Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Drew Simonis <simonis () myself com>
Date: Tue, 26 Dec 2000 18:13:38 -0500
Mark Curphey wrote:
> IMHO - Hidden Form Fields, isn't that like security by obscurity (maybe I don't understand how they work right)? Sure, you can set the no-cache option in the HTTP header, but doesn't the session status ID (whatever you pass as the form field value) just sit on the client machine, ready to be replayed?
No, the point that Robert was making (which is a good one) is that sometimes the URL, with the appended sessionid, might be logged to another server. In cases where the HTTP_REFERER is logged, hidden fields wouldn't be captured, since they aren't part of the URI. Alas, your point is also valid. Hidden fields are generally no more a secure solution than a GETish URI when used by itself. My earlier point (added to by Philip) is still, IMO, the best bet. Make sure whatever information you use to maintain state is of little use later in life. Your main concerns are not only the danger of a replay attack, but also of information leaks. Both nasty things to have to deal with...
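As an added illustration of the Referer-logging point above (example code, not part of the original thread), here is a small scanner over constructed combined-format access log lines that flags Referer values carrying a session identifier in the query string, the leak that a hidden form field would avoid since POST body data never appears in a Referer. The session parameter names and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string parameter names assumed to carry a session identifier
# (assumption for this example; adjust to the names your application uses).
SESSION_PARAMS = {"sessionid", "sid", "phpsessid"}

# Apache/NCSA "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def session_params_in_url(url):
    """Return the session-carrying query parameters present in a URL.

    A session id sent as a hidden form field travels in the POST body,
    so it never shows up here: only a GET-style URI can leak via Referer.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in query.items() if k.lower() in SESSION_PARAMS}

def referer_leaks(log_lines):
    """Scan combined-format access log lines and report every entry whose
    Referer header delivered a session id into this log (the referring
    site's users leaked their tokens to whoever can read these lines)."""
    findings = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue
        leaked = session_params_in_url(m["referer"])
        if leaked:
            findings.append({
                "client": m["host"],
                "referer_host": urlsplit(m["referer"]).netloc,
                "params": sorted(leaked),
            })
    return findings

# Constructed sample log lines: one Referer with a session id in the query
# string, one Referer without a query string, and one request with no Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Dec/2000:18:13:38 -0500] "GET /img/logo.gif HTTP/1.0" 200 1234 '
    '"http://shop.example/cart.cgi?sessionid=abc123&item=7" "Mozilla/4.0"',
    '10.0.0.6 - - [26/Dec/2000:18:14:01 -0500] "POST /checkout HTTP/1.0" 200 512 '
    '"http://shop.example/cart.cgi" "Mozilla/4.0"',
    '10.0.0.7 - - [26/Dec/2000:18:14:10 -0500] "GET / HTTP/1.0" 200 99 "-" "Mozilla/4.0"',
]
```

Running `referer_leaks(SAMPLE_LOG)` reports only the first line, with `shop.example` as the referring host and `sessionid` as the leaked parameter; the POST-backed page and the Referer-less request produce nothing.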