WebApp Sec mailing list archives
Re: Security Paper: Session Fixation Vulnerability in Web-based Applications
From: Bill Pennington <billp () boarder org>
Date: Thu, 19 Dec 2002 13:56:07 -0800
Not to be an "I told you so" or anything since I didn't really tell anyone except the guys at SPI Dynamics but I noticed that problem (the reuse of session IDs between non-ssl and SSL sessions) about 3 years ago. It particularly was evident in BroadVision based applications. BroadVision released a paper to there clients I believe.
It really only became a big problem if the app echoed information back to the client. You could get CC info from active sessions pretty easily on some very large BroadVision based sites. If it didn't echo info you where kinda limited in your attack. On most apps i tested you could just add or remove stuff to peoples carts, while funny I did not think it was that big of an issue.
On Thursday, December 19, 2002, at 11:45 AM, Sverre H. Huseby wrote:
| ACROS Security is pleased to announce the publication of a | security paper about a new class of attacks on web-based | applications that we named "session fixation" attacks. Very interesting. Particularly the part where one can include the session ID in a URL, as it doesn't depend on other bugs (such as XSS) in the target web site. The paper is also very well written. The whole thing reminds me of something a friend pointed me to a couple of weeks ago: Using the same session id on both unencrypted and encrypted communication. Many web sites let you start with plain HTTP, and switch to HTTPS as soon as you want to log in. If someone sniffs the victim's session ID before the victim logs in over HTTPS, that someone may, in many cases, use that very same session ID to impersonate the victim after he has been authenticated. The solution is, as with session fixation, to invalidate the session (and create a new one) when switching from unauthenticated to authenticated user. Well, merry Christmas and so on to everybody! Sverre. -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/
Current thread:
- Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Mark Curphey (Dec 18)
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Sverre H. Huseby (Dec 19)
- Re: Security Paper: Session Fixation Vulnerability in Web-based Applications Bill Pennington (Dec 19)
- <Possible follow-ups>
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Craig_Sullivan (Dec 20)
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Sverre H. Huseby (Dec 19)