WebApp Sec mailing list archives
Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack
From: Kanatoko <anvil () jumperz net>
Date: Sat, 05 Feb 2005 07:49:35 +0900
Hi Ofer, Thank you very much for your feedback.
> The problem with Guardian is that it is a signature-based machine without signatures.
We have 60 signatures now. http://guardian.jumperz.net/index.html?i=004 I think that it is enough because many of those are generic.
> Unfortunately IP addresses are a very unreliable way to follow sessions, as you write in the section about real world cases. To make things worse, AOL, the biggest ISP in the US, uses multiple gateways for the same user. IP reuse will also generate many false positives, and on top of that multiple windows on the same machine may also issue alerts.
I know. So I wrote this: http://guardian.jumperz.net/manual/en/body100.html
> And to make things even more complex, half of the sessions out there are not cookie based at all.... jsessionid is usually used as a query parameter, while other technologies re-write the URL to maintain sessions.
I know. Guardian supports that situation. Guardian supports the following 4 types.

1. Session ID in Cookie
---------------------------
GET /foo HTTP/1.0
Cookie: sessionid=12345
User-Agent: Mozilla
---------------------------

2. Session ID in parameter in URL
---------------------------
GET /foo;sessionid=12345 HTTP/1.0
User-Agent: Mozilla
---------------------------

3. Session ID in query in URL
---------------------------
GET /foo?bar=baz&sessionid=12345 HTTP/1.0
User-Agent: Mozilla
---------------------------

4. Session ID in query in HTTP request body
---------------------------
POST /foo HTTP/1.0
User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

bar=baz&sessionid=12345
---------------------------

Thanks.

--
Kanatoko<anvil () jumperz net>
Open Source WebAppFirewall
http://guardian.jumperz.net/
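As an added example (not Guardian's code and not part of this thread), the following Python pulls the session ID out of each of the four carrier locations listed above and then binds each session ID to the client attributes it was first seen with, flagging a later request that arrives with a different client tuple. The sample requests are constructed from the four forms shown; the `sessionid` name, the `HijackDetector` class and the `(ip, user_agent)` tuple are assumptions, and the tuple is left to the caller precisely because IP alone produces the false positives discussed above.

```python
from urllib.parse import urlsplit

# Constructed sample requests, one per carrier type listed in the message above.
REQUESTS = {
    "cookie": "GET /foo HTTP/1.0\r\nCookie: sessionid=12345\r\nUser-Agent: Mozilla\r\n\r\n",
    "path": "GET /foo;sessionid=12345 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n",
    "query": "GET /foo?bar=baz&sessionid=12345 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n",
    "body": "POST /foo HTTP/1.0\r\nUser-Agent: Mozilla\r\nContent-Type: "
            "application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\nbar=baz&sessionid=12345",
}

def parse_request(raw):
    # Split a raw HTTP/1.x request into (request-target, lower-cased headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def _lookup(pairs, name):
    # First non-empty value whose key equals name, from an iterable of "k=v" strings.
    for pair in pairs:
        k, _, v = pair.strip().partition("=")
        if k == name and v:
            return v
    return None

def extract_session_id(raw, name="sessionid"):
    """Return the session ID from whichever of the four carriers holds it, else None."""
    target, headers, body = parse_request(raw)
    parts = urlsplit(target)            # urlsplit keeps ";param" inside .path
    candidates = [
        headers.get("cookie", "").split(";"),   # 1. Cookie header
        parts.path.split(";")[1:],              # 2. ;param in the URL path
        parts.query.split("&"),                 # 3. query string
    ]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        candidates.append(body.split("&"))      # 4. form-encoded request body
    for pairs in candidates:
        sid = _lookup(pairs, name)
        if sid:
            return sid
    return None

class HijackDetector:
    """Bind each session ID to the client tuple first seen with it; check() is True
    when the same ID later arrives from a different tuple (hypothetical detector)."""
    def __init__(self):
        self.bound = {}
    def check(self, sid, client):
        return self.bound.setdefault(sid, client) != client
```

Choosing `(ip, user_agent)` as the tuple is stricter than IP alone but still needs an allowance for the multi-gateway case the reply mentions, for example by binding the User-Agent only and treating IP changes as a lower-severity signal.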