WebApp Sec mailing list archives
Re: Login credentials and session id security
From: Javier Fernández-Sanguino <jfernandez () germinus com>
Date: Mon, 13 Aug 2007 20:15:19 +0200
David Wall dijo:
Keep in mind that hidden input fields are visible to the user (view page source), so if it's their credentials, then no problem, but they can be viewed and re-used if that's a design issue.
Notice that hidden input fields might also be stored locally on the client side, which means that they might be visible even if the browser has exited. Swap areas and browser's caches can be a way to extract these hidden input fields even if the user is no longer working at the system. Caching is implemented client-side and the server can only "try" to force the client to not cache data (setting the corresponding Pragma: in the HTTP header or the HTML document) but some clients might not enforce this properly and leave your content right there, in the client's hard disk after they have exited their session.
Regards Javier ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack AttacksHackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- Re: Login credentials and session id security Javier Fernández-Sanguino (Aug 15)
- <Possible follow-ups>
- Re: Login credentials and session id security pagvac (Aug 16)