WebApp Sec mailing list archives

RE: [WEB SECURITY] Session hijacking impossible with SSL client authentication?


From: "Boaz Shunami" <BoazS () comsec co il>
Date: Tue, 21 Nov 2006 18:12:32 +0200

Hi Holger,

An attacker having a valid client certificate will most probably be able
to perform session hijacking on most or all current-day web
applications. This stems from the fact that for each session, the
private certificate must be validated, which will not be the case for
most current-day 2FA systems.

Regards,

Boaz Shunami
Senior Security Consultant & Project Manager
Comsec Consulting      
Office: +972-3-9234646 ext. 220
Mobile: +972-52-4762230
e-mail: BoazS () Comsec co il
Web: http://www.ComsecGlobal.com
"The Art of Securing Your Business"


-----Original Message-----
From: Holger.Peine () iese fraunhofer de
[mailto:Holger.Peine () iese fraunhofer de] 
Sent: Tuesday, November 21, 2006 2:47 PM
To: websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Session hijacking impossible with SSL client
authentication?

Hello,

I am familiar with session hijacking by stealing the victim's
session id and inserting that into an attacker's request. This works
just as well with "normal" SSL (i.e. server authentication only),
since the client is still authenticated by its session id only.

However, what happens when SSL with client authentication (i.e. with
a client certificate) is used? When the attacker sends their first
request with the stolen session id, a new SSL handshake is performed.
Doesn't the server require a matching client certificate in the course
of this handshake (which would make the handshake fail, and the stolen
session id useless)? Or is the client certificate validated only once
per session (but that would mean that the SSL server implementation
would have to check if a valid session id is contained in the request,
which looks highly improbable to me, since that would confuse the
different protocol layers of SSL and the application)?

Thanks for your replies,
Holger Peine

-- 
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8
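The situation both messages describe, as an added illustration that is not code from either poster: a minimal server-side session store run in the usual mode (session id alone authenticates) and in a mode that binds the session to the fingerprint of the certificate presented at login, then replayed with a stolen session id. It assumes TLS client authentication is required on every handshake; the certificate bytes are constructed placeholders, not real DER.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for DER-encoded client certificates (not real certs).
ALICE_CERT = b"constructed-cert-alice"
MALLORY_CERT = b"constructed-cert-mallory"  # a different, equally valid cert


def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


class SessionStore:
    """bind_cert=False is the usual design: the session id alone authenticates.
    bind_cert=True pins the id to the fingerprint of the login-time certificate."""
    def __init__(self, bind_cert):
        self.bind_cert = bind_cert
        self._sessions = {}  # session id -> certificate fingerprint (or None)

    def create(self, client_cert_der):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = cert_fingerprint(client_cert_der) if self.bind_cert else None
        return sid

    def validate(self, sid, client_cert_der):
        if sid not in self._sessions:
            return False
        if not self.bind_cert:
            return True  # certificate on this connection is never consulted
        return hmac.compare_digest(self._sessions[sid], cert_fingerprint(client_cert_der))


def handle_request(store, sid, client_cert_der):
    # Assumption: TLS client auth is required, so a handshake without any
    # certificate fails before the request ever reaches the application.
    if client_cert_der is None:
        return False
    return store.validate(sid, client_cert_der)


def replay_outcomes(bind_cert):
    """Alice logs in; her session id is then replayed from other connections."""
    store = SessionStore(bind_cert)
    sid = store.create(ALICE_CERT)
    return {"owner": handle_request(store, sid, ALICE_CERT),
            "other_cert": handle_request(store, sid, MALLORY_CERT),
            "no_cert": handle_request(store, sid, None)}
```

With `bind_cert=False` the replay under Mallory's own valid certificate succeeds, which is the point of the reply above; with `bind_cert=True` only the owner's certificate is accepted.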

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


