WebApp Sec mailing list archives
Re: [WEB SECURITY] Session hijacking impossible with SSL client authentication?
From: ed <edvuln () s5h net>
Date: Sun, 26 Nov 2006 21:56:29 +0000
On Tue, 21 Nov 2006 18:12:32 +0200 "Boaz Shunami" <BoazS () comsec co il> wrote:
> Hi Holger,
>
> An attacker having a valid client certificate will most probably be able to perform session hijacking on most or all current-day web applications. This stems from the fact that for each session, the private certificate must be validated; which will not be the case for most current-day 2FA systems.
Do you mean web session? As yes, this is very possible if you get the cookie value. The SSL is just for socket layer transmission, not for web variable validation/security. That's totally dependent on how the webserver implements this.

--
Regards, Ed :: http://www.s5h.net :%s/ /\t/g
:: proud unix system person :%s/Open Source/Free Software/g
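The point Ed makes, that the TLS client certificate only authenticates the connection and the web session lives in a cookie the server validates on its own, can be shown with a small server-side check. This is an added example, not code from either poster: it assumes a hypothetical in-memory session store and that the server can obtain the DER bytes of the peer certificate from its TLS layer; the certificate bytes below are constructed stand-ins. `validate_unbound` is the cookie-only check that accepts a stolen cookie value from any connection, while `validate_bound` only accepts the cookie over a connection presenting the certificate it was issued to.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical in-memory store: session id -> (user, fingerprint of the client cert
# that was presented when the session was created, or None if there was none).
SESSIONS: dict = {}


def cert_fingerprint(cert_der: Optional[bytes]) -> Optional[str]:
    """SHA-256 fingerprint of the DER-encoded client certificate, or None if none was presented."""
    if cert_der is None:
        return None
    return hashlib.sha256(cert_der).hexdigest()


def create_session(user: str, cert_der: Optional[bytes]) -> str:
    """Issue a random session cookie value and record which client cert authenticated it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, cert_fingerprint(cert_der))
    return sid


def validate_unbound(sid: str) -> Optional[str]:
    """Cookie-only check: whoever presents the cookie value is treated as the user.

    This is the behaviour Ed describes: TLS client auth happened at the socket
    layer, but the web layer never looks at it again, so a copied cookie is enough."""
    entry: Optional[Tuple[str, Optional[str]]] = SESSIONS.get(sid)
    return entry[0] if entry else None


def validate_bound(sid: str, cert_der: Optional[bytes]) -> Optional[str]:
    """Cookie plus certificate check: the cookie is accepted only over a connection
    that presents the same client certificate the session was bound to at creation."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, bound_fp = entry
    presented_fp = cert_fingerprint(cert_der)
    # A session created without a cert, or a request arriving without one, is rejected.
    if bound_fp is None or presented_fp is None:
        return None
    # Constant-time comparison of the two hex fingerprints.
    if not hmac.compare_digest(bound_fp, presented_fp):
        return None
    return user
```

In a real deployment the fingerprint would be computed from the certificate the TLS terminator exposes to the application for that request, and the session id would still need the usual protections against being copied in the first place.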