Home page logo
/

pen-test logo Penetration Testing mailing list archives

history.dat replay attack
From: spammailme () gmail com
Date: 9 Nov 2006 18:45:00 -0000

All –

Next during a PT it was discovered the browser history stored fully qualified domain and URI (ie. 
www.example.com/secure/login.do?session=UYUYFIBV876760760hGUYGU)

Which can be extracted and replayed in another browser. There is a default timeout as a control yet I want to have it 
removed when session is terminated. It was still there after the browser was closed AND replayable.

Any possible solutions to this issue

First does anyone the windows equiv the *nix history.dat? What is the file name (ntuser.dat?) or path?

Thx
- Don

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault