WebApp Sec mailing list archives

Re: session id abuse


From: npguy <npguy () websurfer com np>
Date: Sat, 14 Feb 2004 10:29:30 +0545

Hi Johnny,

Friday, February 13, 2004, 6:05:09 PM, you wrote:


JG> 1.  Another user to change the session information on the
JG> server and change access from read only to write (by knowing the
JG> session id)?

If the client is encouraging the packet to pass through a third-party
machine, then it is very much possible to hijack the session.
But if you bind the IP to the Session-ID, it could be hard to break.


As you assumed, the user has only read access, so there is no way to
escalate. But it depends on your implementation.


JG> 3.  How can you effectively limit concurrent access to only 1 session?

Deny all new logins if the given account is not logged out.

JG> 4.  If client side certificates were to be used, could you
JG> create another session from another browser once the first session
JG> was authenticated?  ie, how do you restrict the access to only one
JG> browser?

You can do it. But why do you need another session?


JG> 5.  If you are using server side validation for all user
JG> invoked queries, is it still possible to force data into the
JG> application to elevate your role?  Assume that user roles are
JG> clearly defined in the db.

If the user roles are clearly defined, the escalation could reach
its limit and cannot go beyond.


JG> 6.  If a user with high privileges (such as write to db)
JG> leaves a workstation unattended with no session timeout, are there
JG> any controls that one could put in place to still validate the
JG> user is the privileged user after a period of time?  for example
JG> keep session active, but to make any changes application must
JG> validate information on a usb key? 

It is possible. You should find out the idle time-out and prompt
for login.

JG> 7.  How do you choose between session ID's tagged in URL,
JG> Session IDs in cookies?

The cookies and GET variables (URL) can be accessed through their
corresponding associative arrays or standard global variables. Check the
Apache or scripting manual.

For example, in PHP:

to get URL variables, use $_GET["sessionkey"]; for cookies, try
$_COOKIE["sessionkey"].

JG> How do you restrict the information in
JG> either URL or cookie so that users can't use this info to abuse
JG> the application?

The server-side script should use proper string parsing, validation of
the data, etc.



JG> Thanks



JG> Johnny
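A server-side session store that applies the controls discussed above in points 1, 3 and 6 (binding the session to the client IP, allowing one live session per account, and an idle time-out that forces a fresh login), as an added example that is not part of the original thread; the time-out value, the in-memory store and all function names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store; a real application would keep the same
# records in a server-side database or cache and run the same checks.
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before re-login is required
ACTIVE_BY_USER = {}      # user -> session id: one concurrent session per account
SESSIONS = {}            # session id -> record held only on the server

def _h(ip):
    return hashlib.sha256(ip.encode()).hexdigest()

def _expired(s, now):
    return now - s["last_seen"] > IDLE_TIMEOUT

def create_session(user, client_ip, role, now=None):
    """Login: refuse if the account already has a live session (point 3),
    then issue a fresh random id bound to the client's IP (point 1)."""
    now = time.time() if now is None else now
    old = ACTIVE_BY_USER.get(user)
    if old in SESSIONS and not _expired(SESSIONS[old], now):
        return None                      # account still logged in elsewhere
    SESSIONS.pop(old, None)              # drop a stale record, if any
    sid = secrets.token_urlsafe(32)      # unguessable, not derived from user data
    SESSIONS[sid] = {"user": user, "ip_hash": _h(client_ip), "role": role,
                     "last_seen": now}
    ACTIVE_BY_USER[user] = sid
    return sid

def validate(sid, client_ip, now=None):
    """Per request: reject unknown ids, IP mismatches (point 1) and idle
    sessions (point 6), destroying the record so it cannot be retried.
    Returns the role from the server record, never from client input."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or s["ip_hash"] != _h(client_ip) or _expired(s, now):
        SESSIONS.pop(sid, None)
        return None
    s["last_seen"] = now
    return s["role"]
```

Binding to the IP also logs out legitimate clients whose address changes mid-session (mobile networks, proxy pools), so the trade-off should be decided per application.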