Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications

["Sverre H. Huseby" <shh () thathost com>]

|   ACROS Security is pleased to announce the publication of a
|   security paper about a new class of attacks on web-based
|   applications that we named "session fixation" attacks.

Very interesting.  Particularly the part where one can include the
session ID in a URL, as it doesn't depend on other bugs (such as XSS)
in the target web site.  The paper is also very well written.

The whole thing reminds me of something a friend pointed me to a
couple of weeks ago: Using the same session id on both unencrypted and
encrypted communication.  Many web sites let you start with plain
HTTP, and switch to HTTPS as soon as you want to log in.  If someone
sniffs the victim's session ID before the victim logs in over HTTPS,
that someone may, in many cases, use that very same session ID to
impersonate the victim after he has been authenticated.  The solution
is, as with session fixation, to invalidate the session (and create a
new one) when switching from unauthenticated to authenticated user.

Well, merry Christmas and so on to everybody!


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/