WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: Justin Clarke <justin () justinclarke com>
Date: Thu, 02 Apr 2009 10:14:34 +0100
One possibility is the WAF tying the session cookie to the SSL session, i.e. the session information is internally related in the WAF to a single known SSL session, and therefore you shouldn't be able to use that session identifier from another machine, or even from another browser on the same machine.

No idea how problematic this is in practice - some of the solutions included in the RFI we ran for a client recently noted this capability. Would be interested if anyone has ever seen this work.

Justin

On 02/04/2009 07:02, "Martin O'Neal" <martin.oneal () corsaire com> wrote:

> > Try installing a Web Application Firewall (WAF) that prevents attacks like this, there are several on the market...
>
> LOL; this I want to hear. Explain how a WAF addresses: "If an attacker gets hold of the end user's cookies (through XSS and so forth), how can you actually prevent session hijacking?"
>
> Oh, and just to be specific, in this scenario the relevant bit is the session hijacking; the cookies and session ID are already lost via some mechanism (which isn't of interest).
>
> Martin...
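The mechanism Justin describes (a session id that is only honoured on the TLS session it was issued over) can be sketched as a small server-side, or WAF-side, session table. The following is an added example written for this archive page; it is not code from any product mentioned in the thread or from either poster. `tls_binding` is a placeholder for whatever identifies the TLS session on the terminating device (TLS session ID, or a channel-binding value such as tls-exporter); obtaining it from a real TLS stack is assumed and not shown. Channel identifiers and user names are constructed.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class BoundSessionStore:
    """Session table that records the TLS channel each session id was issued on.

    A cookie is only accepted when it arrives on that same channel, so a copy
    stolen via XSS and replayed from the attacker's own connection is refused.
    """

    def __init__(self) -> None:
        # session_id -> (user, tls_binding the session was issued on)
        self._sessions: Dict[str, Tuple[str, bytes]] = {}

    def issue(self, user: str, tls_binding: bytes) -> str:
        """Create a session for `user` bound to the presenting TLS channel."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user, tls_binding)
        return session_id

    def lookup(self, cookie: str, tls_binding: bytes) -> Optional[str]:
        """Return the user for `cookie` if it arrives on the channel it was bound to.

        A valid cookie on a different channel is treated as a replay: the
        session is revoked and None is returned.
        """
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, bound_to = entry
        if not hmac.compare_digest(bound_to, tls_binding):
            # Same cookie, different TLS session: the stolen-cookie case.
            # Killing the session limits the damage to a forced re-login.
            del self._sessions[cookie]
            return None
        return user


def simulate_hijack() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk through the thread's scenario with constructed channel identifiers."""
    store = BoundSessionStore()
    victim_channel = secrets.token_bytes(32)    # constructed: victim's TLS session
    attacker_channel = secrets.token_bytes(32)  # constructed: attacker's own TLS session

    cookie = store.issue("alice", victim_channel)          # victim logs in
    victim_before = store.lookup(cookie, victim_channel)   # normal request -> "alice"

    # Attacker already holds the cookie (XSS etc.) and replays it over
    # their own connection, which presents a different tls_binding.
    attacker = store.lookup(cookie, attacker_channel)      # -> None, session revoked

    victim_after = store.lookup(cookie, victim_channel)    # -> None, alice must log in again
    return victim_before, attacker, victim_after


if __name__ == "__main__":
    print(simulate_hijack())
```

The practical caveat hinted at in the thread lives in the choice of `tls_binding`: a raw TLS session ID changes on every full handshake, and browsers open several parallel connections and resume sessions unpredictably, so binding to it alone will log legitimate users out and forces a re-bind only via re-authentication. Binding to a longer-lived channel identity (a client certificate, or a key-bound token such as RFC 8471 Token Binding) is what makes the idea survive real browsers.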
Current thread:
- RE: How can i protect against session hijacking? Chris Grove (Apr 01)
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 01)
- Re: How can i protect against session hijacking? Justin Clarke (Apr 02)
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 02)
- Re: How can i protect against session hijacking? Adam Todorski (Apr 02)
- RE: How can i protect against session hijacking? Martin O'Neal (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- Re: How can i protect against session hijacking? David Scholefield (Apr 03)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- RE: How can i protect against session hijacking? Debasis Mohanty (Apr 02)
- Re: How can i protect against session hijacking? AF (Apr 03)
- Re: How can i protect against session hijacking? David Scholefield (Apr 03)
- Re: How can i protect against session hijacking? AF (Apr 03)