Full Disclosure mailing list archives

Re: Predefined Post Authentication Session ID Vulnerability


From: Jann Horn <jannhorn () googlemail com>
Date: Fri, 13 Jul 2012 01:06:10 +0200

On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremoglu () iosec org
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> has authenticated, this session id must be changed after a successful
> authentication. If the web application uses the same session id before and
> after authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.

Uh, so, erm, you assume that someone can steal my cookie/set it/whatever
although the Same Origin Policy should clearly not allow that, and then, after
I have logged in, he can't just steal my cookie? Unless you allow setting the
session-ID via a URL or so (which would IMO be pretty stupid), I can't see
how this is a realistic, vendor-neutral attack. Could you explain this a bit
better? I don't get it.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
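The mitigation the quoted advisory asks for (issuing a fresh session id after a successful login, so an id that was known before authentication does not stay valid afterwards), as an added example that is not part of either message in this thread. The in-memory store and its `login_keep_id` / `login_regenerate` methods are constructed for illustration; the "vulnerable" method keeps the behaviour the advisory describes, the other shows the fix:

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration only)."""

    def __init__(self):
        self._sessions = {}  # session id -> session attributes

    def start(self):
        """Start an anonymous, pre-authentication session and return its id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Resolve a session id; None if it is unknown or has been invalidated."""
        return self._sessions.get(sid)

    def login_keep_id(self, sid, user):
        """Pattern the advisory warns about: the pre-authentication id is simply
        marked as authenticated, so anyone who knew it before login can use it
        after login as well."""
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerate(self, sid, user):
        """Mitigation: on successful authentication, drop the old id and issue a
        new one, carrying over any pre-login state that should survive."""
        old_state = self._sessions.pop(sid)  # old id no longer resolves
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old_state, "user": user}
        return new_sid


def demo(regenerate):
    """Run one login and report whether the pre-auth id still grants access."""
    store = SessionStore()
    pre_auth_id = store.start()  # id handed out before the user logs in
    login = store.login_regenerate if regenerate else store.login_keep_id
    post_auth_id = login(pre_auth_id, "alice")
    stale = store.lookup(pre_auth_id)
    return {
        "id_changed": post_auth_id != pre_auth_id,
        "old_id_authenticated": bool(stale and stale["user"] == "alice"),
        "new_id_authenticated": store.lookup(post_auth_id)["user"] == "alice",
    }
```

Real frameworks expose the same step directly, for example PHP's `session_regenerate_id(true)` and Django's `request.session.cycle_key()`; the check worth keeping in a test suite is that the pre-login id no longer resolves once the user is authenticated.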