WebApp Sec mailing list archives

Re: Hijacking URL Encoded Session IDs using Referer Logs


From: ONEILL David J <David.J.Oneill () state or us>
Date: 25 Nov 2002 07:39:04 -0800

And ... Unless one would want to limit potential users from being able to
access the website, one would never assume that the session ID could be stored
in a cookie.

David J. O'Neill
NEDSS - IS7
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX:     (503) 378-2102

crazybob () crazybob org 11/25/02 06:59AM >>>
Many (most?) application servers use URL encoded session IDs when the 
user has disabled cookies. Many users disable cookies as a security 
precaution. There should be an advisory on this so that application 
server vendors stop allowing URL encoded session IDs by default.

If you can post an interesting link to a site, you can hijack the 
sessions of users with cookies disabled, and no one would be the wiser.

Does hotmail or yahoo use URL session IDs? E-mail someone a link to 
your site and hijack their e-mail account. In the scope of this attack, 
they'd have no way to tell that you stole it.

Also a good reason to use HTTPS.

Bob

On Monday, November 25, 2002, at 07:48 AM, zeno wrote:

Not to my knowledge. I guess the question would be why would you store 
the session ID in a user's URL? I suppose
people who are too lazy to learn about cookies and don't mind having 
the ID logged on the server side.


Not to mention it's *possible* that this ID can be saved by a web spider 
and archived. If using cookies to store
these IDs, you won't have to worry about this problem. (Unless there 
is a new super spider which logs cookies
that I am unaware of in production use?)

- zeno




Is there anything on CERT about the fact that URL encoded session IDs
get passed to referenced sites in the HTTP referer header?

Thanks,
Bob
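The attack the thread describes, harvesting session IDs from the Referer header that browsers send when a user follows a link off a site that rewrites URLs, can be reproduced against an ordinary access log. The script below is an added example written for this archive page; it is not code from any of the posters. It parses constructed Combined Log Format lines (the hosts, IDs and times are made up), pulls session identifiers out of the Referer field whether they sit in the query string (PHPSESSID=...) or in a servlet-style path parameter (;jsessionid=...), and groups them by the referring site. The parameter names in SESSION_PARAM_NAMES are an assumption about what to look for, not a complete list. The last function shows the server-side counterpart the thread argues for: resolve a session only from the Cookie header and never trust an ID carried in the URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: these are the parameter / path-parameter names to look for.
SESSION_PARAM_NAMES = ("jsessionid", "phpsessid", "sessionid", "sid")

# Constructed sample log, as the operator of the "interesting link" site would
# see it. Addresses, times and session values are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2002:06:59:01 -0800] "GET /interesting-link.html HTTP/1.0" 200 512 "http://mail.example.net/inbox.php?PHPSESSID=9f2c1a77e4b0d5c6&folder=inbox" "Mozilla/4.0"
198.51.100.23 - - [25/Nov/2002:07:02:15 -0800] "GET /interesting-link.html HTTP/1.0" 200 512 "http://shop.example.org/cart;jsessionid=A1B2C3D4E5F6G7H8?item=42" "Mozilla/4.0"
192.0.2.44 - - [25/Nov/2002:07:05:40 -0800] "GET /interesting-link.html HTTP/1.0" 200 512 "http://news.example.com/story/123" "Mozilla/4.0"
192.0.2.45 - - [25/Nov/2002:07:06:02 -0800] "GET /robots.txt HTTP/1.0" 200 28 "-" "Spider/1.0"
"""

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def extract_session_ids(url):
    """Return a list of (name, value) pairs for session IDs embedded in a URL.

    Two carriers are handled: a query-string parameter (?PHPSESSID=...) and a
    servlet-style path parameter on the last segment (/cart;jsessionid=...).
    urlsplit() leaves the ';name=value' part in .path, so it is scanned here.
    """
    parts = urlsplit(url)
    found = []
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAM_NAMES:
            found.extend((name, v) for v in values)
    for m in re.finditer(r';(?P<name>[A-Za-z_]+)=(?P<value>[^;/?#]+)', parts.path):
        if m.group("name").lower() in SESSION_PARAM_NAMES:
            found.append((m.group("name"), m.group("value")))
    return found


def harvest_from_referer_log(log_text):
    """Map each referring site to the session IDs its users leaked via Referer.

    This is the attacker's view: anyone who can read this log can replay the
    harvested IDs against the referring site while the sessions are alive.
    """
    leaked = {}
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        ids = extract_session_ids(referer)
        if ids:
            leaked.setdefault(urlsplit(referer).hostname, []).extend(ids)
    return leaked


def resolve_session(cookie_header, request_url):
    """Hardened server-side lookup: take the session ID from the Cookie header only.

    Returns (cookie_session_id or None, url_session_ids). The URL-carried IDs
    are reported so the application can log the attempt, but are never used to
    authenticate the request, so a leaked or archived URL is worthless on its own.
    """
    cookie_id = None
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.lower() in SESSION_PARAM_NAMES and value:
            cookie_id = value
    url_ids = [value for _, value in extract_session_ids(request_url)]
    return cookie_id, url_ids


if __name__ == "__main__":
    for site, ids in harvest_from_referer_log(SAMPLE_LOG).items():
        print(site, ids)
    print(resolve_session("JSESSIONID=abc123; theme=dark",
                          "http://shop.example.org/cart;jsessionid=A1B2C3D4E5F6G7H8"))
```

The harvesting half needs nothing more than read access to the third-party site's logs, which is exactly why a link is enough; the defensive half only works if the application server is configured not to rewrite URLs at all, since an ID that is merely ignored on one path can still be honoured by another.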



