WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: Eran Tromer <webapp2eran () tromer org>
Date: Mon, 20 Dec 2004 17:00:53 +0200
On 12/16/2004 03:13 AM, Thomas Schreiber wrote:
SESSION RIDING - A Widespread Vulnerability in Today's Web Applications http://www.securenet.de/papers/Session_Riding.pdf
Nice work. I suspect this vulnerability is quite common and dangerous. In Section 6.1 ("Countermeasures" / "Use secrets"), you seem to concentrate on secrets that are explicitly stored in the server-side session record. But one can also use a secret that is computed on-the-fly: secret = SHA1(site_secret, session_id) or, in the absence of explicit sessions: secret = SHA1(site_secret, user_id, user_password) Above, site_secret is a fixed secret random string (160 bits of entropy) that is specific to this site. Since this does not require changes to the database schema, it may be easier to apply at the critical points of existing systems. Due to site_secret, an attacker cannot compute the secret even if he knows session_id (say, due to an XSS attack). And importantly, the presence of site_secret prevents the attacker from recovering session_id via a dictionary attack if the user accidentally publishes a URL containing the secret. To minimize URL ugliness, you can safely truncate this secret to, say, 16 hexadecimal characters (64 bits). In fact, often even 10 hexadecimals would suffice, since testing each guess for the secret requires triggering an HTTP request *by the user's browser*, so the attack cannot be effectively parallelized. It's important that site_secret is specific to the site, not the server. If more convenient, one can use just one server-wide secret, and redefine: site_secret = (server_secret, site_identifier) where site_identifier can be, for example, the canonical hostname. Eran
Current thread:
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications", (continued)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Joseph Miller (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Yvan G.J. Boily (Dec 20)
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Mark Burnett (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Jeff Williams (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Augusto Paes de Barros (Dec 23)
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Mark Burnett (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Eran Tromer (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)