WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Insecure Ids - Need explanation

From: "Rod Divilbiss" <rod () rodsdot com>
Date: Mon, 17 Apr 2006 13:24:52 -0500
Assume a user authenticates and the web application keeps track of the
status of being authenticated by using a session variable. The user will
likely receive a session cookie with a unique ID as a way to associate the
disconnected user to the web application session.

If then, the application allows the user to perform a powerful action
without reauthenticating, there is the risk of a "man-in-the-middle" attack,
where an attacker uses the same session cookie ID to attempt to hijack the
user's authenticated status.  SSL will help prevent interception off the
wire, but if the value is easy to predict an attacker may still be able to
guess a value to use in the attack.

Similarly, some applications may use a hidden form field or a URL parameter
to identify a disconnected user.  These may also easy for an attacker to
guess.

Even if these obviously bad methods are not used, some id or key will be
used to associated the user to the web application. If an attacker can guess
the id or key it becomes more likely the attacker can attempt to impersonate
the user.

Regards,
Rod



-----Original Message-----
From: susam_pal () yahoo co in [mailto:susam_pal () yahoo co in] 
Sent: Monday, April 17, 2006 11:19 AM
To: webappsec () securityfocus com
Subject: Insecure Ids - Need explanation

This is an extract from OWASP.

Insecure Id's - Most web sites use some form of id, key, or index as a way
to reference users, roles, content, objects, or functions. If an attacker
can guess these id's, and the supplied values are not validated to ensure
the are authorized for the current user, the attacker can exercise the
access control scheme freely to see what they can access. Web applications
should not rely on the secrecy of any id's for protection. 

=================================================
Can anyone please elaborate this part,

"If an attacker can guess these id's, and the supplied values are not
validated to ensure the are authorized for the current user, the attacker
can exercise the access control scheme freely to see what they can access."

I have never used such ids, indexes or keys when I developed authentication
systems to reference users or roles. What kind of ids or keys are we talking
about? How can an attacker use a guessed id?

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples
of recent hacking methods such as: SQL Injection, Cross Site Scripting and
Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------


-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: