WebApp Sec: Re: post to bugtraq about "session fixation"

[Alex Russell <alex () netWindows org>]

On Wednesday 18 December 2002 15:18, Kevin Spett wrote:
> If the session management implementations of web application servers
> (JRun and PHP are mentioned) allow users to specify session IDs, I would
> consider it a legitimate problem. 
Perhaps, but there are a lot of other requisite mistakes needed for this to 
be an issue, such as:

        * the app must accept the SAME session IDs across both secured and 
unsecured interactions
        * the app must not change the session id on a per-page or per-action basis
        * the app must not issue another "action specific" nonce to be used in 
conjunction with the session ID to validate for sensitive actions

> Lots of people rely on the
> vendor-supplied APIs for session management.  If they had framed it more
> as a potential weakness in web app design more than a revolutionary new
> attack technique it would've been better.  I agree that the severity and
> practicality of the attacks described in the paper have been exaggerated,
> but saying it's marketting and nothing more is a little harsh. 
I agree. For sites that have the multitue of problems necessaray to exploit 
this, it's a serious issue.

> Sure,
> they took liberties saying that it's a widespread new type of attack, but
> if they were going for pure marketting, they'd end up with something like
> this:
> http://www.forescout.com/e-tourinteractive10.html 
My favorite claim in that flash marketing trainwreck: "Active scout blocks 
all attacks, even the unknown ones". And we wonder why people find it hard 
to trust security vendors...sigh...

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com