WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: stefano <stefano.dipaola () wisec it>
Date: Mon, 05 Jun 2006 12:12:06 +0200
I think remote address check is an additional check that can raise the bar a little bit more. But as Robin and Ivan said it has some usability drawbacks.. Moreover from a security point of view, I would just don't rely too much on this, as there are many untrustable scenarios like having user's public ip, shared with other non "trustable" people.. Think about WANs or (public) hot spots with wireless AP.. Regards, Stefano On lun, 2006-06-05 at 02:13 +0200, ascii wrote:
Robin Wood wrote:What happens if your users are using proxies which change over the period of the session, such as AOL. This approach would stop them from using your system.i think the answer is in the message you replied : )On 6/3/06, ascii <ascii_katamail.com> wrote:this should play better on https then on http because commonly ssl connections are direct (while some isp split the http traffic over different proxy servers and several public ips)does AOL proxy https traffic? normally your browser open an ssl connection directly with the server the other option is to use a proxy with the CONNECT request method enabled to tunnel the ssl channel (but the proxy cannot cache the traffic, so no cache acceleration) if this happen and the proxy change then a solution is to exclude the ip class from the ip check naturally you have to see the context, if your webbapp doesn't apply for a particular check don't do that particular check Regards, Francesco 'ascii' Ongaro - http://www.ush.it/
....oOOo....oOOo.... Stefano Di Paola Software Engineer Mail: stefano.dipaola!wisec.it Web: www.wisec.it .................... ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- Re: How to create (hijacking) secure HTTP sessions?, (continued)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Ivan Ristic (Jun 03)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Nathan Keltner (Jun 08)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Rogan Dawes (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? stefano (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)