WebApp Sec: RE: (ip session tracking) Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

From: <mattyml_at_bellsouth.net>
Date: Fri, 31 Dec 2004 20:26:45 -0500 (EST)

On Wed, 22 Dec 2004, Evans, Arian wrote:

>
>> -----Original Message-----
>> From: Joseph Miller [mailto:joseph_at_tidetamerboatlifts.com]
>>
>> On Monday 20 December 2004 12:17 pm, Elihu Smails wrote:
>>> I agree with the comments that there is a problem on
>>> the development end that session management is
>>> lacking. I am a developer, I can say this.:)
>>
>> Much discussion has been given in this list about tracking a
>> client IP as a method of verifying credentials. It has been
>> determined by the list that this is generally a poor practice.
>
> I simply don't understand how this keeps coming up. Anyone
> who's spent even a brief period of time dealing with state
> on any enterprise application knows the pitfalls of this.
>
> Yet another reason we should be focusing our efforts on
> documenting proper state and session management.

Have you seen any resources that document proper state management
techniques? I have read numerous books and white papers, but have
yet to find a resource that gets the big picture. Any URLs/books
you can post that cover proper session/state management would be
beneficial.

>
> If basic issues like IP tracking are still misunderstood by
> people on *this* list...what's the rest of the world like?
>
> While it may be argued that the "session riding" whitepaper
> stimulated this conversation, the power-point friendly orientation
> of the web application security industry appears to have
> created an environment where one is rewarded more for new
> "vulnerability finds" (e.g.-"Session Castling") than for
> creating thorough standards and practice documentation.
>
> If I am wrong, someone stand up and shout "I'll take Uninformed
> Opinions for $1000, please", point me to resources I have
> missed, and I will shutup.
>
>
> Arian
Received on Jan 02 2005
