WebApp Sec mailing list archives
RE: [tool] Guardian () JUMPERZ NET : Detecting session hijack
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Thu, 3 Feb 2005 20:40:49 -0500
Hi Kanatoko,

While I really love open source projects, I think that they have their limits. Only a small number of open source projects that require signatures have succeeded in creating a useful solution; good examples of those are Snort, Nessus and NMAP. The problem with Guardian is that it is a signature-based machine without signatures. Unfortunately, application layer signatures are much more complex than network layer signatures and no public database of them is available, thus making tools like mod_security or Guardian difficult to use. Additionally, the web applications world seems to be much too complex for simple models.

Being more specific to the new sessions plug-in: the plug-in tries to correlate multiple session identifiers in order to detect a breach, in this case IP addresses, cookie session IDs and user agent headers. A mismatch between the session identifiers will result in an alert. Unfortunately, IP addresses are a very unreliable way to follow sessions, as you write in the section about real world cases. To make things worse, AOL, the biggest ISP in the US, uses multiple gateways for the same user. IP reuse will also generate many false positives, and on top of that multiple windows on the same machine may also issue alerts. And to make things even more complex, half of the sessions out there are not cookie based at all.... jsessionid is usually used as a query parameter, while other technologies re-write the URL to maintain sessions.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com
http://www.breach.com
-----Original Message-----
From: Kanatoko [mailto:anvil () jumperz net]
Sent: Wednesday, February 02, 2005 11:48 AM
To: webappsec () securityfocus com
Subject: [tool] Guardian () JUMPERZ NET : Detecting session hijack

Hi list,

Guardian () JUMPERZ NET is an open source web application firewall. It is available at http://guardian.jumperz.net/

A new plugin named "SessionIdManager" is released. This plugin detects attacks against session ID management. Now we can detect:
- brute force attacks
- session hijack attacks
- session fixation attacks

For more details about this plugin, see the following URL.
http://guardian.jumperz.net/manual/en/body082.html

thanks.

--
Kanatoko <anvil () jumperz net>
Open Source WebAppFirewall
http://guardian.jumperz.net/
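The correlation check Ofer describes, and the false-positive cases he lists, as an added Python example that is not part of either message and is not Guardian's code. It binds a session ID to the client address and User-Agent first seen with it and alerts on any later mismatch; it pulls the session ID from a cookie, from a `;jsessionid=` path parameter as URL-rewriting containers emit it, or from a query parameter, so URL-carried sessions are covered too. The demo shows how a strict per-address binding flags a legitimate gateway change (the multi-gateway ISP case) while a /24 prefix binding keeps only the event where both address and browser change. All request data, class names and function names are constructed for this illustration.

```python
"""Session-binding correlation check (constructed example, not Guardian's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    ip: str
    user_agent: str
    url: str
    cookie: str = ""  # raw Cookie header; empty when the session rides in the URL


def extract_session_id(req: Request, name: str = "jsessionid") -> Optional[str]:
    """Return the session ID from the cookie, the ';name=' path parameter
    (servlet-style URL rewriting) or the query string, in that order."""
    if req.cookie:
        jar = SimpleCookie()
        try:
            jar.load(req.cookie)
        except CookieError:
            jar = SimpleCookie()  # malformed header: fall through to the URL
        for key, morsel in jar.items():
            if key.lower() == name:
                return morsel.value
    parts = urlsplit(req.url)  # urlsplit keeps ';params' inside .path
    for seg in parts.path.split(";")[1:]:
        key, _, value = seg.partition("=")
        if key.lower() == name and value:
            return value
    for key, values in parse_qs(parts.query).items():
        if key.lower() == name and values:
            return values[0]
    return None


@dataclass
class Binding:
    ip: str
    user_agent: str


class SessionBindingDetector:
    """Bind each session ID to the first (ip, user_agent) seen; alert on drift.

    ip_prefix=32 binds to the exact address; a shorter prefix tolerates
    gateway rotation inside one provider block at the cost of some coverage."""

    def __init__(self, bind_ip: bool = True, ip_prefix: int = 32) -> None:
        self.bind_ip = bind_ip
        self.ip_prefix = ip_prefix
        self.bindings: dict[str, Binding] = {}
        self.alerts: list[dict] = []

    def _same_network(self, known_ip: str, new_ip: str) -> bool:
        net = ipaddress.ip_network(f"{known_ip}/{self.ip_prefix}", strict=False)
        return ipaddress.ip_address(new_ip) in net

    def observe(self, req: Request) -> Optional[dict]:
        sid = extract_session_id(req)
        if sid is None:
            return None  # no session to correlate
        known = self.bindings.get(sid)
        if known is None:
            self.bindings[sid] = Binding(req.ip, req.user_agent)
            return None
        mismatches = []
        if self.bind_ip and not self._same_network(known.ip, req.ip):
            mismatches.append("ip")
        if known.user_agent != req.user_agent:
            mismatches.append("user_agent")
        if not mismatches:
            return None
        alert = {"session": sid, "mismatch": mismatches, "ip": req.ip}
        self.alerts.append(alert)
        return alert


# Constructed traffic: one user whose provider rotates gateways mid-session
# (same /24, same browser), and one URL-carried session that is later
# presented from a different network by a different browser.
SAMPLE_TRAFFIC = [
    Request("203.0.113.10", "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0)",
            "/account", cookie="JSESSIONID=A1B2C3; theme=dark"),
    Request("203.0.113.25", "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0)",
            "/account/orders", cookie="JSESSIONID=A1B2C3; theme=dark"),
    Request("198.51.100.7", "Mozilla/5.0 (X11; Linux i686)",
            "/shop/cart;jsessionid=Z9Y8X7"),
    Request("192.0.2.44", "Mozilla/5.0 (Windows NT 5.1)",
            "/shop/checkout;jsessionid=Z9Y8X7"),
]


def run_demo(bind_ip: bool = True, ip_prefix: int = 32) -> list[dict]:
    """Replay SAMPLE_TRAFFIC through a detector and return its alerts."""
    det = SessionBindingDetector(bind_ip=bind_ip, ip_prefix=ip_prefix)
    for req in SAMPLE_TRAFFIC:
        det.observe(req)
    return det.alerts


if __name__ == "__main__":
    print("strict /32 binding:", run_demo())
    print("/24 prefix binding:", run_demo(ip_prefix=24))
```

With the exact-address binding the gateway change on session A1B2C3 is reported as a hijack even though nothing else changed, which is the noise Ofer predicts; relaxing to a /24 prefix drops that alert while still reporting Z9Y8X7, where both the network and the browser differ. Multiple browser windows on one machine share address and User-Agent and so do not trip this check, but a user who opens the same session from a second browser would.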
Current thread:
- [tool] Guardian () JUMPERZ NET : Detecting session hijack Kanatoko (Feb 02)
- <Possible follow-ups>
- RE: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ofer Shezaf (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Kanatoko (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ivan Ristic (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ivan Ristic (Feb 06)