WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: "Just1n T1mberlake" <hotpackets () hellokitty com>
Date: Mon, 6 Apr 2009 12:22:01 +0800
In reply to Brad Causey, 3 Apr 2009, at 01:46:

I have been working in the IT security industry for 15 years and I have post-graduate qualifications in computer security specializing in session management and egress filtering.

Security in session management is a lot like trying to pour dirty water through a coffee filter. Some of the dirt gets caught, but you are still going to be drinking a lot of water at the end of it, and you are certainly going to be throwing the filter away at the end of the process! You can't just hope for a magic bullet with a web application firewall here. A WAF will help you in some cases, such as your typical CSRF or XSS or the newer CSS-style embedded iframe issues, but you won't be able to stop a determined attacker with such a tool. This is really analogous to trying to stop terrorism by invading another country, no?

What is really needed is an understanding of why you are using sessions to begin with. If you can eliminate the need for these types of session constructs, with some kind of formal testing or proofs associated, then you will be able to eliminate the class of vulnerabilities that are formed by using these types of constructs. Bees et al. (2002) discusses this in great detail if you are looking for a tough but refreshing read.

Really, the problem here is you are trying to compare using sessions safely to something like the safety of guns for your own protection. If you are keeping a gun securely stored then you will likely not suffer from theft, but if you are carrying it around with you then you are just asking for someone else to escalate to these types of weapons as well. But the answer is not just to keep the tools out of the bad guys' hands, otherwise it will only be the criminals that steal sessions.

A few thoughts to provoke some discussion on this interesting topic.
HTH,
Justin
CISSP, CISM, CCIE+Security, CCNA, 3Com Pro NIC Installer 2001