WebApp Sec: Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 08 Jan 2005 00:47:21 +0100

* Jim Weiler:

Couldn't the secret be any unpredictable value that the server can
come up with, like a GUID or the timestamp of the user login, and
not something that uses encryption?


Yes, and a HMAC provides that.  You have to make the value depending
on the web application user (and preferably the time), otherwise users
could attack each other.  Of course, you can also use a decent PRNG to
generate a token, and store it in the user's session object on the
server side.  But this might be more complicated to implement.

A HMAC is not really encryption---but thanks to chaffing and
winnowing, all authentication schemes also permit encryption, albeit
with a significant overhead.

By Date By Thread

Current thread:

RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Weiler, Jim (Jan 07)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Florian Weimer (Jan 08)
  - Google Hacking and SiteDigger 2.0 Kartik Trivedi (Jan 10)
    - Re: Google Hacking and SiteDigger 2.0 GuidoZ (Jan 14)