Hosting Provided By

Re: Hijacking URL Encoded Session IDs using Referer Logs

From: Bob Lee <crazybob(at)crazybob.org>
Date: Mon Nov 25 2002 - 10:40:57 EST

One, I could have missed it, but I don't see anything in the owasp security guide advising application developers to disable URL encoded session IDs.

Two, you can't tie the origin of the the request (the IP address) to the session for reasons that have been discussed here time and time again.

Three, expiring sessions in a "timely" manner accomplishes nothing. 0 seconds is the only safe timeout. A cracker could write a program that monitors the HTTP referrer headers and e-mails her (hell, pages her) as soon as it sees something that looks like a session ID.

Four, most people worry about XSS attacks. Many sites (and web mail clients) allow links, and they also support URL-based session IDs. The *only* reason I bring this up is that I've seen examples of issue in my referer logs.

Bob

Jeff Dafoe wrote:

>>Many (most?) application servers use URL encoded session IDs when the
>>user has disabled cookies. Many users disable cookies as a security
>>precaution. There should be an advisory on this so that application
>>server vendors stop allowing URL encoded session IDs by default.

>
>
> If the sessions in a particular app are that easy to hijack then the
Received on Mon Nov 25 13:12:42 2002

This message: [ Message body ]
Next message: ONEILL David J: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
In reply to Jeff Dafoe: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Next in thread: Jeff Dafoe: "Re: Hijacking URL Encoded Session IDs using Referer Logs"
Reply: Jeff Dafoe: "Re: Hijacking URL Encoded Session IDs using Referer Logs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

Do you need help?