WebApp Sec mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: ONEILL David J <David.J.Oneill () state or us>
Date: 25 Nov 2002 07:39:04 -0800
And ... Unless one would want to limit potential users from being able to access the website, one would never assume that the session ID could be stored in a cookie.

David J. O'Neill
NEDSS - IS7
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX: (503) 378-2102
crazybob () crazybob org 11/25/02 06:59AM >>>
Many (most?) application servers use URL encoded session IDs when the user has disabled cookies. Many users disable cookies as a security precaution. There should be an advisory on this so that application server vendors stop allowing URL encoded session IDs by default. If you can post an interesting link to a site, you can hijack the sessions of users with cookies disabled, and no one would be the wiser. Does Hotmail or Yahoo use URL session IDs? E-mail someone a link to your site and hijack their e-mail account. In the scope of this attack, they'd have no way to tell that you stole it. Also a good reason to use HTTPS.

Bob

On Monday, November 25, 2002, at 07:48 AM, zeno wrote:
Not to my knowledge. I guess the question would be why would you store the session ID in a user's URL? I suppose people who are too lazy to learn about cookies and don't mind having the ID logged on the server side. Not to mention it's *possible* that this ID can be saved by a webspider and archived. If using cookies to store these IDs you won't have to worry about this problem. (unless there is a new super spider which logs cookies that I am unaware of in production use?)

- zeno

Is there anything on CERT about the fact that URL encoded session IDs get passed to referenced sites in the HTTP referer header?

Thanks,
Bob
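The thread's point is that a session ID carried in the URL rides along in the Referer header to any site the user follows a link to. The following is an added example, written for this archive page and not code posted by any participant or shipped by any application server: a server-side policy that never honours a session ID presented in the URL (redirecting to the same URL with the ID stripped, and sending Referrer-Policy: no-referrer on every response), plus a check over your own access log that reports whether the cookie-less URL fallback is still being used. The session parameter names, the "combined" log layout, and the sample log lines are assumptions constructed for the example.

```python
"""Added example (not from the thread): defensive handling of URL-carried session IDs.

Two defender-side pieces:
  1. split_session_from_url / handle_request: a server policy that never honours a
     session ID presented in the URL, redirects to the same URL with the ID removed,
     and sends Referrer-Policy: no-referrer so outbound links carry no Referer at all.
  2. scan_access_log: a check over your own access log that reports requests whose
     URL still carries a session ID, i.e. evidence the cookie-less fallback is active.
Parameter names and the log format below are assumptions, not taken from any product.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical list of session parameter names; extend it for the servers you run.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid"}
# Path-matrix form used by servlet containers: /app/page;jsessionid=VALUE
PATH_SESSION_RE = re.compile(r";(jsessionid)=([^;/?#]*)", re.IGNORECASE)


def split_session_from_url(url):
    """Return (url_without_session_ids, {param_name: value}).

    Handles both the ';jsessionid=...' path form and '?sid=...' query parameters.
    Parameter names are normalised to lower case in the returned dict.
    """
    parts = urlsplit(url)
    found = {}
    path = parts.path
    m = PATH_SESSION_RE.search(path)
    if m:
        found[m.group(1).lower()] = m.group(2)
        path = path[: m.start()] + path[m.end():]
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            found[key.lower()] = value
        else:
            kept.append((key, value))
    clean = urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))
    return clean, found


def handle_request(url, cookies):
    """Minimal request policy: returns (status, headers, session_id_or_None).

    A session ID in the URL is treated as untrusted and dropped: the client is
    redirected to the clean URL, so the ID never ends up in a Referer sent from
    any page we serve. Only the cookie-borne session is accepted.
    """
    clean, leaked = split_session_from_url(url)
    headers = {"Referrer-Policy": "no-referrer"}  # belt and braces: no Referer at all
    if leaked:
        headers["Location"] = clean
        return 302, headers, None
    return 200, headers, cookies.get("SESSIONID")


# Assumed "combined" log format: client ident user [time] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines):
    """Report requests to our own site whose URL carries a session ID.

    Each finding records the client, the parameter name and the cleaned path,
    deliberately not the ID value, so the report itself leaks nothing.
    """
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        clean, found = split_session_from_url(m.group("target"))
        for name in sorted(found):
            findings.append({"client": m.group("client"), "param": name, "path": clean})
    return findings


# Constructed sample log lines (RFC 5737 test addresses, made-up session values).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2002:07:39:04 -0800] "GET /app/page;jsessionid=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.6 - - [25/Nov/2002:07:40:00 -0800] "GET /app/page?q=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [25/Nov/2002:07:41:30 -0800] "GET /login?PHPSESSID=deadbeef&next=%2Finbox HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(handle_request("https://example.test/app/page;jsessionid=ABC123?q=1", {}))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Redirecting rather than silently accepting the URL-borne ID matters: a server that still honours such an ID keeps the 2002 exposure alive even after cookies are the default, and any finding from scan_access_log is a sign the fallback should be disabled in the container's configuration rather than worked around here.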
Current thread:
- Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 24)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- <Possible follow-ups>
- Re: Hijacking URL Encoded Session IDs using Referer Logs ONEILL David J (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Craig_Sullivan (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs UDP 53 (Dec 05)