WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: Rohit Sethi <rklists () gmail com>
Date: Thu, 2 Apr 2009 21:00:03 -0400
Tommy, It's clear that session hijacking is only one of many problems that you've outlined in your scenario. If you have XSS an attacker *doesn't need* to steal a session - he can execute his entire attack through the client via a set of CSRF AJAX requests and responses. What you should really be asking yourself here is "what in the session am I trying to protect?" Your application probably has many different transactions - which ones are the most sensitive? For instance, can people steal credit card numbers or transfer money in your application? For those transactions, you should consider using transactional authentication - forcing the user to use a different factor of authentication for particularly high-risk transactions. One time passwords are ideal for transactional authentication. If you can't afford to distribute hard tokens consider using something like www.phonefactor.com (they have a free service as well as commercial versions). I can't vouch for phone factor personally but I know it's come up on this list before.

On 4/2/09, Martin O'Neal <martin.oneal () corsaire com> wrote:

There are WAFs available on the market that implement secure session handling...LOL; thanks for the comment, but to paraphrase, you're basically suggesting adding another technology to the mix (one that the client will be unlikely to be familiar with, but will have to maintain both from a platform and skills perspective), and rather than fixing the application, you duplicate some functionality into the WAF, which (unless you fix the XSS [in the WAF or application]) won't actually help with the lost session ID anyway, as the attacker will still be running mobile code in the user's browser session, with access to everything that the user has; source IP, cookies, blah-blah-blah. Doesn't sound like a particularly ideal solution to the scenario to me... Martin...
-- Rohit Sethi Security Compass http://www.securitycompass.com