Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Is logoff feature necessary

RE: Is logoff feature necessary

From: M. Burnett <mb_at_xato.net>
Date: Tue, 2 May 2006 09:42:08 -0600

Sure, you can terminate the session by closing the browser, and many people
do this, but what happens if you don't close the browser but just move on to
another web site? It would be pretty simple to use the back button or
perhaps something like a cross-site scripting attack to pick up a session
token.

Or what if you are using a tab-based browser and just close the tab rather
than closing the browser itself? Will the session still end?

The main reason I like providing a logoff button is to force a token to
invalidate for those times you want to be sure you are logged off--such as
when using a shared pc. There are things attackers can use, such as token
keep-alive techniques, combined with other techniques, that allow them to
take over an old session. Forcing a session to die helps protect you if
someone else somehow got your session token. And there are many, many ways
that others can obtain your session token.

Having said all that, even if the developer added a logoff button, I suspect
that few users would actually use it. And there are many techniques to help
secure sessions tokens even if someone doesn't explitely log off. For
example, session tokens should always have relative as well as absolute
timeouts to prevent someone from keeping a session alive indefintely.

Allowing a log off is not going to stop attacks that target session tokens.
But then again, is it really that hard to add a button?

Mark Burnett

> -----Original Message-----
> From: test.future_at_gmail.com [mailto:test.future_at_gmail.com]
> Sent: Tuesday, May 02, 2006 1:41 AM
> To: webappsec_at_securityfocus.com
> Subject: Is logoff feature necessary
>
> We have a web applicaiton which do not have logoff button.
> The developer claims that it is unnecessary, since the
> session can be terminated by closing the browser. Is it
> correct? Thanks.
>
> --------------------------------------------------------------
> -----------
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks Hackers
> continue to add billions to the cost of doing business online
> despite security executives' efforts to prevent malicious
> attacks. This whitepaper identifies the most common methods
> of attacks that we have seen, and outlines a guideline for
> developing secure web applications.
> Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70130
0000007t9r
> --------------------------------------------------------------
> ------------
>

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Received on May 03 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]