WebApp Sec mailing list archives
Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications
From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 19 Dec 2002 20:45:48 +0100
| ACROS Security is pleased to announce the publication of a
| security paper about a new class of attacks on web-based
| applications that we named "session fixation" attacks.

Very interesting. Particularly the part where one can include the
session ID in a URL, as it doesn't depend on other bugs (such as XSS)
in the target web site. The paper is also very well written.

The whole thing reminds me of something a friend pointed me to a couple
of weeks ago: Using the same session id on both unencrypted and
encrypted communication. Many web sites let you start with plain HTTP,
and switch to HTTPS as soon as you want to log in. If someone sniffs
the victim's session ID before the victim logs in over HTTPS, that
someone may, in many cases, use that very same session ID to
impersonate the victim after he has been authenticated. The solution
is, as with session fixation, to invalidate the session (and create a
new one) when switching from unauthenticated to authenticated user.

Well, merry Christmas and so on to everybody!

Sverre.

--
shh () thathost com
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
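The fix described in the post above (invalidate the pre-login session and issue a fresh ID at the unauthenticated-to-authenticated transition), shown as an added Python example that is not part of the original thread: the toy SessionStore, the two login functions and the user name "alice" are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Toy server-side session table: session_id -> data; 'user' is set once authenticated."""
    sessions: dict = field(default_factory=dict)

    def start(self) -> str:
        """Create an anonymous pre-login session, as the plain-HTTP part of a site would."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def whoami(self, sid: str):
        """Return the user bound to sid, or None if sid is unknown or unauthenticated."""
        return self.sessions.get(sid, {}).get("user")


def login_reusing_session(store: SessionStore, sid: str, user: str) -> str:
    """Vulnerable: authenticate the existing session in place, keeping the pre-login ID.
    Whoever learned that ID before login (sniffed over HTTP, or fixed via a URL) now holds it."""
    if sid not in store.sessions:
        sid = store.start()
    store.sessions[sid]["user"] = user
    return sid


def login_regenerating_session(store: SessionStore, sid: str, user: str) -> str:
    """Hardened: invalidate the pre-login session and issue a fresh ID at the
    unauthenticated -> authenticated transition, as the post recommends."""
    old = store.sessions.pop(sid, {})        # the old ID stops resolving to anything
    new_sid = store.start()
    store.sessions[new_sid] = dict(old, user=user)  # keep pre-login state (e.g. a cart)
    return new_sid


def pre_login_id_still_valid(login_fn) -> bool:
    """Does the ID observed before login still reach the authenticated session afterwards?"""
    store = SessionStore()
    observed_sid = store.start()   # what an eavesdropper or fixation attacker knows
    login_fn(store, observed_sid, "alice")
    return store.whoami(observed_sid) == "alice"


if __name__ == "__main__":
    print("reuse:", pre_login_id_still_valid(login_reusing_session))           # True
    print("regenerate:", pre_login_id_still_valid(login_regenerating_session))  # False
```

The same check applies to an HTTP-to-HTTPS switch and to a fixated ID: in both cases only the regenerating variant leaves the previously observed ID worthless.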
Current thread:
- Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Mark Curphey (Dec 18)
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Sverre H. Huseby (Dec 19)
- Re: Security Paper: Session Fixation Vulnerability in Web-based Applications Bill Pennington (Dec 19)
- <Possible follow-ups>
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Craig_Sullivan (Dec 20)
- Re: Fwd: Security Paper: Session Fixation Vulnerability in Web-based Applications Sverre H. Huseby (Dec 19)