Penetration Testing mailing list archives
Re: Session Hijacking over HTTP
From: "Christophe Vandeplas" <christophe () vandeplas com>
Date: Wed, 19 Mar 2008 09:02:35 +0100
On 3/18/08, 11ack3r <11ack3r () gmail com> wrote:
Hello Everyone, I was curious to know how would webmail portals like gmail.com and yahoo.com protect their users from session hijacking when they use HTTP after authentication.
I don't exactly know how they do it, but there are clever ways to lower the risk of being exploited by storing client information in the server-side session. This way, when an attacker hijacks the session he should also spoof that information. This lowers the chance of being attacked, but should not be considered as safe as SSL (like the others said).

Example: Store in the server-side session information like:
- session id
- IP addr of client
- user-agent string (or part of the string)

If you notice that the session-id is the same, but these variables are different, there is a high risk of having a hijacked session. Nice things you can also do are sending an http-redirect to http://en.wikipedia.org/wiki/Session_Hijacking . The attacker _will know_ that _you know_ what he's doing. He also knows you are probably logging these events and might even have triggered an alert. Most of the attackers will stop trying here.

Another nice thing to do is to alert the real user that there were security issues and that he should re-login to verify his identity. Please only do this when logging in over a secure connection; you don't want to give a sniffing attacker the real password of the account :-)

We did implement this for a proof of concept. And the reaction of the audience was nice when seeing a) the redirection and b) the alert at the real-user-side.

Cheers
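A server-side version of the check described in this reply, as an added example that is not Christophe's proof of concept: the session record stores the client IP and User-Agent at login, and a later request presenting the same session id from a different client is flagged, logged and invalidated so the application can redirect it and warn the real user. The SessionStore class, its method names and the sample addresses are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    client_ip: str      # TCP peer address; do not trust X-Forwarded-For unless a known proxy set it
    user_agent: str     # full string here; a stable prefix (product/version) reduces false alarms
    valid: bool = True


class SessionStore:
    """Server-side session table with client binding (hypothetical helper)."""

    def __init__(self):
        self._sessions = {}
        self.events = []   # mismatch records the application would log and alert on

    def login(self, user, client_ip, user_agent):
        # Fresh random id on every login; never reuse a pre-authentication id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, client_ip, user_agent)
        return sid

    def check(self, sid, client_ip, user_agent):
        """Return 'ok', 'unknown' or 'hijack' for a request presenting sid."""
        s = self._sessions.get(sid)
        if s is None or not s.valid:
            return "unknown"
        if s.client_ip == client_ip and s.user_agent == user_agent:
            return "ok"
        # Same session id, different client attributes: treat the session as hijacked.
        # Invalidate it so neither party can continue, and record the event; the caller
        # can redirect this request and tell the real user to log in again (over SSL).
        s.valid = False
        self.events.append({
            "user": s.user,
            "session_id": sid,
            "expected": (s.client_ip, s.user_agent),
            "seen": (client_ip, user_agent),
        })
        return "hijack"
```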