Re: Hijacking URL Encoded Session IDs using Referer Logs

And ... Unless one would want to limit potential users from being able to access the website, one would never assume that the session ID could be stored in a cookie.

David J. O'Neill
NEDSS - IS7
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX: (503) 378-2102
>>> crazybob@crazybob.org 11/25/02 06:59AM >>>
Many (most?) application servers use URL encoded session IDs when the user has disabled cookies. Many users disable cookies as a security precaution. There should be an advisory on this so that application server vendors stop allowing URL encoded session IDs by default.

If you can post an interesting link to a site, you can hijack the sessions of users with cookies disabled, and no one would be the wiser.

Does hotmail or yahoo use URL session IDs? E-mail someone a link to your site and hijack their e-mail account. In the scope of this attack, they'd have no way to tell that you stole it.

Also a good reason to use HTTPS.

Bob

On Monday, November 25, 2002, at 07:48 AM, zeno wrote:

> Not to my knowledge. I guess the question would be why would you store

                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
Do you need more help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
                                                                              
                                                                              
                                                                              
                                                                           

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek