Penetration Testing mailing list archives
Re: [PEN-TEST] HTTP Secure Session State Management
From: Philip Stoev <philip () STOEV ORG>
Date: Wed, 27 Dec 2000 12:07:15 +0200
----- Original Message -----
From: "Thomas Reinke" <reinke () E-SOFTINC COM>
> For what it's worth (and even this isn't as secure as it could be, but is
> _very_ good and has been used in practice on several highly secure sites),
> you can use:
>
> c) For the truly paranoid, a double check of the user agent string to
> confirm it is the same as when the session was first created.
The man-in-the-middle guy can issue his HTTP requests using the UserAgent string of the victim (he knows it, since the victim has already been lured into browsing the malicious site), so this type of protection is quite useless. The UserAgent, as well as any other user-supplied information (and the Referer in particular) must be regarded as insecure.

Otherwise, your other suggestions are very good.

---------------------------------------------------

Also, people, please be careful that if you require SSL at any place in your site, that you do not allow the same information to be made accessible without SSL. For example, Hotmail uses the following login form:

    <form name="passwordform" action="https://lc4.law5.hotmail.passport.com/cgi-bin/dologin" method="POST" target="_top" >
    ...
    </form>

Even if https:// here is substituted with http://, Hotmail will still allow the login to go through. Amazon.com will also allow it (although if you mistype your password, Amazon will detect that you are not using their secure server, and remove the "you are completely secure" banners; however, if you have your password right the first time, you will be signed in without any warnings).

This opens the possibility to create a small packet-manipulating gadget that will rewrite such https:// URLs to http:// on the fly, and then just sniff the plaintext passwords that will come down the same wire shortly afterwards. Simple, no need to forge certificates, do SSL connections on your own, pretend that you are someone else's site, register bogus domains, do DNS poisoning, etc.

Philip
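Added example (not code from Philip's post or from the sites he names) covering both halves of his SSL point: a page audit that flags password forms whose action, or the page they sit on, is not https, and a login handler that refuses credentials arriving over plain http rather than letting the login go through. The request dict and the sample HTML are constructed stand-ins for a real framework request.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PasswordFormAuditor(HTMLParser):
    """Collect the action of every <form> that contains a password field
    but would submit it over something other than https."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self._form = None      # the <form> currently being parsed, if any
        self.insecure = []     # actions of password forms not posting to https

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_pw": False}
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["has_pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            # A relative action inherits the scheme of the page it sits on.
            scheme = urlsplit(self._form["action"]).scheme or self.page_scheme
            if self._form["has_pw"] and scheme != "https":
                self.insecure.append(self._form["action"])
            self._form = None


def audit_login_forms(html, page_url):
    """Return the actions of password forms in `html` that do not use https."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    return auditor.insecure


def handle_login(request):
    """Server side: never create a session from credentials that arrived in
    the clear, even though the same script also serves the https endpoint.
    `request` is a constructed dict: {"scheme": ..., "form": {...}}."""
    if request["scheme"] != "https":
        # The password is already on the wire; the best we can still do is
        # refuse it, so a downgraded login never yields a usable session.
        return {"status": 403, "body": "Log in over https only"}
    # The credential check itself is out of scope here; issue a Secure cookie
    # so the session identifier cannot be replayed over plain http either.
    token = secrets.token_urlsafe(32)
    return {"status": 200, "set_cookie": f"session={token}; Secure; HttpOnly"}
```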