WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: David Scholefield <david () port80 com>
Date: Fri, 3 Apr 2009 09:44:18 +0100
On 3 Apr 2009, at 01:46, Brad Causey wrote:
1. Will a WAF prevent session hijacking?

In a word, no. I'm with the school of thought that a WAF is a TEMPORARY mitigation of risk while the CODE issues are being resolved. So in practice, you should not deploy a WAF with the long term intent of preventing a certain attack.
<snip>
The fact that PCI says you can have either a WAF or a security review is insane to me.
I totally agree with this - a WAF is a very blunt tool and shouldn't replace decent coding and code review standards. But then code review can be very expensive and time-consuming (especially if you don't use a 'standard' set of Microsoft tools such as .NET, or some flavours of Java, and have to do it by hand!).
----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com
Security in a connected world