WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 22 Dec 2004 19:04:15 +0100
* Yvan G. J. Boily:
> This name for the issue is misleading; this is a state management issue combined with a session management issue.
I don't quite agree. Some developers use stateless authentication methods specifically to avoid the pitfalls of improper session management (and session token theft due to cross-site scripting vulnerabilities). I don't think the vulnerability has much to do with state or session management.

What we really need is a form of remote attestation, namely that the user has actually triggered the action the browser claims he has. In this particular case, it turns out that you can provide part of this attestation by carrying additional state information through the client, but this is more or less an accident, and not really inherent to the underlying problem. (The general attestation problem is much harder to solve, of course.)

If we look at the problem from a different angle, it's a leak between different trust domains (for example, from an Internet site to an intranet application). Disabling cross-site requests in the client would stop it. Actually, doing this is extremely desirable from a security point of view, but is impossible because too many deployed applications rely on this client feature. Those of us who run different browser instances for internal and external content, on different hosts (sometimes called a "graphical firewall"), have at least some protection from these issues because the different trust domains are separated to some extent.
> The "Session Riding" vulnerability is not just an issue of immature web technology; it will affect any stateless protocol which does not have a strong method of enforcing state compliance.
On the other hand, this lack of state compliance is a feature which users expect. They want to use the Back button in their browsers. They want to bookmark pages deep within the application. Some users even want to script requests to the applications. We need to support such features.
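The following is an added example, not code from the original post or from the whitepaper under discussion. It shows the partial mitigation Florian describes ("carrying additional state information through the client"): the server derives a token from the session and a server secret, requires it on state-changing requests, and leaves read-only GET requests token-free so that bookmarks, the Back button and scripted reads keep working. A request forged from another trust domain makes the browser send the session cookie, but cannot read or compute the token. All names (Request, issue_token, handle_request) and the key and session id values are this example's own constructed placeholders.

```python
"""Session-bound token check for state-changing requests (added example)."""
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample secret; a real deployment loads this from configuration.
SERVER_KEY = b"example-server-key-not-for-production"

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical type)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token(session_id: str) -> str:
    """Derive a per-session token as HMAC(server_key, session_id).

    The token is a function of the session id and a server-side secret, so no
    extra server-side state is needed, and a foreign site that can only cause
    the browser to send the cookie cannot compute it.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


def render_form(session_id: str) -> str:
    """The application's own page embeds the token, so requests that originate
    from that page carry the client-side state automatically."""
    token = issue_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_request(req: Request) -> Tuple[int, str]:
    """Dispatch a request, applying the token check only where state changes."""
    session_id = req.cookies.get("session")
    if session_id is None:
        return 401, "no session"
    if req.method in STATE_CHANGING_METHODS:
        if not token_is_valid(session_id, req.form.get("csrf_token")):
            # Cookie present but client-carried state missing or wrong:
            # treat it as a cross-site request and refuse the action.
            return 403, "missing or invalid csrf token"
        return 200, f"action {req.path} performed"
    # GET stays token-free: bookmarkable, Back-button safe, scriptable.
    body = render_form(session_id) if req.path == "/transfer" else "ok"
    return 200, body


if __name__ == "__main__":
    sid = "sess-abc123"  # constructed sample session id
    forged = Request("POST", "/transfer", {"session": sid}, {"amount": "10"})
    print(handle_request(forged))
    legit = Request("POST", "/transfer", {"session": sid},
                    {"csrf_token": issue_token(sid), "amount": "10"})
    print(handle_request(legit))
```

Note that this only covers the part of the attestation problem Florian calls an accident of the design: it tells the server the request carried state that only its own page could have supplied, not that the user consciously triggered the action.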