WebApp Sec mailing list archives

Re: Maia Mailgaurd http://www.renaissoft.com/maia/

From: Achim Hoffmann <kirke11 () securenet de>
Date: Mon, 18 Jul 2005 16:41:24 +0200 (MEST)

On Mon, 18 Jul 2005, Chuck wrote:

!! Responses below....
!!
!! On 7/16/05, Christopher Canova <ccanova () reachone com> wrote:
!!
!! > We are currently in a discussion about
!! > using the PHP Session ID in the URL and whether to strictly enforce
!! > cookies to avoid session hijacking. The fear is that we could possibly
!! > be passing along the referral information to a spammer willing to
!! > exploit such a vuln. Some of the discussion is related closely to this
!! > mailing list, so I wanted to see what everyone thought about it.
!!
!! > What are the risks to enforcing session handling using cookies? Will it
!! > break functionality for many people? Are the risks of including the SID
!! > in the URL worse than cookies?
!!
!! In short, you are better off putting the session id in a cookie than
!! putting it in the URL.  You are right that referrer headers are one
!! way that a URL session id can leak.  It may also be logged in proxies
!! or firewalls.

In short, it is much simpler to steal session ids from cookies than from
URL, exceptions see below. For stealing cookies, we just need XSS somewhere
on the same server (or if designed bad, on the same domain) and a simple
 document.cookie
Getting the session id from the current URL is also simple, but if it is
just in a link (href= action= attribute) then things get more complicated,
AFAIK not possible without parsing the whole DOM tree.

Cookies are unsecure, unfortunately.
And more worse, most application don't take care for example by using FQDN
and proper path= attribute and secure flag.

!! There is also the problem that users do not expect sensitive
!! information in the URL.  They may send the URL to someone in an IM or
!! email or even post it on a mailing list or blog, not realizing that it
!! will give whoever follows the URL access to their account (at least
!! until the session ID expires).

Agreed.
But it's the responsibility of the application to ensure a correct and
secure session management (one of the initial questions).

!!
!! Finally, I don't like the idea of displaying the session ID on the
!! screen.  It makes the user vulnerable to shoulder surfing and again,
!! they may send someone or post a screenshot of the application not
!! realizing that the session ID is there in the URL.

I agree that a session id in the URL is very sensitive data, but only as
long as the session is active (which is the resposibility of the application).

{-: Achim

Current thread:

Maia Mailgaurd http://www.renaissoft.com/maia/ Christopher Canova (Jul 16)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
  - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
    - RE: Maia Mailgaurd http://www.renaissoft.com/maia/ Guillaume Vissian (Jul 18)
    - PHP Session ID's focus (Jul 19)
    - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
    - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
    - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 20)
    - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 20)
    - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 21)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Stelian Ene (Jul 18)
  - Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Andy bentley (Jul 18)