WebApp Sec mailing list archives
IIS 5.0 Session Hijacking Question
From: "Robin Fordham" <rfordham () bha com>
Date: Tue, 23 Sep 2003 08:04:13 -0500
Hi. I hope this is the right place to direct this kind of question; if not, please let me know where I should direct it to. Thanks...

I recently participated in a web cast about web security and it mentioned free tools available that allowed you to aggressively test your web apps. The one that I am currently using is Paros 3.0. I used it to successfully hijack a session on an app that I am building, but only because I logged in twice, first as an administrator-type user and second as a read-only user, and so could see both session IDs, allowing me to swap them around to perform the session hijack. Does this still mean my app is not secure "enough"?

My main question is: is it possible for an intruder to be able to obtain a list of session IDs present on the (Win2000 SP4 - IIS 5.0) server? Or would they have to try brute force to guess the session ID? If brute force is the only option, is it safe to say, based on the OWASP recommendations (which I have been following religiously), that an application that bases its user permissions on a session value is secure "enough"?

I am not using any hidden form fields or query string values to denote a user's ID or permission level, only a session memory cookie. This is what I believe to be the most secure way of managing sessions, as then the only way to bypass this is to use a tool like Paros to intercept the data transmitted and grab the session ID being sent from the browser's memory. The application is running on an SSL encrypted connection, so is it possible for an intruder to still be able to see the data being transmitted using a tool like Paros?

My final question is relating to a suggestion by one of the security professionals from the web cast, who suggested that the only way to know if data has been modified in transit is to use a keyed hash function. However I cannot work out how this would work. The thing I cannot understand is that if a "normal" user uses the application, when they submit a form it WILL come back looking different if they have entered/modified data. So I cannot work out how the keyed hash function would be of any benefit in determining if the data was tampered with or not.

I've been visiting OWASP regularly and have been very impressed with the content. Learning about security has totally changed the way I develop and I consider myself as being more knowledgeable than the average web developer. It's just the few issues I have mentioned above which I am stuck on. I realize that they are very specific questions and the nature of this discussion forum is of a more generic nature, but if you could help answer some of them, or even point me in the right direction to someone else that might be able to help, it would be most appreciated.

Regards
Robin Fordham
Web Developer
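An added illustration (not from Robin's post or any reply in the thread) of what the keyed-hash suggestion means in practice: the server computes an HMAC only over the fields it set itself, so a user legitimately filling in the editable fields does not disturb the check, while any change to a protected field or the tag itself is rejected. The key, field names and values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): the real key lives only on the server and never reaches the browser.
SERVER_KEY = b"constructed-demo-key-change-me-and-keep-server-side"

# Hidden fields the server decides and the user must not be able to alter (constructed names).
PROTECTED_FIELDS = ("account_id", "role")


def sign_fields(fields: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted, unambiguous) encoding of the protected fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


def render_form(server_values: dict) -> dict:
    """Server side, when the page is built: emit the protected hidden fields plus their MAC.

    User-editable fields (free text, options) are deliberately NOT covered, so the user
    changing them is legitimate and does not break the check."""
    form = {k: server_values[k] for k in PROTECTED_FIELDS}
    form["mac"] = sign_fields(form)
    return form


def verify_submission(submitted: dict) -> bool:
    """Server side, on POST: recompute the MAC over the protected fields only and compare
    in constant time. An edited protected field, or a missing/forged MAC, fails."""
    if any(k not in submitted for k in PROTECTED_FIELDS) or "mac" not in submitted:
        return False
    protected = {k: submitted[k] for k in PROTECTED_FIELDS}
    return hmac.compare_digest(sign_fields(protected), str(submitted["mac"]))


if __name__ == "__main__":
    form = render_form({"account_id": "1007", "role": "readonly"})
    form["comment"] = "user typed this"    # editable field; changing it is fine
    print("honest submit accepted:", verify_submission(form))
    form["role"] = "admin"                 # protected field altered on the way back
    print("tampered submit accepted:", verify_submission(form))
```

The same construction protects any server-chosen value that round-trips through the client; a session cookie that carries only an unguessable ID needs no MAC, because the permission data it refers to never leaves the server.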
Current thread:
- IIS 5.0 Session Hijacking Question Robin Fordham (Sep 23)
- <Possible follow-ups>
- RE: IIS 5.0 Session Hijacking Question Jones, Chris (Sep 23)
- RE: IIS 5.0 Session Hijacking Question lj-news (Sep 25)