Penetration Testing mailing list archives
Session Hijacking Security
From: 11ack3r <11ack3r () gmail com>
Date: Wed, 16 Apr 2008 16:57:34 +0530
Hi Guys,

Thanks for your answers to my earlier post. I saw & tested how easy it was to capture cookies over the network and hijack sessions. Now what's the countermeasure? Sites like yahoo.com or any from a whole lot don't use HTTPS after authentication. Is there any other technique apart from HTTPS that they can use to ensure session hijacking is thwarted?

How about sending one-time cookies that are encrypted? Encryption will ensure confidentiality and one-timeness would mitigate replay attacks. Is anyone aware of any non-HTTPS implementation that is more secure, if not completely secure?

Thanks a ton
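The "one-time cookie" idea raised in the post, worked through as an added example (this is not code from the poster or from any site mentioned, and the class, method and session names are assumptions made for illustration). Each request must carry the session's current cookie; the server spends it and hands back a fresh one, so a cookie copied off the wire and replayed after the legitimate client has used it is refused. The example uses an HMAC tag instead of encryption because integrity plus single use is what defeats forgery and replay; if the nonce itself also had to stay hidden, an authenticated-encryption mode would take the place of the tag.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class OneTimeSessionStore:
    """Server-side store for single-use session cookies.

    Each request must present the current cookie for its session; the server
    consumes it and returns a fresh one, so a captured cookie that is replayed
    after the legitimate client has used it is rejected. (Assumed design,
    written to illustrate the idea in the post; not any site's real code.)
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        # nonce -> session id, holding only the currently valid nonce per session
        self._live: Dict[str, str] = {}
        # session id -> its currently valid nonce, so issuing a new one revokes the old
        self._current: Dict[str, str] = {}

    def _tag(self, nonce: str) -> str:
        # HMAC over the nonce: a forged or tampered cookie fails before any lookup.
        return hmac.new(self._key, nonce.encode("ascii"), hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Mint a new single-use cookie for session_id, revoking the previous one."""
        previous = self._current.get(session_id)
        if previous is not None:
            self._live.pop(previous, None)
        nonce = secrets.token_hex(16)
        self._live[nonce] = session_id
        self._current[session_id] = nonce
        return f"{nonce}.{self._tag(nonce)}"

    def consume(self, cookie: str) -> Tuple[Optional[str], Optional[str]]:
        """Validate and spend a cookie.

        Returns (session_id, next_cookie) on success, or (None, None) when the
        cookie is malformed, carries a bad tag, is unknown, or was already used.
        """
        nonce, sep, tag = cookie.partition(".")
        if not sep or not hmac.compare_digest(tag, self._tag(nonce)):
            return None, None
        session_id = self._live.pop(nonce, None)
        if session_id is None:
            return None, None  # never issued, revoked, or already spent (a replay)
        return session_id, self.issue(session_id)


def replay_demo() -> Dict[str, bool]:
    """Constructed scenario: a cookie is copied off plain HTTP, the real client
    uses it first, and the copy is presented again afterwards."""
    store = OneTimeSessionStore(key=secrets.token_bytes(32))
    cookie = store.issue("user-42")
    captured = cookie  # what a passive sniffer on plain HTTP would have seen

    user, next_cookie = store.consume(cookie)       # legitimate request spends it
    replay_user, _ = store.consume(captured)        # the copy is presented again
    # flip the last hex digit of the tag to show that tampering is also refused
    tampered = captured[:-1] + ("0" if captured[-1] != "0" else "1")
    tampered_user, _ = store.consume(tampered)
    follow_up, _ = store.consume(next_cookie)       # client continues with the new cookie

    return {
        "first_use_ok": user == "user-42",
        "replay_rejected": replay_user is None,
        "tampered_rejected": tampered_user is None,
        "next_cookie_ok": follow_up == "user-42",
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Two points a practitioner would want to keep in mind. First, single use only closes the window after the legitimate request: whoever presents the cookie first wins, and a lost race bumps the real user out. The upside is that the second presentation of a spent nonce is a clear signal of misuse, which the server can log and use to terminate the whole session. Second, without TLS an active attacker on the path does not need to replay anything, so this scheme raises the bar against passive capture rather than replacing HTTPS.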