Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Drew Simonis <simonis () myself com>
Date: Tue, 26 Dec 2000 18:13:38 -0500

Mark Curphey wrote:

IMHO - Hidden Form Fields, isn't that like security by obscurity (maybe I
don't understand how they work right)? Sure you can set the no-cache option
in the HTTP header, but doesn't the session status ID (whatever you pass as
the form field value) just sit on the client machine ready to be replayed?


No, the point that Robert was making (which is a good one) is that
sometimes the URL, with the appended sessionid, might be logged to
another server.  In cases where the HTTP_REFERER is logged, hidden
fields wouldn't be captured, since they aren't part of the URI.

Alas, your point is also valid.  Hidden fields are generally no
more a secure solution than a GETish URI when used by themselves.
My earlier point (added to by Philip) is still, IMO, the best
bet.  Make sure whatever information you use to maintain state
is of little use later in life.  Your main concerns are not only
the danger of a replay attack, but also of information leaks.  Both
nasty things to have to deal with...
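The two points in the reply above, as an added example that is not part of the original thread: the first part shows why a session id carried in the URL query string ends up in the Referer header a browser sends to the next site (and so in that site's logs), while a hidden form field does not, because it travels in the POST body rather than the URI. The second part shows one way to make the state token "of little use later in life": a server-side store that expires tokens after a short TTL and rotates them on every use, so a token captured from a log or a client cache is good only briefly and only once. The URLs, the host shop.example, the parameter name sessionid and the FakeClock helper are all constructed for this example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample pages (assumed for this example, not from the thread).
URL_WITH_SESSION_IN_QUERY = "https://shop.example/cart?item=42&sessionid=abc123"
URL_WITH_HIDDEN_FIELD = "https://shop.example/cart?item=42"
HIDDEN_FIELD_POST_BODY = {"item": "42", "sessionid": "abc123"}


def referer_value(page_url):
    """What a browser sends as the Referer header when the user follows a
    link from page_url: the full URL minus any fragment (the classic
    behaviour, before Referrer-Policy existed)."""
    return urlsplit(page_url)._replace(fragment="").geturl()


def session_id_leaked_via_referer(page_url, param="sessionid"):
    """Return the session id a third-party server would see in its logs
    from the Referer alone, or None if nothing leaks that way."""
    query = urlsplit(referer_value(page_url)).query
    values = parse_qs(query).get(param)
    return values[0] if values else None


class ShortLivedSessionStore:
    """Server-side token store that limits replay: every token expires
    after ttl_seconds and is replaced by a fresh one on each use, so a
    copy obtained later (from a log, a Referer, a client cache) fails."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for deterministic tests
        self._tokens = {}           # token -> (user, expires_at)

    def issue(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._tokens[token] = (user, self.clock() + self.ttl)
        return token

    def consume(self, token):
        """Validate a presented token. Returns (user, new_token) on success
        or (None, None) on failure. The presented token is removed either
        way, so a second presentation of the same value is a replay."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None, None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None, None
        return user, self.issue(user)


class FakeClock:
    """Constructed clock so the expiry path can be exercised offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Run both halves of the example and return the observations."""
    results = {
        "leak_from_query_url": session_id_leaked_via_referer(URL_WITH_SESSION_IN_QUERY),
        "leak_from_hidden_field_page": session_id_leaked_via_referer(URL_WITH_HIDDEN_FIELD),
        # the hidden field is in the POST body, which never reaches the Referer
        "hidden_field_in_body": "sessionid" in HIDDEN_FIELD_POST_BODY,
    }

    clock = FakeClock()
    store = ShortLivedSessionStore(ttl_seconds=300, clock=clock)
    first = store.issue("alice")
    user, second = store.consume(first)
    results["first_use_ok"] = user == "alice" and second != first
    results["replay_of_first_rejected"] = store.consume(first) == (None, None)
    clock.now += 301                                  # past the TTL
    results["expired_token_rejected"] = store.consume(second) == (None, None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Referer half models the default browser behaviour of the era; a modern mitigation is to set a Referrer-Policy such as no-referrer or strict-origin-when-cross-origin, but keeping the session id out of the URI in the first place removes the dependency on the client honouring that policy. The store half is deliberately stateful on the server: the token itself carries no meaning, so nothing useful can be recovered from it after it has expired or been consumed.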

