WebApp Sec mailing list archives
RE: IIS 5.0 Session Hijacking Question
From: "Jones, Chris" <CJones () SierraPine com>
Date: Tue, 23 Sep 2003 08:40:17 -0700
Please excuse me if I am in error, I am not a security officer, I am just a programmer who is now the IS Admin for my branch of the tree. One of your questions is how to:
My final question is relating to a suggestion by one of the security professionals from the web cast who suggested that the only way to know if data has been modified in transit, is to use a keyed hash function. However I cannot work out how this would work. The thing I cannot understand is that if a "normal" user uses the application, when they submit a form it WILL come back looking different if they have entered/modified data. So I cannot work out how the keyed hash function would be of any benefit in determining if the data was tampered with or not.
I believe this can be done in MS_WIN with ASP, or other I am not sure, by sending encrypted code from your server to the client and then having the client section of the page decrypt the information. If someone screws with the information in transit your hash algorithm on the client side would not be able to understand the modified information and should present errors to the client saying ("@#%@#%") or some other vernacular. By keying your HASH algorithm, you can tell if anything has been altered. It seems to make sense to me anyway. Not very hard to do and you could create a script file for the code to separate it from the page.

Unfortunately, I don't think this would be a very good solution. You cannot hide your client code from the end user, so they would have access to the decryption information in your script. Obviously not a good solution, but it does satisfy what you are trying to do and in certain circumstances, it may come in handy. If you really wanted to get techie, you could create a DLL or ActiveX that does all the work of decrypting the page on the client for you and this way no one could get your code until they hacked your DLL or ActiveX (much more difficult than an HTML page, but not impossible).

As to the other direction, why couldn't you have your page transmit HASHED dialog to the server and have the server decrypt it there. Same diff just a little more complicated. I would for sure use the ActiveX or DLL to do it though.

Cjones
DBA / IS Admin

-----Original Message-----
From: Robin Fordham [mailto:rfordham () bha com]
Sent: Tuesday, September 23, 2003 6:04 AM
To: webappsec () securityfocus com
Subject: IIS 5.0 Session Hijacking Question

Hi. I hope this is the right place to direct this kind of question, if not please let me know where I should direct it to. Thanks...

I recently participated in a web cast about web security and it mentioned free tools available that allowed you to aggressively test your web apps. The one that I am currently using is Paros3.0. I used it to successfully hijack a session on an app that I am building, but only because I logged in twice, first as an administrator-type user and second as a read-only user and so could see both session IDs, allowing me to swap them around to perform the session hijack. Does this still mean my app is not secure "enough"?

My main question is, is it possible for an intruder to be able to obtain a list of session IDs present on the (Win2000sp4 - IIS5.0) server? Or would they have to try brute force to guess the session ID? If brute force is the only option, is it safe to say, based on the OWASP recommendations (which I have been following religiously), that an application that bases its user permissions on a session value is secure "enough"? I am not using any hidden form fields or query string values to denote a user's ID or permission level, only a session memory cookie. This is what I believe to be the most secure way of managing sessions. As then the only way to bypass this is to use a tool like Paros to intercept the data transmitted and grab the session id being sent from the browser's memory. The application is running on an SSL encrypted connection so is it possible for an intruder to still be able to see the data being transmitted using a tool like Paros?

My final question is relating to a suggestion by one of the security professionals from the web cast who suggested that the only way to know if data has been modified in transit, is to use a keyed hash function. However I cannot work out how this would work. The thing I cannot understand is that if a "normal" user uses the application, when they submit a form it WILL come back looking different if they have entered/modified data. So I cannot work out how the keyed hash function would be of any benefit in determining if the data was tampered with or not.

I've been visiting OWASP regularly and have been very impressed with the content. Learning about security has totally changed the way I develop and I consider myself as being more knowledgeable than the average web developer. It's just the few issues I have mentioned above which I am stuck on. I realize that they are very specific questions and the nature of this discussion forum is of a more generic nature, but if you could help answer some of them, or even point me in the right direction to someone else that might be able to help, it would be most appreciated.

Regards
Robin Fordham
Web Developer

The information contained in this e-mail is intended solely for the addressee and as such is confidential and may legally be privileged. If you are not the intended recipient, any disclosure, copying, distribution or publishing of this information in any form is expressly prohibited and may be unlawful. For more information about BHA, visit our website at http://www.bha.com
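The keyed-hash idea Robin asks about, as an added Python example that is not part of this thread or of either poster's code: the server computes an HMAC (with a key only the server holds) over just the fields it issued and the user must not change, so a user legitimately editing their own input does not break the check, while any change to a protected field does. The key, the field names (user_id, role, comment) and the session-ID helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in practice loaded from protected config and never sent to the client.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Server-issued fields the client must not alter. User-editable fields (e.g. "comment")
# are deliberately left out, which is why normal edits do not trip the check.
PROTECTED_FIELDS = ("user_id", "role")


def _canonical(fields: dict) -> bytes:
    """Serialise protected fields in a fixed order so both sides hash identical bytes."""
    return "&".join(f"{k}={fields.get(k, '')}" for k in PROTECTED_FIELDS).encode()


def sign_form(fields: dict) -> dict:
    """Server side, before rendering: attach an HMAC-SHA256 tag over the protected fields."""
    tag = hmac.new(SERVER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def verify_form(submitted: dict) -> bool:
    """Server side, on submission: recompute the tag and compare in constant time."""
    expected = hmac.new(SERVER_KEY, _canonical(submitted), hashlib.sha256).hexdigest()
    supplied = str(submitted.get("mac", ""))
    return hmac.compare_digest(expected.encode(), supplied.encode())


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: a session ID that cannot practically be guessed by brute force."""
    return secrets.token_urlsafe(32)


def demo() -> tuple:
    form = sign_form({"user_id": "42", "role": "readonly", "comment": ""})
    legit = dict(form, comment="hello")          # user filled in their own field
    tampered = dict(form, role="admin")          # protected field altered in transit
    forged = dict(tampered, mac="0" * 64)        # attacker cannot compute a valid tag without the key
    return verify_form(legit), verify_form(tampered), verify_form(forged), verify_form(form)


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```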
Current thread:
- IIS 5.0 Session Hijacking Question Robin Fordham (Sep 23)
- <Possible follow-ups>
- RE: IIS 5.0 Session Hijacking Question Jones, Chris (Sep 23)
- RE: IIS 5.0 Session Hijacking Question lj-news (Sep 25)