Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

[Elihu Smails <elihusmails2000 () yahoo com>]

I agree with the comments that there is a problem on
the development end that session management is
lacking.  I am a developer, I can say this.:) 
Sessions should track the remote IP address of the
client at a minimum, so that this problem could go
away.  Many programs that I have written have custom
session management that track not only client IP, but
browser, any certificate info and username.  I will
agree that any of this inforamtion is
obtainable/spoofable, it is not in the context of most
web application security issues such as Session
Riding.



--- Thomas Schreiber <ts () securenet de> wrote:

> Hello,
>
> I would like to point you to a whitepaper just
> released:
>
> SESSION RIDING - A Widespread Vulnerability in
> Today's Web Applications
> http://www.securenet.de/papers/Session_Riding.pdf
>
> ----------
> Abstract:
>
> In this paper we describe an issue that was raised
> in 2001 under the name of Cross-Site Request
> Forgeries (CSRF). It seems, though, that it has been
> neglected by the community, as it is not part of
> recent Web Application Security discussions, nor is
> it mentioned in OWASP's Top Ten or the like. After
> having frequently observed this vulnerability in our
> Web Application Security assessments of custom Web
> applications, we started to examine various public
> Web applications and other browser-based
> applications:
>
> —     popular (commercial) Web sites 
> —     popular browser-based console applications such as
> administration tools for databases, servers, etc.
> —     browser-based administration clients of hardware
> devices
> —     webmail sites and open source and commercial
> webmail solutions 
>
> We have found out that this vulnerability is present
> in many of those sites, services and products, some
> of which perform sensitive tasks. Actually, the list
> of affected companies contains well-known big
> players. Our analysis has led us to the conclusion
> that this vulnerability is the most widespread one
> in today's Web applications right after Cross-Site
> Scripting (XSS). Even worse, in some scenarios it
> has to be considered much more dangerous than XSS.
>
> We feel that a concise description of this issue is
> necessary, along with a description of scenarios
> that highlight the danger to all browser-based
> applications that do not provide appropriate
> countermeasures, be it Intranet, Internet or console
> applications. In this paper, we explain this
> vulnerability in depth, show that it may be used
> unnoticed by the victim, describe potential threats,
> and finally give hints on how to make Web
> applications safe from such attacks.
>
> We prefer to call this issue Session Riding which
> more figuratively illustrates what is going on.
> ----------
>
> Feedback is very welcome - especially regarding our
> rating/experience as one of the most widespread
> vulnerabilities today. 
>
> Thomas Schreiber
____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
> +49 89/32133-610
> mailto:ts () securenet de



                
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com