WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: ascii <ascii () katamail com>
Date: Mon, 05 Jun 2006 02:13:00 +0200
Robin Wood wrote:
> What happens if your users are using proxies which change over the period of the session, such as AOL? This approach would stop them from using your system.
i think the answer is in the message you replied : )
On 6/3/06, ascii <ascii () katamail com> wrote:
> this should play better on https than on http because commonly ssl connections are direct (while some isp split the http traffic over different proxy servers and several public ips)
does AOL proxy https traffic?
normally your browser opens an ssl connection directly with the server
the other option is to use a proxy with the CONNECT request method enabled to tunnel the ssl channel (but the proxy cannot cache the traffic, so no cache acceleration)
if this happens and the proxy changes then a solution is to exclude the ip class from the ip check
naturally you have to see the context, if your webapp doesn't apply for a particular check don't do that particular check
Regards,
Francesco 'ascii' Ongaro - http://www.ush.it/
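An added example, not part of the original message: a session check that binds a session to the client IP but relaxes the comparison when both addresses fall inside the same listed proxy range, as the reply suggests. The `Session` class, `check_request` function, reason strings and the ranges (RFC 5737 documentation networks, not any real ISP's) are assumptions made for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed proxy pools (RFC 5737 documentation ranges) standing in for the
# "ip class" of an ISP whose proxies rotate during one session.
EXEMPT_PROXY_POOLS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

@dataclass
class Session:
    token: str      # session identifier issued at login
    bound_ip: str   # client address recorded at login

def _pool_of(addr):
    """Return the exempt pool containing addr, or None."""
    for net in EXEMPT_PROXY_POOLS:
        if addr in net:
            return net
    return None

def check_request(session, presented_token, remote_ip, enforce_ip=True):
    """Return (allowed, reason) for one request against a stored session."""
    # Constant-time comparison of the presented session token
    if not hmac.compare_digest(session.token.encode(), presented_token.encode()):
        return False, "bad-token"
    if not enforce_ip:
        # The application decided the IP check does not fit its context
        return True, "ip-check-disabled"
    try:
        bound = ipaddress.ip_address(session.bound_ip)
        remote = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "bad-address"
    if remote == bound:
        return True, "ip-match"
    pool = _pool_of(bound)
    # Exemption applies only when BOTH addresses sit in the same listed pool;
    # a jump from one pool to another, or out of the pool, is still rejected.
    if pool is not None and remote in pool:
        return True, "same-proxy-pool"
    return False, "ip-changed"
```

Exempting a range widens the set of addresses that can reuse a captured token, so the list should hold only ranges where rotation has actually been observed.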