WebApp Sec
mailing list archives
Re: Security Paper: Session Fixation Vulnerability in Web-based Applications
From: Bill Pennington <billp () boarder org>
Date: Thu, 19 Dec 2002 13:56:07 -0800
Not to be an "I told you so" or anything, since I didn't really tell
anyone except the guys at SPI Dynamics, but I noticed that problem (the
reuse of session IDs between non-SSL and SSL sessions) about 3 years
ago. It was particularly evident in BroadVision-based applications.
BroadVision released a paper to their clients, I believe.
It really only became a big problem if the app echoed information back
to the client. You could get CC info from active sessions pretty easily
on some very large BroadVision-based sites. If it didn't echo info you
were kinda limited in your attack. On most apps I tested you could
just add or remove stuff to people's carts; while funny, I did not think
it was that big of an issue.
On Thursday, December 19, 2002, at 11:45 AM, Sverre H. Huseby wrote:
| ACROS Security is pleased to announce the publication of a
| security paper about a new class of attacks on web-based
| applications that we named "session fixation" attacks.
Very interesting. Particularly the part where one can include the
session ID in a URL, as it doesn't depend on other bugs (such as XSS)
in the target web site. The paper is also very well written.
The whole thing reminds me of something a friend pointed me to a
couple of weeks ago: Using the same session id on both unencrypted and
encrypted communication. Many web sites let you start with plain
HTTP, and switch to HTTPS as soon as you want to log in. If someone
sniffs the victim's session ID before the victim logs in over HTTPS,
that someone may, in many cases, use that very same session ID to
impersonate the victim after he has been authenticated. The solution
is, as with session fixation, to invalidate the session (and create a
new one) when switching from unauthenticated to authenticated user.
Well, merry Christmas and so on to everybody!
Sverre.
--
shh () thathost com Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/
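The mitigation both posts arrive at, invalidating the pre-login session and issuing a new identifier at the unauthenticated-to-authenticated transition, modelled as an added example (not code from either poster or from the ACROS paper). The session store, the user name "alice" and the "sniffed over plain HTTP" scenario are constructed for illustration:

```python
import secrets

# Toy server-side session store, constructed for this example. It models only
# the mechanism the thread discusses: whether the session id issued before
# login survives into the authenticated session.
class SessionStore:
    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        """Issue a fresh, unpredictable id (e.g. on the first plain-HTTP request)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session and return the id the client must use from now on."""
        if sid not in self.sessions:
            raise KeyError("unknown session id")
        if not self.rotate_on_login:
            # Vulnerable behaviour: the pre-auth id is upgraded in place, so anyone
            # who learned it before login (sniffing, or fixing it via a URL) keeps it.
            self.sessions[sid]["user"] = user
            return sid
        # Mitigation from the thread: invalidate the old session and create a new
        # one when switching from unauthenticated to authenticated user.
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """Which user, if any, a presented session id currently maps to."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def simulate(rotate_on_login):
    """Return the identity the pre-login id resolves to after the victim logs in."""
    store = SessionStore(rotate_on_login)
    pre_login_sid = store.new_session()              # id observable before login
    victim_sid = store.login(pre_login_sid, "alice")  # victim logs in over HTTPS
    assert store.whoami(victim_sid) == "alice"        # the victim herself is unaffected
    return store.whoami(pre_login_sid)                # what the old id is worth now


if __name__ == "__main__":
    print("no rotation:", simulate(False))  # alice -> old id still impersonates
    print("rotate     :", simulate(True))   # None  -> old id is dead
```

Real frameworks expose the same step under names like "regenerate session id"; the point the check makes is that the identifier presented before authentication must not resolve to the authenticated session afterwards.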