WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: David Scholefield <david () port80 com>
Date: Fri, 3 Apr 2009 09:41:46 +0100
On 3 Apr 2009, at 05:58, AF wrote:
> Debasis Mohanty wrote:
> > So in your opinion if an application is vulnerable to one XSS but an adversary can exploit the XSS to do 10 different malicious operations, then the app is vulnerable to 10 issues not 1 XSS?? Won't it give a misleading/vague assessment of vulnerability? No offence but I have seen this before in many fake consultants' reports where they try to blow up an XSS and exploit it in more than one way to increase the vulnerability count in a report.
> > -d
>
> Typical. Automated web assessment tools reporting 300 critical vulnerabilities... all located in one URL, one parameter. Result: a 500-page report that makes the client suffer just as he sees it.
The answer is not to use automated tools for web security assessment! To be fair, I've seen a number of tools that don't generate bogus 'sub' vulnerabilities, but in general you get what you pay for, and expertise is expensive.

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com
Security in a connected world