WebApp Sec mailing list archives
Re: session id abuse
From: npguy <npguy () websurfer com np>
Date: Sat, 14 Feb 2004 10:29:30 +0545
Hi Johnny,

Friday, February 13, 2004, 6:05:09 PM, you wrote:

JG> 1. Another user to change the session information on the
JG> server and change access from read only to write (by knowing the
JG> session id)?

If the client is encouraging the packet to pass through a third-party machine, then it is very much possible to hijack the session. But if you use the IP along with the Session-ID, it could be hard to break. As you assumed, the user has only read access, so there is no way to escalate, but it depends on your implementation.

JG> 3. How can you effectively limit concurrent access to only 1 session?

Deny all new logins if the given account is not logged out.

JG> 4. If client side certificates were to be used, could you
JG> create another session from another browser once the first session
JG> was authenticated? ie, how do you restrict the access to only one
JG> browser?

You can do it. But why do you need another session?

JG> 5. If you are using server side validation for all user
JG> invoked queries, is it still possible to force data into the
JG> application to elevate your role? Assume that user roles are
JG> clearly defined in the db.

If the user roles are clearly defined, the escalation can reach its limit and cannot go beyond.

JG> 6. If a user with high privileges (such as write to db)
JG> leaves a workstation unattended with no session timeout, are there
JG> any controls that one could put in place to still validate the
JG> user is the privilged user after a period of time? for example
JG> keep session active, but to make any changes application must
JG> validate information on a usb key?

It is possible. You should find out the idle time-out and prompt for login.

JG> 7. How do you choose between session ID's tagged in URL,
JG> Session IDs in cookies?

The cookies and GET variables (URL) can be accessed through their corresponding associative arrays or global standard variables. Check the Apache or scripting manual. For example, in PHP, to get URL variables:

    $_GET["sessionkey"]

For cookies, try:

    $_COOKIE["sessionkey"]

JG> How do you restrict the information in
JG> either URL or cookie so that users can't use this info to abuse
JG> the applicaiton?

The server-side script should use proper string parsing, validation of the data, etc.

JG> Thanks
JG> Johnny
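Taking points 1, 3 and 6 of the reply above together (keep the client IP with the session ID, deny a second login while an account is still logged in, and re-prompt for credentials before a privileged action once the idle window has passed), here is an added example of a server-side session store that enforces all three. It is illustration written for this archive page, not code from the original post or from any product discussed in the thread; the SessionManager class, the timeout values, the sample user names and the 10.0.0.x addresses are assumptions. The role is held only in the server-side record, so nothing the client sends in the URL or in a cookie can change it, which is the point behind answers 1 and 5.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the session is dropped (assumed)
REAUTH_WINDOW = 5 * 60   # a write must be backed by a credential check this recent (assumed)


@dataclass
class Session:
    user: str
    role: str        # "read" or "write"; lives only here, never in the URL or cookie
    ip: str          # client address the session ID was issued to
    last_seen: float
    last_auth: float # last time the user proved their password


class SessionManager:
    """Hypothetical in-memory session store; constructed for this example."""

    def __init__(self):
        self.sessions = {}   # session ID -> Session
        self.by_user = {}    # user -> session ID, enforces one session per account

    def login(self, user, role, ip, now):
        # Point 3: refuse a new login while the account still has a live session.
        if user in self.by_user:
            return None
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self.sessions[sid] = Session(user, role, ip, now, now)
        self.by_user[user] = sid
        return sid

    def logout(self, sid):
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.by_user.pop(s.user, None)

    def lookup(self, sid, ip, now):
        """Resolve a presented session ID; returns None if it must not be honoured."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s.ip != ip:
            # Point 1: the ID is being replayed from another address, revoke it.
            self.logout(sid)
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            self.logout(sid)
            return None
        s.last_seen = now
        return s

    def can_write(self, sid, ip, now):
        # Point 6: a write needs the write role AND a recent password check,
        # so an unattended workstation cannot be used to change data indefinitely.
        s = self.lookup(sid, ip, now)
        if s is None or s.role != "write":
            return False
        return now - s.last_auth <= REAUTH_WINDOW

    def reauthenticate(self, sid, ip, now, password_ok):
        s = self.lookup(sid, ip, now)
        if s is None or not password_ok:
            return False
        s.last_auth = now
        return True


def demo():
    """Walk the scenarios from the thread; every value in the result should be True."""
    mgr = SessionManager()
    t0 = 1_000_000.0
    r = {}
    sid = mgr.login("alice", "write", "10.0.0.5", t0)
    r["second_login_denied"] = mgr.login("alice", "write", "10.0.0.9", t0 + 1) is None
    r["write_ok_fresh"] = mgr.can_write(sid, "10.0.0.5", t0 + 60)
    # Session is still alive, but the password check is older than REAUTH_WINDOW.
    r["write_needs_reauth"] = not mgr.can_write(sid, "10.0.0.5", t0 + REAUTH_WINDOW + 1)
    r["reauth_restores_write"] = (
        mgr.reauthenticate(sid, "10.0.0.5", t0 + REAUTH_WINDOW + 2, password_ok=True)
        and mgr.can_write(sid, "10.0.0.5", t0 + REAUTH_WINDOW + 3)
    )
    # Same ID replayed from another address: rejected and revoked for the real user too.
    r["hijack_rejected"] = mgr.lookup(sid, "10.0.0.99", t0 + REAUTH_WINDOW + 4) is None
    r["revoked_after_hijack"] = mgr.lookup(sid, "10.0.0.5", t0 + REAUTH_WINDOW + 5) is None
    # A read-only account cannot write no matter what it sends.
    rsid = mgr.login("bob", "read", "10.0.0.7", t0)
    r["reader_cannot_write"] = not mgr.can_write(rsid, "10.0.0.7", t0 + 1)
    # Idle session is dropped once IDLE_TIMEOUT has elapsed since the last request.
    r["idle_expired"] = mgr.lookup(rsid, "10.0.0.7", t0 + 1 + IDLE_TIMEOUT + 1) is None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Pinning the session to the source IP is cheap but it is only one signal: users behind load-balanced proxies or mobile carriers can legitimately change address mid-session, so the long random ID and the server-held role are what actually stop the read-only user from promoting themselves. Carrying the ID in a cookie rather than the URL also keeps it out of Referer headers and web server logs, where a URL-borne ID is routinely exposed.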
Current thread:
- Session ID Abuse Johnny GoLightly (Feb 13)
- Re: Session ID Abuse Paul (Feb 15)
- Re: Session ID Abuse lists AT dawes DOT za DOT net (Feb 15)
- <Possible follow-ups>
- session id abuse Johnny GoLightly (Feb 13)
- Re: session id abuse npguy (Feb 15)
- Re: session id abuse hans (Feb 15)
- RE: Session ID Abuse Kris Wilkinson (Feb 15)
- Re: Session ID Abuse Steve Shah (Feb 15)