Re: How to create (hijacking) secure HTTP sessions?

[ascii <ascii () katamail com>]

Robin Wood wrote:
> What happens if your users are using proxies which change over the
> period of the session, such as AOL. This approach would stop them from
> using your system.

i think the answer is in the message you replied : )

> On 6/3/06, ascii <ascii () katamail com> wrote:
> > this should play better on https then on http because commonly ssl
> > connections are direct (while some isp split the http traffic over
> > different proxy servers and several public ips)

does AOL proxy https traffic? normally your browser open an ssl
connection directly with the server

the other option is to use a proxy with the CONNECT request method
enabled to tunnel the ssl channel (but the proxy cannot cache the
traffic, so no cache acceleration)

if this happen and the proxy change then a solution is to exclude the
ip class from the ip check

naturally you have to see the context, if your webbapp doesn't apply for
a particular check don't do that particular check

Regards, Francesco 'ascii' Ongaro - http://www.ush.it/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------