WebApp Sec mailing list archives
Re: Login credentials and session id security
From: David Wall <dwall () yozons com>
Date: Fri, 08 Jun 2007 11:24:34 -0700
Keep in mind that hidden input fields are visible to the user (view page source), so if it's their credentials, then no problem, but they can be viewed and re-used if that's a design issue.
Also, GET requests submit their params on the query line, so they are often logged in web server logs, thus turning what may be SSL encrypted over the wire to cleartext in the web server log (or your own logs if you also record the URL used). They are also stored in the browser's cache.
HTTPS POST is your best bet for transferring data. If the user is tricked, then the credentials will be stolen (this is what phishing attacks are all about), but if the user goes to your web site over HTTPS and is paying attention, he should notice whether he's connected to your secure web server or not. If so, then a proxy on his end shouldn't matter.

Some have used two-phase logins to help users detect phishing sites, but users who are tricked by such attacks probably won't be savvy enough to really appreciate the two-phase login. With a two-phase login, the user first identifies himself without giving up the password, and the system responds with some data (a picture, DOB or some user-chosen quotation are common) that it knows about the user, figuring that a phishing site won't know this and thus cannot provide that response before the user enters the password.

Good luck. Please realize that almost every e-commerce site "suffers" from this, so it's not just your problem, but then remind yourself that banks, stock brokers, Amazon.com, Google AdWords, PayPal, etc. all have this issue, too, and they are very successful despite it all. Be sure to balance real risk with any solution that makes it harder to use. Banks don't make their customers go through metal detectors because the trade-off in added security outweighs the atmosphere banks are trying to portray.
David
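The two points in the message above (credentials in a GET query string land verbatim in the access log, and a two-phase login that shows the user something only the real site knows) as an added, self-contained example. This is not code from the original thread or from any of the posters; the user store, the 100,000-iteration PBKDF2 setting, the per-process server key and the request lines are all constructed for the demo.

```python
"""Added example (not from the original thread): why credentials sent via GET
end up in web server logs while a POST body does not, a login handler that
refuses credentials in the query string, and a minimal two-phase login.
Everything below (users, keys, request lines) is constructed for the demo."""
from urllib.parse import urlsplit, parse_qs
import hashlib
import hmac
import secrets


def access_log_line(method, target, status=200, size=512,
                    remote="203.0.113.10", ts="08/Jun/2007:11:24:34 -0700"):
    """Render a Common Log Format line the way httpd/nginx would.
    The request target is logged verbatim, query string included, so a GET
    login form writes the password into the log even over HTTPS."""
    return f'{remote} - - [{ts}] "{method} {target} HTTP/1.1" {status} {size}'


SENSITIVE = ("username", "password", "passwd", "pwd", "sessionid", "jsessionid")


def log_leaks_credentials(line):
    """Detection check: does a logged request line carry sensitive query params?
    Useful for auditing existing logs for the problem described in the post."""
    try:
        request_target = line.split('"')[1].split(" ")[1]
    except IndexError:
        return False
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return any(k.lower() in SENSITIVE for k in params)


def _pbkdf2(password, salt):
    # assumption for the demo: PBKDF2-HMAC-SHA256, 100k iterations
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = secrets.token_bytes(16)
# constructed user store: username -> salt, password hash, anti-phishing phrase
USERS = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse", _SALT),
              "phrase": "blue heron"},
}
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret


def handle_login(method, target, body=""):
    """Accept credentials only from a POST body. A GET is refused outright and
    a POST that also carries credentials in the query string is rejected, so a
    link or bookmark can never authenticate and nothing sensitive reaches the
    access log, browser history or cache. Returns (status, message)."""
    path, _, qs = target.partition("?")
    if path != "/login":
        return 404, "not found"
    if method != "POST":
        return 405, "credentials must be sent in a POST body"
    if any(k.lower() in SENSITIVE for k in parse_qs(qs, keep_blank_values=True)):
        return 400, "credentials are not accepted in the query string"
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_pbkdf2(password, rec["salt"]),
                                              rec["hash"]):
        return 401, "bad credentials"
    return 200, "ok"


def phase_one(username):
    """Two-phase login, step 1: the user identifies himself without a password
    and gets back the phrase he chose at enrolment. Unknown usernames receive a
    stable decoy phrase (keyed HMAC of the name) so the response does not
    reveal which accounts exist."""
    rec = USERS.get(username)
    if rec is not None:
        return rec["phrase"]
    decoy = hmac.new(SERVER_KEY, username.encode(), "sha256").hexdigest()[:8]
    return f"phrase-{decoy}"


if __name__ == "__main__":
    leaky = access_log_line("GET", "/login?username=alice&password=correct+horse")
    print(leaky)                       # password visible in the log line
    print(log_leaks_credentials(leaky))
    print(access_log_line("POST", "/login"))  # body is not logged
    print(handle_login("GET", "/login?username=alice&password=correct+horse"))
    print(handle_login("POST", "/login", "username=alice&password=correct+horse"))
    print(phase_one("alice"), phase_one("nobody"))
```

The access-log check is the audit a practitioner would run before changing the form: grep the existing logs with `log_leaks_credentials` and you know whether any password has already been written to disk. Note that the server refusing a GET does not unlog a request that was already made; the fix is a `method="post"` form plus a handler that never reads credentials from the query string. The two-phase step only helps against a phishing site that cannot reach the real server; a proxy that relays step one will show the genuine phrase, which is the limitation the message alludes to.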
Current thread:
- Login credentials and session id security Vishal Garg (Jun 06)
- Message not available
- Re: Login credentials and session id security Scott C. Sanchez (Jun 08)
- Message not available
- RE: Login credentials and session id security Ken Schaefer (Jun 08)
- Re: Login credentials and session id security AdityaK (Jun 08)
- Re: Login credentials and session id security Aman Raheja (Jun 08)
- Re: Login credentials and session id security Dean H. Saxe (Jun 08)
- Re: Login credentials and session id security Aman Raheja (Jun 10)
- Re: Login credentials and session id security Dean H. Saxe (Jun 08)
- Re: Login credentials and session id security James Landis (Jun 08)
- Re: Login credentials and session id security David Wall (Jun 10)
- Message not available
- Re: Login credentials and session id security Vishal Garg (Jun 08)
- Re: Login credentials and session id security matt farey (Jun 10)
- Re: Login credentials and session id security Scott C. Sanchez (Jun 10)
- Re: Login credentials and session id security James Landis (Jun 11)
- Re: Login credentials and session id security Vishal Garg (Jun 08)
- <Possible follow-ups>
- Re: Login credentials and session id security Shaon Diwakar (Jun 08)
- Re: Login credentials and session id security Shaon Diwakar (Jun 21)