WebApp Sec mailing list archives

Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack


From: Kanatoko <anvil () jumperz net>
Date: Sat, 05 Feb 2005 07:49:35 +0900

Hi Ofer,

Thank you very much for your feedback.

> The problem with Guardian is that it is a signature-based machine
> without signatures.

We have 60 signatures now. 
http://guardian.jumperz.net/index.html?i=004
I think that it is enough because many of those are generic.


> Unfortunately IP addresses are a very unreliable way to follow sessions,
> as you write in the section about real world cases. To make things worse,
> AOL, the biggest ISP in the US, uses multiple gateways for the same user.
> IP reuse will also generate many false positives, and on top of that
> multiple windows on the same machine may also issue alerts.

I know. So I wrote this:
http://guardian.jumperz.net/manual/en/body100.html


> And to make things even more complex, half of the sessions out there
> are not cookie based at all.... jsessionid is usually used as a query
> parameter, while other technologies re-write the URL to maintain
> sessions.

I know. Guardian supports that situation.
Guardian supports the following 4 types.

1. Session ID in Cookie
---------------------------
GET /foo HTTP/1.0
Cookie: sessionid=12345
User-Agent: Mozilla

---------------------------

2. Session ID in parameter in URL
---------------------------
GET /foo;sessionid=12345 HTTP/1.0
User-Agent: Mozilla

---------------------------

3. Session ID in query in URL
---------------------------
GET /foo?bar=baz&sessionid=12345 HTTP/1.0
User-Agent: Mozilla

---------------------------

4. Session ID in query in HTTP request body
---------------------------
POST /foo HTTP/1.0
User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

bar=baz&sessionid=12345
---------------------------

Thanks.

-- 
Kanatoko<anvil () jumperz net>
Open Source WebAppFirewall
http://guardian.jumperz.net/


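Added example, not part of the original message and not Guardian's own code: a small Python parser that pulls a session identifier out of each of the four request shapes listed above (Cookie header, path parameter, query string, form-urlencoded body), plus a tracker that remembers the client fingerprint first seen for each session id and raises an alert when a later request with the same id arrives with a different User-Agent (and, optionally, a different client IP). The parameter name `sessionid`, the sample requests and the IP addresses are constructed for the example; the IP check is off by default because, as the thread notes, proxies and multi-gateway ISPs change a legitimate client's address mid-session.

```python
"""Session-id extraction for the four request shapes, plus a fingerprint
check per session. Hypothetical example code; not Guardian's implementation."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "sessionid"  # assumed session parameter name

# Constructed sample requests, one per shape discussed in the message.
REQUESTS = {
    "cookie": "GET /foo HTTP/1.0\r\nCookie: sessionid=12345\r\nUser-Agent: Mozilla\r\n\r\n",
    "path": "GET /foo;sessionid=12345 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n",
    "query": "GET /foo?bar=baz&sessionid=12345 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n",
    "body": ("POST /foo HTTP/1.0\r\nUser-Agent: Mozilla\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Content-Length: 23\r\n\r\n"
             "bar=baz&sessionid=12345"),
}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_session_id(raw: str, name: str = SESSION_PARAM):
    """Return the session id carried by the request, or None.
    Checked in order: Cookie header, path parameter (/foo;name=...),
    query string, application/x-www-form-urlencoded body."""
    _method, target, headers, body = parse_request(raw)
    if "cookie" in headers:                      # 1. Cookie header
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        if name in jar:
            return jar[name].value
    parts = urlsplit(target)                     # urlsplit keeps ';params' in .path
    _path, _, matrix = parts.path.partition(";") # 2. path parameter
    for item in matrix.split(";"):
        key, _, value = item.partition("=")
        if key == name and value:
            return value
    query = parse_qs(parts.query)                # 3. query string
    if name in query:
        return query[name][0]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):  # 4. form body
        form = parse_qs(body)
        if name in form:
            return form[name][0]
    return None


class SessionTracker:
    """Remember the (client IP, User-Agent) first seen for a session id and
    report later requests whose fingerprint differs. A User-Agent change on
    the same id is always reported; an IP change only when check_ip is set,
    since multi-gateway ISPs and NAT make IP a weak session anchor."""

    def __init__(self, check_ip: bool = False):
        self.check_ip = check_ip
        self.seen = {}  # session id -> (client ip, user-agent)

    def observe(self, raw: str, client_ip: str):
        sid = extract_session_id(raw)
        if sid is None:
            return None
        _, _, headers, _ = parse_request(raw)
        agent = headers.get("user-agent", "")
        if sid not in self.seen:
            self.seen[sid] = (client_ip, agent)
            return "new"
        first_ip, first_agent = self.seen[sid]
        if first_agent != agent:
            return "alert: user-agent changed"
        if self.check_ip and first_ip != client_ip:
            return "alert: client ip changed"
        return "ok"


def run_demo(check_ip: bool = False):
    """Feed a constructed sequence through the tracker and return verdicts:
    first sight, same id from another IP, then same id with another User-Agent."""
    tracker = SessionTracker(check_ip=check_ip)
    return [
        tracker.observe(REQUESTS["cookie"], "198.51.100.10"),
        tracker.observe(REQUESTS["query"], "198.51.100.11"),
        tracker.observe(REQUESTS["cookie"].replace("Mozilla", "curl/7.0"), "198.51.100.10"),
    ]


if __name__ == "__main__":
    for shape, raw in REQUESTS.items():
        print(shape, "->", extract_session_id(raw))
    print(run_demo())
```

With `check_ip=False` the second request (same id, different address) is accepted, which is the trade-off the thread describes: fewer false positives from gateway rotation at the cost of missing a hijacker who only changes source address.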