Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Session Hijacking over HTTP
From: "Christophe Vandeplas" <christophe () vandeplas com>
Date: Wed, 19 Mar 2008 09:02:35 +0100

On 3/18/08, 11ack3r <11ack3r () gmail com> wrote:
Hello Everyone,

 I was curious to know how would webmail portals like gmail.com and
 yahoo.com protect their users from session hijacking when they use
 HTTP after authentication.

I don't exactly know about how they do it, but there are clever ways
to lower the risk of being exploited by storing client-information in
the server-side session.

This way when an attacker hijacks the session he should also spoof
that information. This lowers the chance of being attacked, but should
not be considered as safe as SSL (like the others said).

Example: Store in the server-side session information like:
- session id
- IP addr of client
- user-agent string (or part of the string)

If you notice that the session-id is the same, but these variables are
different there is a high risk of having a hijacked session.

Nice things you can also do are sending an http-redirect to
http://en.wikipedia.org/wiki/Session_Hijacking . The attacker _wil
know_ that _you know_ what he's doing. He also knows you are probably
logging these events and might even have a triggered alert. Most of
the attackers will stop trying here.

Another nice thing to do is to alert the real user that there were
security issues and that he should re-login to verify his identity.
Please only do this when logging in over a secure connection, you
don't want to give a sniffing attacker the real password of the
account :-)

We did implement this for a proof of concept. And the reaction of the
audience was nice when seeing a) the redirection and b) the alert at
the real-user-side.


This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]