WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Thu, 2 Apr 2009 21:42:25 +0530
Not sure if I have understood you correctly or I am a bit off here; can you explain what you mean by "simply gaining control of, or being able to generate, the session token (which is clearly a form of session hijacking)"? I failed to understand here how someone can simply gain control over the session without relying upon any other attack.

Regarding "generate, the session token" - if the session is guessable or can be generated by session pattern analysis then it is a clear case of a weak session issue. Isn't a weak (or predictable) session issue different from session hijacking? In other words, here session hijacking is possible provided the adverse user is successfully able to guess/predict the sessions.

-d

________________________________________
From: David Scholefield [mailto:david () port80 com]
Sent: 02 April 2009 13:55
To: Debasis Mohanty
Cc: 'Tommy'; webappsec () securityfocus com
Subject: Re: How can i protect against session hijacking?

On 30 Mar 2009, at 21:18, Debasis Mohanty wrote:

Session hijacking is not a vulnerability by itself; a malicious user has to rely upon other vulnerabilities like XSS and related attacks to gain access to the victim's session.

This isn't really accurate in my opinion - consider the case when a session token is used as the only identification and authentication mechanism that controls access to protected resources. In this instance, simply gaining control of, or being able to generate, the session token (which is clearly a form of session hijacking) will lead to data compromise without any other form of attack. This is sometimes achievable by simply manually creating a token within an HTTP request.

Session hijacking - on its own - is a serious vulnerability that may require no other vulnerability to enable exploitation to take place.

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com
Security in a connected world
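The thread turns on whether a session token that is the sole authenticator can be guessed or generated. The following added example (not code from either poster) is the kind of check a reviewer would run over a sample of issued tokens: a constructed, deliberately weak counter-plus-timestamp scheme is compared with tokens from the OS CSPRNG, and the assessment flags low per-position entropy and monotonic issue order as predictability red flags. The `weak_token`, `strong_token` and `assess` names, the sample size and the 64-bit threshold are all assumptions of this example.

```python
import math
import secrets
from collections import Counter

def weak_token(counter: int, timestamp: int) -> str:
    """Constructed weak scheme (hypothetical): zero-padded issue counter
    followed by the Unix time of issue. Both fields are extrapolable."""
    return f"{counter:06d}{timestamp:010d}"

def strong_token(nbytes: int = 32) -> str:
    """Token drawn from the OS CSPRNG, as a token that is the only
    authenticator for a session must be."""
    return secrets.token_urlsafe(nbytes)

def per_position_entropy_bits(tokens):
    """Sum of the Shannon entropy of the symbols seen at each character
    position. Positions are not independent, so this over-estimates real
    unpredictability: a low result is therefore a definite red flag."""
    length = min(len(t) for t in tokens)
    total = 0.0
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        n = sum(counts.values())
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total

def fixed_positions(tokens):
    """Character positions whose value never changes across the sample."""
    length = min(len(t) for t in tokens)
    return [i for i in range(length) if len({t[i] for t in tokens}) == 1]

def is_monotonic(tokens):
    """True when tokens in issue order only ever increase, i.e. a counter
    or clock is leaking through and the next token can be extrapolated."""
    return all(a < b for a, b in zip(tokens, tokens[1:]))

def assess(tokens, min_bits=64.0):
    bits = per_position_entropy_bits(tokens)
    return {
        "entropy_bits": round(bits, 1),
        "fixed_positions": fixed_positions(tokens),
        "monotonic": is_monotonic(tokens),
        "predictable": bits < min_bits or is_monotonic(tokens),
    }

# Constructed sample: 200 tokens issued one per second under each scheme.
START = 1238687545  # constructed Unix timestamp, not a value from the thread
WEAK_SAMPLE = [weak_token(i, START + i) for i in range(1, 201)]
STRONG_SAMPLE = [strong_token() for _ in range(200)]

if __name__ == "__main__":
    print("weak  :", assess(WEAK_SAMPLE))
    print("strong:", assess(STRONG_SAMPLE))
```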