<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

WebApp Sec: Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Sat, 08 Jan 2005 00:47:21 +0100

* Jim Weiler:

> Couldn't the secret be any unpredictable value that the server can
> come up with, like a GUID or the timestamp of the user login, and
> not something that uses encryption?

Yes, and a HMAC provides that. You have to make the value depending
on the web application user (and preferably the time), otherwise users
could attack each other. Of course, you can also use a decent PRNG to
generate a token, and store it in the user's session object on the
server side. But this might be more complicated to implement.

A HMAC is not really encryption---but thanks to chaffing and
winnowing, all authentication schemes also permit encryption, albeit
with a significant overhead.
Received on Jan 09 2005

This message: [ Message body ]
Next message: GuidoZ: "Re: How to list all the URLs on a web server"
Previous message: michaelsilk_at_gmail.com: "Re: How to list all the URLs on a web server"
In reply to: Weiler, Jim: "RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications""
Next in thread: Kartik Trivedi: "Google Hacking and SiteDigger 2.0"
Reply: Kartik Trivedi: "Google Hacking and SiteDigger 2.0"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]