WebApp Sec mailing list archives
Re: post to bugtraq about "session fixation"
From: Alex Russell <alex () netWindows org>
Date: Wed, 18 Dec 2002 16:49:52 -0600
On Wednesday 18 December 2002 15:18, Kevin Spett wrote:
> If the session management implementations of web application servers (JRun and PHP are mentioned) allow users to specify session IDs, I would consider it a legitimate problem.

Perhaps, but there are a lot of other requisite mistakes needed for this to be an issue, such as:

 * the app must accept the SAME session IDs across both secured and unsecured interactions
 * the app must not change the session id on a per-page or per-action basis
 * the app must not issue another "action specific" nonce to be used in conjunction with the session ID to validate for sensitive actions

> Lots of people rely on the vendor-supplied APIs for session management. If they had framed it more as a potential weakness in web app design more than a revolutionary new attack technique it would've been better. I agree that the severity and practicality of the attacks described in the paper have been exaggerated, but saying it's marketing and nothing more is a little harsh.

I agree. For sites that have the multitude of problems necessary to exploit this, it's a serious issue.

Sure, they took liberties saying that it's a widespread new type of attack, but if they were going for pure marketing, they'd end up with something like this: http://www.forescout.com/e-tourinteractive10.html

My favorite claim in that flash marketing trainwreck: "Active scout blocks all attacks, even the unknown ones". And we wonder why people find it hard to trust security vendors...sigh...

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
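The three "requisite mistakes" listed in the message map directly onto three server-side defences: honour only session IDs the server itself issued (so a client-chosen ID never becomes a live session), rotate the ID whenever the session changes privilege (login, or moving from an unsecured to a secured interaction), and require a per-action nonce on top of the session ID for sensitive operations. The following Python is an added illustration written for this archive page, not code from the post, from JRun, or from PHP; the class and method names (SessionStore, login, issue_action_nonce, perform_sensitive_action) and the scenario values are hypothetical.

```python
"""Added example (not part of the original post): a minimal server-side
session manager showing the defences that the message says an app must
lack for session fixation to matter. All names here are hypothetical."""
import secrets


def _fresh_data():
    return {"user": None, "secure": False, "nonces": set()}


class SessionStore:
    """Server-side session table keyed by opaque, server-generated IDs."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def start(self):
        """Issue a brand-new, unguessable session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = _fresh_data()
        return sid

    def lookup(self, presented_id):
        """Defence 1: only IDs this server issued are honoured.  An unknown
        (e.g. attacker-chosen) ID arriving in a cookie or URL resolves to
        nothing, so the app never adopts it as a session."""
        if presented_id is None:
            return None
        return self._sessions.get(presented_id)

    def login(self, old_sid, username, over_tls):
        """Defence 2: rotate the session ID on a privilege change.  Whatever
        ID was known before login is invalidated; the session also records
        whether it was established over TLS so a plain-HTTP session cannot
        later be used for secured interactions."""
        data = self.lookup(old_sid) or _fresh_data()
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = dict(data, user=username, secure=over_tls,
                                       nonces=set())
        return new_sid

    def issue_action_nonce(self, sid):
        """Defence 3: a single-use nonce handed out with a sensitive form and
        required on submission, so knowing the session ID alone is not
        enough to perform the action."""
        data = self.lookup(sid)
        if data is None:
            raise PermissionError("no such session")
        nonce = secrets.token_urlsafe(16)
        data["nonces"].add(nonce)
        return nonce

    def perform_sensitive_action(self, sid, nonce, over_tls):
        """Return True only if every check passes: server-issued session,
        authenticated user, session established over TLS and request over
        TLS, and a valid, not-yet-used action nonce."""
        data = self.lookup(sid)
        if data is None or data["user"] is None:
            return False
        if not (data["secure"] and over_tls):
            return False
        if nonce not in data["nonces"]:
            return False
        data["nonces"].discard(nonce)  # nonces are single use
        return True


def fixation_scenario():
    """Constructed walk-through returning the outcome of each check."""
    store = SessionStore()
    results = {}
    # An ID the server never issued is simply not a session.
    results["foreign_id_rejected"] = store.lookup("attacker-chosen-id") is None
    # Login rotates the ID; the pre-login ID is dead afterwards.
    pre = store.start()
    post = store.login(pre, "alice", over_tls=True)
    results["id_rotated"] = post != pre and store.lookup(pre) is None
    # A sensitive action needs a valid nonce, and only once.
    nonce = store.issue_action_nonce(post)
    results["bad_nonce_rejected"] = not store.perform_sensitive_action(post, "guess", True)
    results["good_nonce_accepted"] = store.perform_sensitive_action(post, nonce, True)
    results["nonce_single_use"] = not store.perform_sensitive_action(post, nonce, True)
    # A session established over plain HTTP cannot be used for secured actions.
    http_sid = store.login(store.start(), "bob", over_tls=False)
    n2 = store.issue_action_nonce(http_sid)
    results["insecure_session_rejected"] = not store.perform_sensitive_action(http_sid, n2, True)
    return results


if __name__ == "__main__":
    for check, ok in fixation_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

In a real framework these checks live in the session middleware and the form-handling layer rather than in one class, but the division of labour is the same: the store decides which IDs exist, the login path replaces the ID, and the nonce gates each sensitive request.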