Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Mark Curphey <mark () CURPHEY COM>
Date: Sun, 24 Dec 2000 09:13:22 -0800

IMHO - Hidden Form Fields, isn't that like security by obscurity (maybe I
don't understand how they work right)? Sure you can set the no-cache option
in the HTTP header, but doesn't the session status ID (whatever you pass as
the form field value) just sit on the client machine ready to be replayed?

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Robert van der Meulen
Sent: Saturday, December 23, 2000 7:56 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management


Hi,

Quoting Drew Simonis (simonis () myself com):
Apart from RFC 2965 (cookies) what other methods are available to
developers to manage sessions securely; i.e. authenticate each session
in a transaction ?

Is a decorated URL a better option?
Placing the credential material in the URL is another way, yes.  Is it
better?  To answer that, we would really need to know in what way you mean
better.
Decorated URLs, containing session IDs, are almost always worse. I hate
cookies, so I try to use them as little as possible, but your best bet would
be a <INPUT TYPE=hidden .... > tag somewhere.
There have been some problems (also mentioned on Bugtraq) with URL-embedded
session IDs, mainly in webmail clients. If you go to a different (off-site)
page from a page containing 'decorated URLs', the URL you came from
(referrer) can get logged.
An evil admin could mail you a message with an embedded URL, have you visit
his site (from the webmail client), log your session ID, and access your
email.
This problem is still visible in a lot of web-based systems today.
(URLs with session IDs are a potential security leak for me - so it's not
that off-topic :) )

Greets,
        Robert

--
|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
                if you remember the 60's, you weren't there.
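The following is an added example in Python, not code from this thread or from either poster. It illustrates both points raised above: what a "decorated URL" exposes through the Referer header when the user follows an off-site link (modelled as the full URL minus fragment, which is how browsers of that period behaved; modern browsers default to a stricter referrer policy), and the usual defence of accepting the session ID only from a cookie, backed by a server-side store with expiry, so that a replayed ID is bounded by its lifetime. The cookie name `sid`, the list of parameter names, and the sample webmail URL are constructed assumptions.

```python
"""Added example: Referer exposure of URL-embedded session IDs versus a
cookie-carried ID backed by an expiring server-side store.
Names (sid, SESSION_PARAM_NAMES, sample URL) are constructed for this example."""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed list of query-parameter names commonly used for session IDs.
SESSION_PARAM_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid"}


def referer_exposure(page_url: str) -> dict:
    """Model the Referer header a browser of that era sent when the user
    followed an off-site link from page_url: the full URL minus the fragment
    (assumption; modern browsers send less by default). Returns the header
    value and the session-looking query parameters it would carry."""
    parts = urlsplit(page_url)
    referer = urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
    query = parse_qs(parts.query)
    leaked = {k: v[0] for k, v in query.items() if k.lower() in SESSION_PARAM_NAMES}
    return {"referer": referer, "leaked": leaked}


def session_id_from_request(headers: dict, url: str) -> Optional[str]:
    """Accept the session ID only from the Cookie header. The query string
    is deliberately ignored, so a decorated URL (or a copy of it from a
    Referer log) never authenticates a request on this server."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get("sid")
    return morsel.value if morsel else None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: not sent over plain HTTP (Secure), not readable by
    script (HttpOnly), not attached to cross-site navigations (SameSite)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Server-side state keyed by a random ID. The client holds only an
    opaque bearer token, whether in a cookie or a hidden field; replaying
    it works only until the server expires or destroys the record."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions = {}  # sid -> {"user": ..., "expires": ...}
        self.ttl = ttl_seconds

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] <= now:
            self._sessions.pop(sid, None)  # expired IDs are dropped on touch
            return None
        rec["expires"] = now + self.ttl  # sliding expiry on activity
        return rec["user"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed webmail-style URL of the kind described in the thread.
    print(referer_exposure("https://mail.example.test/inbox?sessionid=abc123&folder=in"))
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(session_id_from_request({"Cookie": f"sid={sid}"}, "https://mail.example.test/?sid=stale"))
```

The `referer_exposure` check is the kind of thing worth running over a site's own link targets: any session-looking parameter it reports would have been visible to every off-site page a user clicked through to. The server-side store answers the replay concern only partially, which is the honest limit of every bearer-token scheme: the ID is replayable for as long as the record lives, so the defence is short expiry, destroying the record on logout, and regenerating the ID after login.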

