WebApp Sec
mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: Bob Lee <crazybob () crazybob org>
Date: Mon, 25 Nov 2002 08:32:49 -0600
Many (most?) application servers use URL encoded session IDs when the
user has disabled cookies. Many users disable cookies as a security
precaution. There should be an advisory on this so that application
server vendors stop allowing URL encoded session IDs by default.
If you can post an interesting link to a site, you can hijack the
sessions of users with cookies disabled, and no one would be the wiser.
Does hotmail or yahoo use URL session IDs? E-mail someone a link to
your site and hijack their e-mail account. In the scope of this attack,
they'd have no way to tell that you stole it.
Also a good reason to use HTTPS.
Bob
On Monday, November 25, 2002, at 07:48 AM, zeno wrote:

> Not to my knowledge. I guess the question would be why would you store
> the session id in a user's URL? I suppose people who are too lazy to
> learn about cookies and don't mind having the ID logged on the server
> side.
>
> Not to mention it's *possible* that this id can be saved by a webspider
> and archived. If using cookies to store these IDs you won't have to
> worry about this problem. (unless there is a new super spider which
> logs cookies that I am unaware of in production use?)
>
> - zeno
>
>> Is there anything on CERT about the fact that URL encoded session IDs
>> get passed to referenced sites in the HTTP referer header?
>>
>> Thanks,
>> Bob
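The leak the thread describes (a session ID rewritten into the URL being carried to a third-party site in the Referer header, and into access logs on both ends) can be checked for in your own logs. The following Python script is an added example, not code from the original post or from any application server: it scans combined-format access log lines for session identifiers in either the request target (meaning the application is issuing URL-encoded sessions) or the Referer field (meaning another site, or your own, just handed a token to this server), and it offers a helper that redacts such values before a URL is logged or passed on. The parameter-name list, the log lines and the host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names commonly used for URL-encoded sessions (servlet containers,
# PHP, hand-rolled apps). This list is an assumption; extend it for your stack.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "session_id", "sid"}

# Servlet containers append the session as a path parameter: /app/page;jsessionid=ABC
PATH_PARAM_RE = re.compile(r";(jsessionid)=([^;/?#]+)", re.IGNORECASE)

# Apache/nginx "combined" log format (constructed regex, covers the common shape).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines: line 1 shows the app issuing a URL session,
# line 2 shows that token arriving in a Referer from another host, line 3 a
# PHP-style query-string session, line 4 a clean request.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Nov/2002:08:32:49 -0600] "GET /mail/inbox;jsessionid=2F9A7C3E1B HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Nov/2002:08:33:02 -0600] "GET /article.html HTTP/1.1" 200 2048 "http://webmail.example/mail/inbox;jsessionid=2F9A7C3E1B" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Nov/2002:08:34:10 -0600] "GET /index.php?PHPSESSID=abc123&page=2 HTTP/1.1" 200 990 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Nov/2002:08:35:00 -0600] "GET /about HTTP/1.1" 200 400 "http://news.example/story?id=42" "Mozilla/5.0"',
]


def find_session_ids(url):
    """Return a list of (parameter_name, value) for session identifiers found in url.

    Both the ;jsessionid=... path parameter and query-string parameters are checked.
    """
    found = []
    parts = urlsplit(url)  # urlsplit keeps ';...' inside .path, unlike urlparse
    for name, value in PATH_PARAM_RE.findall(parts.path):
        found.append((name.lower(), value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name.lower(), value))
    return found


def redact_session_ids(url):
    """Return url with every session identifier value replaced by 'REDACTED'.

    Use this before writing a URL to a log or echoing it into a redirect target.
    """
    parts = urlsplit(url)
    path = PATH_PARAM_RE.sub(lambda m: f";{m.group(1)}=REDACTED", parts.path)
    query_pairs = [
        (name, "REDACTED" if name.lower() in SESSION_PARAM_NAMES else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query_pairs), parts.fragment))


def scan_log(lines):
    """Scan combined-format access log lines for session IDs.

    Returns one finding per identifier seen. The finding records which field
    carried it (request target vs. Referer) and the value's length only, so the
    report itself does not re-leak the token.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        for field in ("target", "referer"):
            for name, value in find_session_ids(m.group(field)):
                findings.append({
                    "line": lineno,
                    "host": m.group("host"),
                    "field": field,
                    "param": name,
                    "value_len": len(value),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        where = "issued in request URL" if f["field"] == "target" else "received via Referer"
        print(f"line {f['line']}: {f['param']} ({f['value_len']} chars) {where} from {f['host']}")
```

A "target" finding means the server is still handing out URL-encoded sessions and every outbound link from such a page will carry the token; a "referer" finding means a token has already crossed a site boundary. Present-day fixes are to turn URL rewriting off at the container (for example `<tracking-mode>COOKIE</tracking-mode>` in a servlet web.xml, or `session.use_only_cookies=1` for PHP) and to serve the application over HTTPS, which also keeps browsers from sending a Referer to plain-HTTP sites; the redaction helper is for the logging path, not a substitute for removing the ID from the URL.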