WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: "Adam Tuliper" <amt () gecko-software com>
Date: Sat, 3 Jun 2006 14:26:44 -0400
Beginning with ie5, ssl session id is renegotiated every two minutes during the same session.
Http session ids based on this method would no longer remain valid then.In addition, I dont believe this field is readily available to most web developers, at least on the ms platform.
----- Original Message ----- From: "Jason Muskat" <Jason () TechDude Ca>
To: "Michael Decker" <MDecker () tesis de>; <webappsec () securityfocus com> Sent: Friday, June 02, 2006 10:18 PM Subject: Re: How to create (hijacking) secure HTTP sessions?
Hello,You have the major parts, especially "HTTP session ID joined with IP and SSLsession ID'. Most web-apps don't do this, but they should. To that one should add A) allow only one active login Regards, -- Jason Muskat | GCUX - de VE3TSJ ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/From: Michael Decker <MDecker () tesis de> Organization: Tesis SYSware GmbH Date: Thu, 01 Jun 2006 09:13:50 +0200 To: <webappsec () securityfocus com> Subject: How to create (hijacking) secure HTTP sessions? Hi! I tried to figure out, how to create HTTP session, that are not so easy to hijack. So I think about that mechanisms: * Using HTTPs * Randomize HTTP session IDs * Only create HTTP session ID after login * HTTP session ID joined with IP and SSL session ID * Block all session ID usings, that do'nt match IP and SSL session ID * Set HTTP session timeout * Expire HTTP session after logout Is that all? Is there any mechanism, that isn't a good idea? Bye, Michael -- Michael Decker Michael.Decker () tesis de TESIS SYSware GmbH http://www.tesis.de Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0 ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Ivan Ristic (Jun 03)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Nathan Keltner (Jun 08)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Rogan Dawes (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? stefano (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)