WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Tue, 31 Mar 2009 01:48:35 +0530
Are there other fail-safe options, to make sure a user's session CAN NOT be hijacked even if the web application is vulnerable to Cross-Site Scripting, AND the user's computer is infected?

It is like asking if you keep your car's window open with the keys intact, is there a solution that can still prevent intruders stealing your car? The answer is Yes and No as well. The "Yes" part comes with a bit more expensive solutions (Sol1: fingerprint scanners, Sol2: voice-operated start device, etc.) and the "No" is well understood... Ideally, if you have already made sure the car's windows are shut and the keys are with you while you park your car, then you have fairly limited the chances of your car getting stolen.

The bottom line here: security is all about a layered approach, and it is better and stronger if every layer is hardened at its core... However, first things first - try to fix the things which can lead to the damage. Session hijacking is not a vulnerability by itself; a malicious user has to rely upon other vulnerabilities like XSS and related attacks to gain access to the victim's session. Hence, the focus should first be on fixing the actual vulnerabilities, and any additional measures will help improve the overall security.

Surprisingly, there is another very simple method to prevent a stolen session being reused, but sadly I don't find many applications using it. To prevent stolen sessions/cookies from reuse, make sure there can be only one instance of a particular active user session, and any attempt to re-use the session/cookies should disallow the other user from using it. Additionally, make sure sessions expire the moment the user logs out, directly closes the browser, or is idle for some period of time.

-d

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tommy
Sent: 27 March 2009 20:33
To: webappsec () securityfocus com
Subject: How can i protect against session hijacking?

Gents,

I'm having a conundrum that might tickle your fancy. How can you efficiently prevent session hijacking?

The problem:
--------------
User sessions are most often kept through cookies (one or multiple cookies). We all know how dangerous Cross-Site Scripting attacks can be in this case, when this piece of information is hijacked. If an attacker gets hold of the end user's cookies (through XSS and so forth), how can you actually prevent session hijacking?

The pros and cons list:
------------------------------
PROS: Client certificates installed on the client machine can be used.
CONS: This certificate can be stolen if the computer is infected, right?

PROS: Using the client's remote IP address as validation.
CONS: This can in some cases not be used due to internet proxies (NATing), firewall load balancing, shared gateway IPs, etc.

PROS: Using SSL so cookie information is not cached or leaked in any way.
CONS: None I reckon...? Besides rendering IPS/IDS systems useless.

PROS: Setting cookies with the HttpOnly flag.
CONS: Can be bypassed, and not all web browsers support the use of HttpOnly.

PROS: Using client fingerprinting like browser User-Agent, Java version, etc.
CONS: Can be manipulated, and will prevent the user from using multiple browsers within a short timeframe.

PROS: Regenerating cookie information often, or on each request.
CONS: The "back button" will not work, and it is probably not a fail-safe solution.

Are there other fail-safe options, to make sure a user's session CAN NOT be hijacked even if the web application is vulnerable to Cross-Site Scripting, AND the user's computer is infected? Or at least other techniques that will make session hijacking in general harder... that do not rely upon IP addresses?

Sincerely,
Tommy

--
http://www.fastmail.fm - Does exactly what it says on the tin
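An added example, not code from this thread or from any of its posters, showing how a server-side session store can enforce the controls the reply above describes (one live session per user, a stolen cookie that is replayed from another client invalidates the session for everyone, expiry on logout and after an idle or absolute timeout) together with the HttpOnly/Secure cookie flags from the pros-and-cons list. The timeout values, the choice of the User-Agent string as the client fingerprint, and all class and function names are illustrative assumptions; the sample user agents are constructed.

```python
# Added example (not from this thread or its posters): a minimal server-side
# session store enforcing single-session-per-user, replay revocation, logout and
# idle/absolute expiry. Timeouts, fingerprint source and names are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumption: revoke after 15 min without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: revoke 8 h after login regardless


@dataclass
class Session:
    user: str
    fingerprint: str      # client fingerprint captured at login (e.g. User-Agent)
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """One live session per user; reuse from another client kills the session."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                               # injectable clock for tests
        self.sessions: Dict[str, Session] = {}
        self.active_by_user: Dict[str, str] = {}     # user -> its single live sid

    def login(self, user: str, fingerprint: str) -> str:
        """Issue a fresh, unguessable session id; revoke any earlier one for the user."""
        old = self.active_by_user.get(user)
        if old is not None:
            self._revoke(old)
        sid = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
        t = self.now()
        self.sessions[sid] = Session(user, fingerprint, t, t)
        self.active_by_user[user] = sid
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie value: no Expires/Max-Age (browser discards it on close),
        Secure (sent over HTTPS only), HttpOnly (hidden from document.cookie)."""
        return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def validate(self, sid: str, fingerprint: str) -> Optional[str]:
        """Return the user name for a usable session, else None.

        A cookie presented with a fingerprint other than the one it was issued to
        is treated as a replay of a stolen cookie: the session is revoked for
        everyone, so the legitimate user is logged out rather than silently shared.
        """
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return None
        t = self.now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self._revoke(sid)
            return None
        if not hmac.compare_digest(s.fingerprint.encode(), fingerprint.encode()):
            self._revoke(sid)
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid: str) -> None:
        """Expire the session server-side the moment the user logs out."""
        if sid in self.sessions:
            self._revoke(sid)

    def _revoke(self, sid: str) -> None:
        s = self.sessions[sid]
        s.revoked = True
        if self.active_by_user.get(s.user) == sid:
            del self.active_by_user[s.user]


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed sample UA)"
    sid = store.login("alice", ua)
    print(store.cookie_header(sid))
    print(store.validate(sid, ua))                              # alice
    print(store.validate(sid, "curl/7.0 (constructed sample)"))  # None: replay detected
    print(store.validate(sid, ua))                              # None: already revoked
```

Two caveats the thread itself raises apply here. The fingerprint check is a heuristic: a User-Agent string can be copied along with the cookie, so the real protection comes from fixing the XSS and from the short timeouts, not from the fingerprint alone. And "expire when the browser closes" can only be approximated: omitting Expires/Max-Age makes the browser discard the cookie, but the server never learns that the window was closed, so the idle timeout is what actually retires the server-side record.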