WebApp Sec mailing list archives

Re: [WEB SECURITY] Session hijacking impossible with SSL client authentication?


From: ed <edvuln () s5h net>
Date: Sun, 26 Nov 2006 21:56:29 +0000

On Tue, 21 Nov 2006 18:12:32 +0200
"Boaz Shunami" <BoazS () comsec co il> wrote:

> Hi Holger,
>
> An attacker having a valid client certificate will most probably be
> able to perform session hijacking on most or all current-day web
> applications. This stems from the fact that for each session, the
> private certificate must be validated, which will not be the case for
> most current-day 2FA systems.

Do you mean web session? As yes, this is very possible if you get the
cookie value. The SSL is just for socket layer transmission, not for web
variable validation/security. That's totally dependent on how the
webserver implements this.

-- 
Regards, Ed                      :: http://www.s5h.net
:%s/  /\t/g                      :: proud unix system person
:%s/Open Source/Free Software/g
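The point Ed makes, that TLS client authentication sits at the socket layer while the web application only checks the cookie value, can be illustrated with an added example that is not part of this thread: a session store that binds each session id to the fingerprint of the client certificate that authenticated the connection, so a copied cookie on its own is not accepted. The store, the DER byte strings and the function names are constructed for illustration; a real deployment would take the certificate from the TLS layer (the socket's peer certificate, or a header set by a TLS-terminating proxy).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> fingerprint of the
# client certificate that was presented when the session was created.
_sessions: Dict[str, str] = {}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded client certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def create_session(der_cert: bytes) -> str:
    """Issue a random session id and bind it to the authenticated client cert."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = cert_fingerprint(der_cert)
    return sid


def validate_session(sid: str, der_cert: Optional[bytes]) -> bool:
    """Accept the session cookie only if the same client certificate is on
    the current connection.

    A cookie replayed over a connection without a client certificate is
    rejected; a cookie replayed with a different certificate is rejected
    and the session is revoked, since the cookie has evidently leaked.
    """
    bound = _sessions.get(sid)
    if bound is None or der_cert is None:
        return False
    if not hmac.compare_digest(bound, cert_fingerprint(der_cert)):
        _sessions.pop(sid, None)  # revoke: cookie presented by another identity
        return False
    return True
```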


