Re: Session Hijacking over HTTP

["Serg B" <sergeslists () gmail com>]

Jerry,

You are partially correct, in some cases this would not be possible.
However, generally speaking this is a solution.

See http://www.owasp.org/index.php/Session_Management, section 8.2:
How to protect yourself.

   Serg


On Wed, Mar 19, 2008 at 10:38 AM, Shenk, Jerry A
<jshenk () decommunications com> wrote:
> Sometimes, tying an http session to an IP address will incorrectly kick
>  users out who are going through proxies.  AOL traffic causes this at
>  times by switching proxies.  Since HTTP is a protocol that makes lots of
>  different connections, the browser can easily (but not often) change IP
>  addresses during a session.
>
>  The fact that each HTTP connection is a different IP session makes using
>  ports in the session management a problem too....in fact, I don't see
>  how that would work at all.
>
>
>
>  -----Original Message-----
>  From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
>  On Behalf Of Serg B
>  Sent: Tuesday, March 18, 2008 6:42 PM
>  To: 11ack3r
>  Cc: pen-test () securityfocus com
>  Subject: Re: Session Hijacking over HTTP
>
>  To protect session cookies you can set the cookie property: to send
>  only over SSL.  Also, regenerate SID after the user has authenticated
>  to the application - this will safe guard their account in case the
>  SID was compromised prior to authentication.  The SID itself should be
>  custom generated and include a digest of the following client
>  properties (can be more, this is the minimum): IP address, port
>  number, agent string.  This way a session will be tied to a particular
>  machine and user. This is the industry best practice.
>
>  Don't worry about building "custom browser or enterprise solution"
>  since it will only complicate things and get you hacked, remember the
>  KISS principle.  This is of course excluding the fact that it sounds
>  like a complete bandaid solution to a problem that should be solved at
>  design or implementation stage of the SDLC. In regards to the "trusted
>  channel" - SSL is about as trusted a it gets (excluding my uber army
>  of specially trained carrier pidgins of course).
>
>  Serg
>
>
>  On Tue, Mar 18, 2008 at 10:21 PM, 11ack3r <11ack3r () gmail com> wrote:
>  > Hello Everyone,
>  >
>  >  I was curious to know how would webmail portals like gmail.com and
>  >  yahoo.com protect their users from session hijacking when they use
>  >  HTTP after authentication.
>  >
>  >  As I see it is trivial to capture traffic over the wire including
>  >  session cookies. In such a case can an attacker just reuse the
>  session
>  >  cookies in his/her browser and compromise the user account?
>  >
>  >  WHat is the best way to protect session cookies from hijacking esp.
>  >  due to network eavesdropping? Of course HTTPS can also be bypassed
>  >  with MITM attacks if users ignore browser warnings.
>  >
>  >  Looking forward to some knowledge here.
>  >
>  >  Cheers!!
>  >
>  >
>  ------------------------------------------------------------------------
>  >  This list is sponsored by: Cenzic
>  >
>  >  Need to secure your web apps NOW?
>  >  Cenzic finds more, "real" vulnerabilities fast.
>  >  Click to try it, buy it or download a solution FREE today!
>  >
>  >  http://www.cenzic.com/downloads
>  >
>  ------------------------------------------------------------------------
>  >
>  >
>
>  ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Need to secure your web apps NOW?
>  Cenzic finds more, "real" vulnerabilities fast.
>  Click to try it, buy it or download a solution FREE today!
>
>  http://www.cenzic.com/downloads
>  ------------------------------------------------------------------------
>
>
>  **DISCLAIMER
>  This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
> they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
> intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
> message. If you have received this communication in error, please notify the sender and delete this e-mail message. 
> The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------