WebApp Sec mailing list archives
RE: How to create (hijacking) secure HTTP sessions?
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 7 Jun 2006 14:37:01 -0500
> Do not mix SSL sections with non-SSL sections.
>
> What do you mean by this?
>
> Mark cookies "secure".
>
> Thanks for that point!
I believe he means don't mix encrypted and unencrypted content in the same security domain. Some folks take images and other high-overhead items and *do not* encrypt them for performance reasons, but keep them in the same FQDN/security zone/domain, e.g. www.domain.com/

Problem is, if your session token is a cookie, or anything else the browser automagically coughs up, then a call to:

http://www.domain.com/non-SSL-speedy-content

will potentially pass sensitive info in the clear, like the user session token if token=cookie.

Marking cookies =secure means that the browser shouldn't pass them in clear if a mistake like this is made, but I haven't tested that on anything but IE.

-ae
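The behaviour described above, as an added example that is not part of the original post or of any browser's code: Python's standard-library `http.cookiejar` implements the browser cookie rules, so it can show that a session cookie set without `Secure` on the SSL login page is attached to a plain-http request for "speedy" content on the same host, while the same cookie set with `Secure` is withheld. The host `www.domain.com`, the cookie name `sid` and the paths are constructed sample values modelled on the post; `FakeResponse` and `audit_set_cookie` are helpers written for this example.

```python
"""Show what the Secure cookie attribute changes in a browser-style cookie jar.

Added example, not from the mailing-list post. Uses only the standard library;
host, cookie name and paths are constructed placeholders.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return the response headers. Constructed helper."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for hdr in set_cookie_headers:
            self._msg["Set-Cookie"] = hdr  # Message appends repeated headers

    def info(self):
        return self._msg


def jar_after_login(set_cookie_header, login_url="https://www.domain.com/login"):
    """Simulate the browser storing the cookie sent on the SSL login response."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie_header]), Request(login_url))
    return jar


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or "" when the browser policy withholds every cookie (e.g. Secure cookie
    on a plain-http URL)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


def audit_set_cookie(header):
    """Defender's check on a Set-Cookie header: list the attributes a session
    cookie should carry but this header lacks."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    return [a for a in ("secure", "httponly") if a not in attrs]


if __name__ == "__main__":
    # Non-SSL URL on the same FQDN, as in the post.
    speedy = "http://www.domain.com/non-SSL-speedy-content"
    for hdr in ("sid=abc123; Path=/", "sid=abc123; Path=/; Secure; HttpOnly"):
        jar = jar_after_login(hdr)
        print(f"{hdr!r:45} -> sent over http: {cookies_sent_to(jar, speedy)!r},"
              f" missing attributes: {audit_set_cookie(hdr)}")
```

Running it prints the non-Secure cookie being sent on the http:// request and the Secure one being withheld; the same Secure cookie is still sent on https:// requests to the host, which is the point of the flag. The audit function is the check to run over your own application's Set-Cookie headers before relying on the browser to save you from mixed content.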