Full Disclosure mailing list archives
Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
From: genericone () hushmail com
Date: Thu, 12 Jul 2012 09:15:32 -0400
Benji, Do you write anything but scathing criticism? I've never seen you contribute anything of use to this list. You must be a real pleasure in person. Sent using Hushmail On 07/12/2012 at 4:52 AM, Benji wrote:Ah, please send more emails explaining the faults of retarded programmers and serious vulnerabilities, and then link to an owasp page. Can you explain HTTPOnly cookies to me? I will only accept your explanation if you can justify an impact of Critical, a likelihood of High and a severity of High? fuq'in kidz... On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu wrote:
This article explains how this vulnerability works with Session
Fixation
attack.
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
From: gokhan.muharremoglu () iosec org To: full-disclosure () lists grok org uk Date: Wed, 11 Jul 2012 11:34:11 +0300 Subject: [Full-disclosure] Predefined Post Authentication Session
ID
VulnerabilityVulnerability Name: Predefined Post Authentication Session ID Vulnerability Type: Improper Session Handling Impact: Session Hijacking Level: Medium Date: 10.07.2012 Vendor: Vendor-neutral Issuer: Gokhan Muharremoglu E-mail: gokhan.muharremoglu () iosec org VULNERABILITY If a web application starts a session and defines a session id
before a
user authenticated, this session id must be changed after a successful<
br>>
authentication. If web application uses the same session id before
and after
authentication, any legitimate user who has gained the "before authentication" session id can hijack future "after authentication" sessions too. Vulnerable Login Page & Session ID before Authentication (Status-Line) HTTP/1.1 200 OK Server Apache/2.2.3 (CentOS) Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ Expires Thu, 19 Nov 1981 08:52:00 GMT Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma no-cache Content-Type text/html Content-Length 308 Date Tue, 10 Jul 2012 06:16:57 GMT X-Varnish 1922993981 Age 0 Via 1.1 varnish Connection keep-alive Vulnerable Login Page & Authentication Request (Request-Line) POST /io sec_login_vulnerable.php HTTP/1.1Host www.iosec.org User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr;
rv:1.9.2.25)
Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E) Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding gzip,deflate Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7 Keep-Alive 115 Connection keep-alive Referer http://www.iosec.org/iosec_login_vulnerable.php Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2 Content-Type application/x-www-form-urlencoded Content-Length 42 POST DATA user gokhan pass muharremoglu submit Login Vulnerable Login Page & Session ID after Authentication (Status-Line) HTTP/1.1 200 OK Server Apache/2.2.3 (CentOS) Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ Expires Thu, 19 Nov 1981 08:52:00 GMT Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma no-cache Content-Type text/html Content-Length 308 Date Tue, 10 Jul 2012 06:16:57 GMT X-Varnish 1922993981 Age 0 Via 1.1 varnish Connection keep-alive MITIGATION To avoid this vulnerability, sessions must be regenerated after a successful login. In a session fixation attack, attacker fixates (sets)
another
person's (victim's) session identifier because of "never
regenerated and
validated" session id and this vulnerability can also lead to the
Session
Fixation attack. _______________________________________________ Full-Discl osure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability genericone (Jul 12)
- Re: Predefined Post Authentication Session ID Vulnerability Benji (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability larry Cashdollar (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Григорий Братислава (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Benji (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Григорий Братислава (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Benji (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Benji (Jul 13)
- Re: Predefined Post Authentication Session ID Vulnerability Benji (Jul 13)