Hosting Provided By

Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Thu Dec 19 2002 - 14:45:48 EST

| ACROS Security is pleased to announce the publication of a

Very interesting. Particularly the part where one can include the session ID in a URL, as it doesn't depend on other bugs (such as XSS) in the target web site. The paper is also very well written.

The whole thing reminds me of something a friend pointed me to a couple of weeks ago: Using the same session id on both unencrypted and encrypted communication. Many web sites let you start with plain HTTP, and switch to HTTPS as soon as you want to log in. If someone sniffs the victim's session ID before the victim logs in over HTTPS, that someone may, in many cases, use that very same session ID to impersonate the victim after he has been authenticated. The solution is, as with session fixation, to invalidate the session (and create a new one) when switching from unauthenticated to authenticated user.

Well, merry Christmas and so on to everybody!

Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/

Received on Thu Dec 19 15:01:50 2002

This message: [ Message body ]
Next message: Sverre H. Huseby: "Re: XSS"
Previous message: Kevin Spett: "Re: SUMMARY modify non-persistent cookies and more q's"
In reply to Mark Curphey: "Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications"
Next in thread: Bill Pennington: "Re: Security Paper: Session Fixation Vulnerability in Web-based Applications"
Reply: Bill Pennington: "Re: Security Paper: Session Fixation Vulnerability in Web-based Applications"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT