WebApp Sec mailing list archives
RE: [WEB SECURITY] Session hijacking impossible with SSL client authentication?
From: "Boaz Shunami" <BoazS () comsec co il>
Date: Tue, 21 Nov 2006 18:12:32 +0200
Hi Holger,

An attacker having a valid client certificate will most probably be able to perform session hijacking on most or all current-day web applications. This stems from the fact that for each session, the private certificate must be validated; which will not be the case for most current-day 2FA systems.

Regards,
Boaz Shunami
Senior Security Consultant & Project Manager
Comsec Consulting
Office: +972-3-9234646 ext. 220
Mobile: +972-52-4762230
e-mail: BoazS () Comsec co il
Web: http://www.ComsecGlobal.com
"The Art of Securing Your Business"

-----Original Message-----
From: Holger.Peine () iese fraunhofer de [mailto:Holger.Peine () iese fraunhofer de]
Sent: Tuesday, November 21, 2006 2:47 PM
To: websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Session hijacking impossible with SSL client authentication?

Hello,

I am familiar with session hijacking by stealing the victim's session id and inserting that into an attacker's request. This works just as well with "normal" SSL (i.e. server authentication only), since the client is still authenticated by its session id only.

However, what happens when SSL with client authentication (i.e. with a client certificate) is used? When the attacker sends their first request with the stolen session id, a new SSL handshake is performed. Doesn't the server require a matching client certificate in the course of this handshake (which would make the handshake fail, and the stolen session id useless)?

Or is the client certificate validated only once per session (but that would mean that the SSL server implementation would have to check if a valid session id is contained in the request, which looks highly improbable to me, since that would confuse the different protocol layers of SSL and the application)?

Thanks for your replies,
Holger Peine

--
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8

The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
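An added example, written for this archive page and not code from either poster, of the point both messages circle around: the TLS layer accepts whichever valid client certificate the attacker's own handshake presents, so only the application can tie a session id to the certificate it was issued under. The SessionStore class, its method names and the certificate byte strings are constructed for the demonstration; a real server would take the certificate bytes from the TLS connection that carried the request.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-ins for the DER bytes of two client certificates; a real
# server would take these from the TLS layer (the peer certificate of the
# connection that carried the request). SessionStore is a hypothetical helper.
ALICE_CERT_DER = b"constructed DER bytes: CN=alice, issued by the corporate CA"
MALLORY_CERT_DER = b"constructed DER bytes: CN=mallory, issued by the same CA"

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER encoding: a stable identity for one certificate."""
    return hashlib.sha256(cert_der).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, session_id: str, user: str, cert_der: bytes) -> None:
        # Record which client certificate the session was established under.
        self._sessions[session_id] = {"user": user, "cert_fp": cert_fingerprint(cert_der)}

    def user_by_cookie_only(self, session_id: str) -> Optional[str]:
        # The pattern the thread describes: the session id alone is trusted,
        # whichever valid client certificate the request arrived over.
        session = self._sessions.get(session_id)
        return session["user"] if session else None

    def user_by_cookie_and_cert(self, session_id: str, cert_der: Optional[bytes]) -> Optional[str]:
        # Hardened lookup: honour the session id only when the request's client
        # certificate matches the one bound at session creation.
        session = self._sessions.get(session_id)
        if session is None or cert_der is None:
            return None
        if not hmac.compare_digest(session["cert_fp"], cert_fingerprint(cert_der)):
            return None
        return session["user"]

def demo() -> Dict[str, Optional[str]]:
    # Alice logs in under her certificate; her session id is then replayed over
    # a handshake with a different valid certificate, and with no certificate.
    store = SessionStore()
    store.create("sid-0001", "alice", ALICE_CERT_DER)
    return {
        "owner": store.user_by_cookie_and_cert("sid-0001", ALICE_CERT_DER),
        "cookie_only_other_cert": store.user_by_cookie_only("sid-0001"),
        "bound_other_cert": store.user_by_cookie_and_cert("sid-0001", MALLORY_CERT_DER),
        "bound_no_cert": store.user_by_cookie_and_cert("sid-0001", None),
    }
```

With the cookie-only lookup the replayed id is still accepted as alice; with the bound lookup it is refused under a different certificate and under none at all.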