WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: Eran Tromer <webapp2eran () tromer org>
Date: Wed, 22 Dec 2004 22:30:40 +0200
On 12/22/2004 10:12 PM, Eran Tromer wrote:
> On 12/22/2004 07:47 PM, Florian Weimer wrote:
>> The HMAC input should also cover a time-dependent value sent along in
>> the clear (which is later used to check the token for freshness). A
>> form identifier could also be helpful.
> [snip]
> The timestamp and (in some cases) the form identifier needed to be sent
> as extra parameters, which can get rather ugly when using GET requests.

On second thought, what you need is not a form (source) identifier, but
rather an action (target) identifier. The action is necessarily
deducible from the rest of the HTTP request, so there's no good reason
not to add it to the hash. Ideally, one would hash in all parts of the
target URL and all POST parameters that are known at the time the
source page is sent (except the token itself).
Eran
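The scheme sketched above (an HMAC over the session, a clear-text timestamp, and the target action), as an added example that is not part of the original message or of the whitepaper under discussion. Everything here is assumed for illustration: the key SERVER_KEY, the parameter names "token" and "ts", the 600-second lifetime, and the helper names issue_token / verify_token. The server computes the MAC over the method, the path and every parameter it already knows when it renders the form (the token itself excluded), so a token issued for one action does not validate for another, and re-dating the timestamp invalidates it too.

```python
"""Action-bound anti-CSRF token (example added to the thread, not the
author's code).  SERVER_KEY, TOKEN_PARAM, TS_PARAM, MAX_AGE_SECONDS and the
function names are hypothetical choices, not names from the page."""
import hashlib
import hmac
from urllib.parse import urlencode

SERVER_KEY = b"replace-with-a-random-per-deployment-secret"  # hypothetical
TOKEN_PARAM = "token"       # hypothetical parameter name for the MAC
TS_PARAM = "ts"             # hypothetical parameter name for the timestamp
MAX_AGE_SECONDS = 600       # hypothetical freshness window


def _field(value: str) -> bytes:
    """Length-prefix each field so 'a'+'bc' and 'ab'+'c' cannot collide."""
    data = value.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def _canonical_params(params: dict) -> str:
    """Sorted, URL-encoded form of every parameter except the token itself.
    The clear-text timestamp stays in, so re-dating it breaks the MAC."""
    pairs = sorted((k, v) for k, v in params.items() if k != TOKEN_PARAM)
    return urlencode(pairs)


def compute_token(key: bytes, session_id: str, method: str, path: str,
                  params: dict) -> str:
    """HMAC-SHA256 over session, method, target path and known parameters."""
    msg = (_field(session_id) + _field(method.upper()) + _field(path)
           + _field(_canonical_params(params)))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(key: bytes, session_id: str, method: str, path: str,
                params: dict, now: int) -> dict:
    """When rendering the form or link: return the parameters to embed,
    i.e. the original ones plus the clear-text timestamp and the MAC."""
    out = dict(params)
    out[TS_PARAM] = str(int(now))
    out[TOKEN_PARAM] = compute_token(key, session_id, method, path, out)
    return out


def verify_token(key: bytes, session_id: str, method: str, path: str,
                 params: dict, now: int, max_age: int = MAX_AGE_SECONDS) -> bool:
    """On the incoming request: recompute the MAC from what the request
    actually asks for, then check the timestamp for freshness."""
    token = params.get(TOKEN_PARAM)
    ts = params.get(TS_PARAM)
    if not isinstance(token, str) or not isinstance(ts, str):
        return False
    try:
        issued = int(ts)
    except ValueError:
        return False
    if not (issued <= now <= issued + max_age):   # stale, or dated in the future
        return False
    expected = compute_token(key, session_id, method, path, params)
    return hmac.compare_digest(expected, token)    # constant-time comparison


def demo() -> dict:
    """Constructed scenario: a transfer form issued at t=1000 and the ways a
    session-riding attacker might try to reuse or alter it."""
    sid, path = "sess-8f2a", "/account/transfer"
    form = issue_token(SERVER_KEY, sid, "POST", path,
                       {"to": "alice", "amount": "10"}, now=1000)
    return {
        "genuine": verify_token(SERVER_KEY, sid, "POST", path, form, now=1100),
        "changed_amount": verify_token(SERVER_KEY, sid, "POST", path,
                                       dict(form, amount="10000"), now=1100),
        "other_action": verify_token(SERVER_KEY, sid, "POST", "/account/close",
                                     form, now=1100),
        "other_session": verify_token(SERVER_KEY, "sess-victim", "POST", path,
                                      form, now=1100),
        "expired": verify_token(SERVER_KEY, sid, "POST", path, form,
                                now=1000 + MAX_AGE_SECONDS + 1),
        "redated": verify_token(SERVER_KEY, sid, "POST", path,
                                dict(form, ts="5000"), now=5100),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} accepted={ok}")
```

For a GET link the same parameters ride in the query string, which is exactly the "rather ugly" case the earlier message mentions; the binding is unchanged, since the path and the sorted query parameters go into the MAC either way.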