection wise - not sure how they are being used ;)
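
Added example, not part of the original thread: a Python helper that URL-decodes the two flagged cookie values so they can be read, then emits exact-name entries in the `exceptions[]` format of the PHPIDS sample config only for cookies confirmed unused by the application, instead of a blanket cookie exception. The function names and the `UNUSED_BY_APP` set are assumptions made for this illustration; check the entry format against your installed PHPIDS version.

```python
from urllib.parse import unquote_plus

# Alert lines from the posts above, with the forum's wrapping spaces removed.
ALERTS = [
    "Affected parameters: COOKIE.zz-settings-8=m0%3Do%26m1%3Do%26m2%3Dc%26m3%3Dc"
    "%26m4%3Do%26m5%3Dc%26m6%3Do%26m7%3Dc%26editor%3Dtinymce%26m8%3Dc%26m9%3Dc"
    "%26hidetb%3D1%26cats%3Dpop%26align%3Dright%26urlbutton%3Dnone%26uploader%3D1,",
    "Affected parameters: COOKIE.CFGLOBALS=urltoken%3DCFID%23%3D40096630%26CFTOKEN"
    "%23%3D21017658%23lastvisit%3D%7Bts+%5C%272011-08-01+14%3A15%3A38%5C%27%7D"
    "%23timecreated%3D%7Bts+%5C%272011-08-01+14%3A15%3A15%5C%27%7D%23hitcount%3D4"
    "%23cftoken%3D21017658%23cfid%3D40096630%23,",
]

# Assumption: the operator has confirmed the application never reads these cookies.
# zz-settings-8 is left out because its purpose is unknown, so it stays monitored.
UNUSED_BY_APP = {"COOKIE.CFGLOBALS"}


def parse_alert(line):
    """Return (parameter key, URL-decoded value) for one 'Affected parameters' line."""
    body = line.split(":", 1)[1].strip().rstrip(",")
    key, _, raw = body.partition("=")
    return key, unquote_plus(raw)


def exception_lines(alerts, unused):
    """Build exact-name exceptions[] entries, only for parameters marked unused."""
    keys = sorted({parse_alert(a)[0] for a in alerts})
    return [f"exceptions[] = {k}" for k in keys if k in unused]


if __name__ == "__main__":
    for alert in ALERTS:
        key, value = parse_alert(alert)
        print(f"{key}\n  decoded: {value}")
    print("\n".join(exception_lines(ALERTS, UNUSED_BY_APP)))
```
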