WebApp Sec mailing list archives

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"


From: Eran Tromer <webapp2eran () tromer org>
Date: Wed, 22 Dec 2004 22:30:40 +0200

On 12/22/2004 10:12 PM, Eran Tromer wrote:
> On 12/22/2004 07:47 PM, Florian Weimer wrote:
>> The HMAC input should also cover a time-dependent value sent along in the
>> clear (which is later used to check the token for freshness).  A form
>> identifier could also be helpful.

[snip]
> The timestamp and (in some cases) the form identifier needed to be sent
> as extra parameters, which can get rather ugly when using GET requests.

On second thought, what you need is not a form (source) identifier, but rather an action (target) identifier. The action is necessarily deducible from the rest of the HTTP request, so there's no good reason not to add it to the hash. Ideally, one would hash in all parts of the target URL and all POST parameters that are known at the time the source page is sent (except the token itself).

  Eran
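The token construction discussed in this thread (an HMAC over the session, a cleartext timestamp checked for freshness, and the target action including its known parameters), as an added illustration that is not code from the thread; the server key, field name and TTL are assumed values.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode

# Assumed values: a server-side key (in practice derived per session), the
# name of the form field carrying the token, and how long a token stays fresh.
SERVER_KEY = b"constructed-server-secret"
TOKEN_FIELD = "anti_riding_token"
TOKEN_TTL_SECONDS = 600


def canonical_action(path: str, params: dict) -> bytes:
    # Target identifier: the URL path plus the POST/GET parameters known when
    # the source page is sent, sorted so parameter order cannot change the MAC.
    # The token field itself is excluded, as the message above requires.
    known = sorted((k, v) for k, v in params.items() if k != TOKEN_FIELD)
    return (path + "?" + urlencode(known)).encode()


def make_token(session_id: str, path: str, params: dict, now: Optional[int] = None) -> str:
    # Output is "timestamp:mac"; the timestamp travels in the clear but is
    # covered by the MAC, so it cannot be altered to extend freshness.
    ts = int(time.time()) if now is None else now
    msg = b"\x00".join([session_id.encode(), str(ts).encode(), canonical_action(path, params)])
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(token: str, session_id: str, path: str, params: dict, now: Optional[int] = None) -> bool:
    # Recompute the MAC over the action actually being requested; a token
    # minted for one target, session or time window will not verify for another.
    try:
        ts_str, _ = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= TOKEN_TTL_SECONDS:
        return False  # stale or from the future
    expected = make_token(session_id, path, params, now=ts)
    return hmac.compare_digest(expected, token)
```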
