WebApp Sec mailing list archives
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 23 Dec 2004 11:55:15 -0600
> Perhaps the applications that are more likely to be exploited are those that the user stays logged in to and that periodically refresh themselves, like webmail. I don't see them as a huge threat for systems like Internet banking, for example.
In general I would agree. In my experience I'm still surprised how often systems have fundamentally broken session management, or it's a service provider model and the first-tier 'client' has control of the session timeout and sets it to infinite for their 'clients'. The SP blames the client for this practice and the client says security is the SP's issue, and there is no resolution in the end.

Or, my all-time favorite is the billpay app with the session token cookies that to this day I believe still go 1078, 1086, 1097, 1099, [....] Thank goodness I read that paper those Bindview guys wrote on doing 3-dimensional modeling of IP space. I stole some Perl scripts from Rogan Dawes and tried that out, otherwise I might have missed that one. It was not some increment-by-one that could be observed by a tester of my skill each time I'd log in and out. It would jump by four or six or sometimes ten because they had cryptographically obscured the value incrementation due to the fact that other people were logging in and out of the application at the same time. Clever. I recommended they take the session token (1111) + username (aevans) and encrypt it (1111nrinaf) but they did not listen to me.

U2FmZSBhbmQgSGFwcHkgSG9saWRheXMh
RG9uJ3QgdGFrZSB0aGlzIHRvbyBzZXJpb3VzbHkh

Everyone take care,
Arian

The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
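Added example, not part of Arian's message or of the thread: the kind of token sequence he describes (a login counter that jumps by a few because other users log in between the tester's logins) can be checked for predictability with nothing more than consecutive deltas and a small guess window, which is the simplest form of the sequence-number analysis he alludes to. The `CounterTokenServer` below is a constructed simulation of that weak scheme, seeded so it repeats; `strong_token`, `next_candidates`, `hit_rate` and `is_predictable` are names chosen here, not any real application's API. The start value 1078 is borrowed from the post for illustration only.

```python
"""Predictability check for session tokens (added example; constructed data).

Compares a simulated counter-style token (weak) against a token from the OS
CSPRNG (strong) using the attacker's view: given the last token I saw, how
often is the next one inside a small window of guesses?
"""
import random
import secrets
from typing import List, Set


class CounterTokenServer:
    """Constructed simulation of the weak scheme: a global login counter.

    Each tester login advances the counter by one; between two tester logins
    a random number of other users (0-9, seeded here so the run repeats) also
    log in, so observed values jump by 1..10 rather than exactly 1.
    """

    def __init__(self, start: int = 1078, seed: int = 1) -> None:
        self._counter = start
        self._rng = random.Random(seed)

    def login(self) -> str:
        self._counter += self._rng.randint(0, 9)  # other users in between
        self._counter += 1                         # our own login
        return str(self._counter)


def strong_token() -> str:
    """128 bits from the OS CSPRNG: what a session identifier should be."""
    return secrets.token_hex(16)


def deltas(tokens: List[str]) -> List[int]:
    """Differences between consecutive integer-valued tokens.

    Returns an empty list if any token is not an integer, since a delta
    analysis only makes sense for numeric tokens."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return []
    return [b - a for a, b in zip(values, values[1:])]


def next_candidates(observed: List[str], width: int = 10) -> Set[str]:
    """Attacker's guess list: the last observed token plus 1..width.

    Non-numeric tokens give the attacker nothing to extrapolate from."""
    try:
        last = int(observed[-1])
    except ValueError:
        return set()
    return {str(last + i) for i in range(1, width + 1)}


def hit_rate(tokens: List[str], width: int = 10) -> float:
    """Fraction of tokens the attacker would have guessed from the previous one.

    Near 1.0: the live token space is a handful of guesses away from any
    session you hold yourself. Near 0.0: not a simple counter (this check
    says nothing more than that; a 0.0 is necessary, not sufficient)."""
    hits = sum(
        1 for i in range(1, len(tokens))
        if tokens[i] in next_candidates(tokens[:i], width)
    )
    return hits / (len(tokens) - 1)


def is_predictable(tokens: List[str], width: int = 10,
                   threshold: float = 0.5) -> bool:
    """Flag a token sample whose guess-window hit rate reaches the threshold."""
    return hit_rate(tokens, width) >= threshold


if __name__ == "__main__":
    server = CounterTokenServer()
    weak = [server.login() for _ in range(50)]
    strong = [strong_token() for _ in range(50)]
    print("weak  :", weak[:5], "deltas", deltas(weak)[:4],
          "hit rate", hit_rate(weak))
    print("strong:", strong[:2], "hit rate", hit_rate(strong))
```

The guess window is the practical point: an attacker who holds one valid session of their own only has to try the next ten or so values to land on a concurrent user's session, so a jump of "four or six or sometimes ten" is no obstacle at all. The same check applied to a deterministic transform of the counter (any fixed reversible mapping of it) would show the same hit rate once the attacker reverses the mapping, which is why the fix is an unpredictable token from a CSPRNG, not obscuring the counter.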
Current thread:
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications", (continued)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Joseph Miller (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)