Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: George Capehart <gwc () CAPEHASSOC COM>
Date: Wed, 27 Dec 2000 13:17:27 -0500
Drew Simonis wrote:

> Mark Curphey wrote:
>
> > IMHO - Hidden Form Fields, isn't that like security by obscurity (maybe I don't understand how they work right)? Sure you can set the no cache option in the HTTP header, but doesn't the session status ID (whatever you pass as the form field value) just sit on the client machine ready to be replayed?
>
> No, the point that Robert was making (which is a good one) is that sometimes the URL, with the appended session ID, might be logged to another server. In cases where the HTTP_REFERER is logged, hidden fields wouldn't be captured, since they aren't part of the URI. Alas, your point is also valid. Hidden fields are generally no more a secure solution than a GETish URI when used by itself. My earlier point (added to by Philip) is still, IMO, the best bet. Make sure whatever information you use to maintain state is of little use later in life. Your main concerns are not only the danger of a replay attack, but also of information leaks. Both nasty things to have to deal with...
Seems to me that there are ways to make the hidden field reasonably secure. The main reason to use a hidden field is not to provide a priori security for the contents of the field. It is primarily a way to keep from cluttering up the page with information that is not immediately useful to the viewer. Data in the field can be protected by encrypting it . . . and adding a nonce to the contents to detect a replay attempt, a MAC to detect tampering, etc. The problem is that many people, myself included, will simply not use a site that requires cookies. That pretty much means that if it's *really* important to the business unit that they not lose their customers, using a hidden field or something like that is pretty much necessary.

Anyway, that's my $0.02.

-- 
George W. Capehart                       PCS Phone: +1 704.277.4561
Capehart Associates LLC                  Fax:       +1 704.853.2624
1604 Nottingham Drive                    To send a text message:
Gastonia, NC 28054                       http://www.messaging.sprintpcs.com

Meskimen's Law of Quality: "There's never time to do it right, but there's always time to do it over."
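The "encrypt it, add a nonce against replay, add a MAC against tampering" recipe from the message above, worked through as an added example. This is editor-supplied code, not something posted in the thread, and it assumes a server-side `HiddenFieldSealer` class (hypothetical name) that turns per-request state into an opaque hidden-field value and refuses to accept that value twice or in modified form. The keystream is HMAC-SHA256 run in counter mode so the example needs only the Python standard library; in production you would use a real AEAD such as AES-GCM or NaCl secretbox instead. The master key and the sample state are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# Constructed 32-byte server secret for this example only. A real deployment
# loads it from a secrets store; it is never hard-coded or sent to the client.
MASTER_KEY = bytes.fromhex(
    "8f3a1c0e4b7d2e9a6c5b0f1d2a3e4c5b6a7d8e9f0a1b2c3d4e5f60718293a4b5"
)


class FieldError(Exception):
    """Base class: the hidden field must not be trusted."""


class TamperError(FieldError):
    """MAC did not verify or the encoding is malformed."""


class ReplayError(FieldError):
    """A previously accepted field was submitted again."""


class HiddenFieldSealer:
    """Seal state into a hidden form field and open it again on submission.

    Wire format (base64url): nonce(16) || ciphertext || HMAC-SHA256 tag(32).
    Encrypt-then-MAC, with the nonce covered by the MAC so it cannot be
    swapped; the server keeps the set of nonces it has already accepted.
    """

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, master_key):
        # Independent keys for confidentiality and integrity, derived by HMAC.
        self._enc_key = hmac.new(master_key, b"hidden-field-enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"hidden-field-mac", hashlib.sha256).digest()
        self._consumed = set()  # nonces of fields already accepted (replay list)

    def _keystream(self, nonce, length):
        # HMAC-SHA256 in counter mode as a PRF keystream; stand-in for a real AEAD.
        out = bytearray()
        counter = 0
        while len(out) < length:
            block = nonce + struct.pack(">I", counter)
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def seal(self, state):
        """Return the string to place in <input type="hidden" value="...">."""
        nonce = secrets.token_bytes(self.NONCE_LEN)  # fresh per issued page
        plaintext = json.dumps(state, sort_keys=True).encode()
        stream = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

    def open(self, field):
        """Verify, reject replays, decrypt; raise FieldError otherwise."""
        try:
            blob = base64.urlsafe_b64decode(field.encode())
        except ValueError:  # binascii.Error is a ValueError subclass
            raise TamperError("field is not valid base64")
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            raise TamperError("field too short")
        nonce = blob[: self.NONCE_LEN]
        ciphertext = blob[self.NONCE_LEN : -self.TAG_LEN]
        tag = blob[-self.TAG_LEN :]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # Check integrity first, in constant time, before looking at anything else.
        if not hmac.compare_digest(tag, expected):
            raise TamperError("MAC mismatch")
        if nonce in self._consumed:
            raise ReplayError("field already submitted once")
        self._consumed.add(nonce)
        stream = self._keystream(nonce, len(ciphertext))
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
        return json.loads(plaintext.decode())


def flip_bit(field, byte_index):
    """Attacker step for the demo: flip one bit of the decoded blob and re-encode."""
    blob = bytearray(base64.urlsafe_b64decode(field.encode()))
    blob[byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(blob)).decode()


def demo():
    """Issue one field and show the three outcomes: accept, replay, tamper."""
    sealer = HiddenFieldSealer(MASTER_KEY)
    state = {"user": "alice", "step": 2, "cart_total": 1999}  # constructed sample
    field = sealer.seal(state)
    first = sealer.open(field)
    try:
        sealer.open(field)
        replayed = False
    except ReplayError:
        replayed = True
    try:
        sealer.open(flip_bit(field, HiddenFieldSealer.NONCE_LEN))  # first ciphertext byte
        tampered = False
    except TamperError:
        tampered = True
    return first, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Two practical caveats. The consumed-nonce set grows without bound; a real service puts an issue timestamp inside the sealed state, rejects fields older than the form's lifetime, and prunes nonces older than that. And sealing only protects the field's contents; it does nothing about the page itself being cached or logged, which is the leak the earlier messages in the thread are concerned with.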
Current thread:
- Re: [PEN-TEST] HTTP Secure Session State Management, (continued)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Bennett Todd (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Philip Stoev (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Thomas Reinke (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Philip Stoev (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management van der Kooij, Hugo (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 26)
- Re: [PEN-TEST] HTTP Secure Session State Management George Capehart (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 23)
- Re: [PEN-TEST] HTTP Secure Session State Management Drew Simonis (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Mark Curphey (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Robert van der Meulen (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Dom De Vitto (Dec 27)
- Re: [PEN-TEST] HTTP Secure Session State Management Ian Charnas (Dec 27)