WebApp Sec mailing list archives

How to protect against cookie stealing?
From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Wed, 23 Jul 2003 22:33:45 -0700

All,

I have a question on how people are handling cookie stealing and session
segregation. For example, it is possible to use session cookie information
on multiple systems for most (all?) web applications I know of.  Here is a
scenario:

When a user logs in he is assigned a BLAH_SESSIONID cookie which serves as
an authorization mechanism in the application.  The application  does not
associate the cookie to any session-specific information (e.g., source IP
address), so another user can also use the BLAH_SESSIONID cookie to access
the same information (over a different TCP/IP session) that the legitimate
user can.  If an attacker obtains, or guesses, a valid BLAH_SESSIONID cookie
for an active session, he can use it without the user's knowledge. For
example, I was able to execute the following command using a BLAH_SESSIONID
that was obtained from another session: Command on Linux box:

  # curl -b "BLAH_SESSIONID=0000FDHTNLVY5WX" https://somesite.com/App/Function?

  Returns the page: (some portion of the returned page)

Historically I have believed that having the application associate the
BLAH_SESSIONID session cookie and its associated privileges with a specific
SSL session or source IP address would prevent this session stealing. But
recently I have been told that this solution does not work because of the
dynamic IP nature of MANY ISPs and the disassociation of SSL/HTTP. I would
like to know what others are doing to solve this problem, or if they are
just not solving it at all.

Thoughts and comments are appreciated...

Phil
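
The server-side binding the post discusses, as an added illustration that is not part of the original message and not code from any application Phil describes: an in-memory session store that issues unguessable session IDs and ties each one to a fingerprint of the client that created it (source IP and User-Agent here; the field names, IP addresses and user-agent strings are constructed for the example). A session ID replayed from a different client context is refused and the session is invalidated. The `bind_ip=False` path shows the trade-off the post raises for dynamic-IP users: without the IP in the fingerprint, a roaming address is accepted and the defence falls back on unguessable IDs plus a short idle timeout.

```python
import hashlib
import hmac
import secrets
import time

# Idle timeout (constructed value): limits how long a captured ID stays usable
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Session store that binds each session ID to the client that created it."""

    def __init__(self, bind_ip=True, bind_user_agent=True):
        self._sessions = {}
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent

    def _fingerprint(self, client_ip, user_agent):
        # Hash of the client attributes the operator chose to bind the session to
        parts = []
        if self.bind_ip:
            parts.append(client_ip)
        if self.bind_user_agent:
            parts.append(user_agent)
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def create(self, user, client_ip, user_agent, now=None):
        """Issue a fresh session ID after successful authentication."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: a valid ID cannot be guessed or enumerated
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": self._fingerprint(client_ip, user_agent),
            "last_seen": now,
        }
        return sid

    def validate(self, sid, client_ip, user_agent, now=None):
        """Return the user bound to sid, or None if the presentation is rejected."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]          # idle too long: expire it
            return None
        presented = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(rec["fp"], presented):
            # Same ID from a different client context: treat as theft,
            # drop the session so the legitimate user is logged out (and notices)
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]


# Constructed client contexts for the walkthrough
BROWSER_UA = "Mozilla/5.0 (constructed example browser)"


def demo_bound_session():
    """Full binding: a replay from another host is refused and the session dies."""
    store = SessionStore(bind_ip=True, bind_user_agent=True)
    sid = store.create("alice", "203.0.113.10", BROWSER_UA, now=1000.0)
    legit = store.validate(sid, "203.0.113.10", BROWSER_UA, now=1001.0)
    replayed = store.validate(sid, "198.51.100.7", "curl/7.10 (constructed)", now=1002.0)
    after_replay = store.validate(sid, "203.0.113.10", BROWSER_UA, now=1003.0)
    return legit, replayed, after_replay       # ("alice", None, None)


def demo_ip_unbound_session():
    """Dynamic-IP accommodation: IP not bound, so a roaming address is accepted;
    the idle timeout is then the remaining limit on a captured ID's lifetime."""
    store = SessionStore(bind_ip=False, bind_user_agent=True)
    sid = store.create("bob", "203.0.113.10", BROWSER_UA, now=1000.0)
    roaming = store.validate(sid, "203.0.113.99", BROWSER_UA, now=1001.0)
    expired = store.validate(sid, "203.0.113.99", BROWSER_UA,
                             now=1001.0 + SESSION_TTL_SECONDS + 1)
    return roaming, expired                    # ("bob", None)


if __name__ == "__main__":
    print(demo_bound_session())
    print(demo_ip_unbound_session())
```

Binding to the TLS session rather than the IP address is not modelled here because, as the post notes, the application layer usually has no stable handle on it; in practice the binding decision comes down to which client attributes are stable enough for the user base, combined with unguessable IDs and short idle timeouts so that a stolen cookie has a narrow window.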


