Penetration Testing mailing list archives

Re: Session Hijacking Security


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Wed, 16 Apr 2008 23:58:37 +0530

HTTPS, as you say, is an absolute must, so that people can't steal the
cookies with which they can hijack your session. Other "best
practices" to follow would be:

a) Ensure that a valid session ID lasts only for a short interval. The
more sensitive the application, the shorter the time duration.

b) Destroy the session ID on logout. In ASP apps, ensure that the
browser instance itself is closed if you're using the default
ASPSESSIONID.

c) Terminate the "hijacked" session immediately, as soon as you see a
second login attempt. This, though, could be manipulated for a DoS
attack. I guess "one time cookies" fall into this bracket? And they're
usually encrypted anyway by default, as in they are quite random by
default in both ASP and JSP apps.

d) If possible, how about the use of page tokens as well, for every
critical page? Even if the session ID gets hijacked, the guy won't be
able to get at your data, as he can't predict the page token. How many
and which pages use page tokens, though, is up to you, based on how your
app performs.

Really though, HTTPS drops the risk a lot, and a lot of these other
attacks, while very much possible, do require some understanding of how
the app works. That's it off the top of my head :)

Cheers
Arvind
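Putting practices (a) through (d) from the reply above into working code, as an added example that is not part of the original post or of any product it mentions: a small server-side session store in Python with an injected clock (a constructed `FakeClock`) so the timeouts can be exercised offline. The timeout values, the choice to kill the older session when a second login arrives, and the single-use page tokens are assumptions of this example, not anything the post specifies.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 10 * 60        # assumed for this example: seconds idle before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed for this example: hard cap on a session's lifetime


class SessionStore:
    """Server-side session table: the cookie is only a random key, all state lives here."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> record
        self._by_user = {}    # username -> currently active session_id

    def login(self, user):
        # (c) a second login while a session is live terminates the existing one.
        # Anyone who can authenticate as the user can force this: the DoS trade-off.
        old = self._by_user.get(user)
        if old is not None:
            self.logout(old)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "page_tokens": {}}
        self._by_user[user] = sid
        return sid

    def logout(self, sid):
        # (b) destroy the server-side record; the cookie value is now worthless
        rec = self._sessions.pop(sid, None)
        if rec is not None and self._by_user.get(rec["user"]) == sid:
            del self._by_user[rec["user"]]

    def validate(self, sid):
        # (a) enforce idle and absolute timeouts on every request
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.logout(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def issue_page_token(self, sid, page):
        # (d) fresh random token rendered into the form or link of a critical page
        token = secrets.token_urlsafe(16)
        self._sessions[sid]["page_tokens"][page] = token
        return token

    def check_page_token(self, sid, page, presented):
        # Single use: popped whether or not it matches, so a wrong guess burns it
        rec = self._sessions.get(sid)
        if rec is None:
            return False
        expected = rec["page_tokens"].pop(page, None)
        return expected is not None and hmac.compare_digest(expected.encode(), presented.encode())


class FakeClock:
    """Constructed clock so the timeouts can be exercised without waiting."""
    def __init__(self, t=1_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Replay a sniffed cookie against each defence; returns a dict of outcomes."""
    clock = FakeClock()
    store = SessionStore(clock)
    out = {}
    stolen = victim = store.login("alice")   # the attacker captured this cookie off the wire
    out["stolen_cookie_works_alone"] = store.validate(stolen) == "alice"
    # (d) the attacker has the cookie but not the token rendered into alice's page
    store.issue_page_token(victim, "/transfer")
    out["guessed_page_token_rejected"] = not store.check_page_token(stolen, "/transfer", "AAAA")
    real = store.issue_page_token(victim, "/transfer")
    out["real_page_token_accepted"] = store.check_page_token(victim, "/transfer", real)
    out["page_token_not_replayable"] = not store.check_page_token(victim, "/transfer", real)
    # (c) alice logs in again from another browser; the older session dies
    store.login("alice")
    out["stolen_cookie_dead_after_relogin"] = store.validate(stolen) is None
    # (a) an idle session expires on its own
    bob = store.login("bob")
    clock.advance(IDLE_TIMEOUT + 1)
    out["idle_session_expired"] = store.validate(bob) is None
    # (b) explicit logout kills the session even while it is fresh
    carol = store.login("carol")
    store.logout(carol)
    out["logged_out_session_dead"] = store.validate(carol) is None
    return out
```

The point the code makes explicit is that every defence except the page token is a server-side decision keyed on the session record, so a sniffed cookie is only as good as that record; the page token is the one control that still holds while the record is live, because it never travels in the cookie. Run `demo()` and every entry in the returned dict should be `True`.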

On Wed, Apr 16, 2008 at 4:57 PM, 11ack3r <11ack3r () gmail com> wrote:
Hi Guys,

 Thanks for your answers to my earlier post.

 I saw & tested how easy it was to capture cookies over the network and
 hijack sessions.

 Now what's the countermeasure? Sites like yahoo.com or any from the whole
 lot don't use HTTPS after authentication. Is there any other technique
 apart from HTTPS that they can use to ensure session hijacking is
 thwarted?

 How about sending one-time cookies that are encrypted? Encryption will
 ensure confidentiality and one-timeness would mitigate replay attacks.

 Is anyone aware of any non-HTTPS implementation that is more secure,
 if not completely secure?

 Thanks a ton

 ------------------------------------------------------------------------
 This list is sponsored by: Cenzic

 Need to secure your web apps NOW?
 Cenzic finds more, "real" vulnerabilities fast.
 Click to try it, buy it or download a solution FREE today!

 http://www.cenzic.com/downloads
 ------------------------------------------------------------------------

