WebApp Sec mailing list archives

Re: Hijacking URL Encoded Session IDs using Referer Logs


From: Bob Lee <crazybob () crazybob org>
Date: Mon, 25 Nov 2002 08:32:49 -0600

Many (most?) application servers use URL encoded session IDs when the user has disabled cookies. Many users disable cookies as a security precaution. There should be an advisory on this so that application server vendors stop allowing URL encoded session IDs by default.

If you can post an interesting link to a site, you can hijack the sessions of users with cookies disabled, and no one would be the wiser.

Does Hotmail or Yahoo use URL session IDs? E-mail someone a link to your site and hijack their e-mail account. In the scope of this attack, they'd have no way to tell that you stole it.

Also a good reason to use HTTPS.

Bob

On Monday, November 25, 2002, at 07:48 AM, zeno wrote:

Not to my knowledge. I guess the question would be why would you store the session ID in a user's URL? I suppose people who are too lazy to learn about cookies and don't mind having the ID logged on the server side.


Not to mention it's *possible* that this ID can be saved by a webspider and archived. If using cookies to store these IDs you won't have to worry about this problem. (Unless there is a new super spider which logs cookies that I am unaware of in production use?)

- zeno




Is there anything on CERT about the fact that URL encoded session IDs get passed to referenced sites in the HTTP referer header?

Thanks,
Bob
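
The leak the thread describes shows up on the receiving side as a Referer value that carries another site's session ID, and on the issuing side as access-log entries (and spider archives) that record the ID in the request URL. The following is an added example, not code from the thread or from any of the application servers mentioned: it parses Combined Log Format lines, flags referers that carry a URL-encoded session ID, and redacts such IDs before the line is retained. The parameter names in `SESSION_PARAM_NAMES`, the path-parameter form (`;jsessionid=...`), and the three log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query/path parameter names that commonly carry a session identifier.
# Extend with whatever your own application server actually emits.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "aspsessionid"}

# Path parameters of the form "/inbox;jsessionid=ABC" (servlet-container style).
PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>[^;/?#]+)")

# Apache/NCSA Combined Log Format: the referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two referers leak a session ID, the third has none.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2002:08:32:49 -0600] "GET /index.html HTTP/1.0" 200 512 "http://webmail.example.com/inbox;jsessionid=A1B2C3D4E5F6" "Mozilla/4.0"
198.51.100.9 - - [25/Nov/2002:08:33:10 -0600] "GET /page.html HTTP/1.0" 200 1024 "http://shop.example.net/cart?PHPSESSID=deadbeef1234&item=42" "Mozilla/4.0"
192.0.2.77 - - [25/Nov/2002:08:34:01 -0600] "GET /about.html HTTP/1.0" 200 300 "-" "Mozilla/4.0"
"""


def find_session_ids(url):
    """Return [(param_name, value)] for every session ID embedded in the URL."""
    found = []
    parts = urlsplit(url)  # keeps ";param=value" inside .path
    for m in PATH_PARAM_RE.finditer(parts.path):
        if m.group("name").lower() in SESSION_PARAM_NAMES:
            found.append((m.group("name"), m.group("value")))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    return found


def redact_url(url, placeholder="REDACTED"):
    """Replace session ID values in path parameters and the query string."""
    parts = urlsplit(url)
    path = PATH_PARAM_RE.sub(
        lambda m: f";{m.group('name')}={placeholder}"
        if m.group("name").lower() in SESSION_PARAM_NAMES else m.group(0),
        parts.path,
    )
    query = urlencode([
        (k, placeholder if k.lower() in SESSION_PARAM_NAMES else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def audit_log(lines):
    """Flag log lines whose Referer carries a session ID from another site."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        referer = m.group("referer")
        for name, _value in find_session_ids(referer):
            findings.append({
                "line": lineno,
                "referer_host": urlsplit(referer).hostname,
                "param": name,
            })
    return findings


def redact_log_line(line):
    """Rewrite one log line so the Referer field no longer stores the ID."""
    m = LOG_RE.match(line)
    if not m or m.group("referer") in ("", "-"):
        return line
    return line[:m.start("referer")] + redact_url(m.group("referer")) + line[m.end("referer"):]


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG.splitlines()):
        print(f"line {finding['line']}: {finding['param']} leaked from {finding['referer_host']}")
    for raw in SAMPLE_LOG.splitlines():
        print(redact_log_line(raw))
```

Redacting the referer only protects the log on the receiving site; the fix the thread argues for is to keep session IDs out of URLs in the first place, since the ID is exposed the moment the browser sends it, and serving the application over HTTPS keeps the URL off the wire in clear text.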
