WebApp Sec mailing list archives

IIS 5.0 Session Hijacking Question


From: "Robin Fordham" <rfordham () bha com>
Date: Tue, 23 Sep 2003 08:04:13 -0500

Hi.
I hope this is the right place to direct this kind of question, if not
please let me know where I should direct it to. Thanks...

I recently participated in a web cast about web security and it mentioned
free tools available that allowed you to aggressively test your web apps.
The one that I am currently using is Paros 3.0.

I used it to successfully hijack a session on an app that I am building, but
only because I logged in twice, first as an administrator-type user and
second as a read-only user and so could see both session IDs, allowing me to
swap them around to perform the session hijack. Does this still mean my app
is not secure "enough"?

My main question is, is it possible for an intruder to be able to obtain a
list of session IDs present on the (Win2000sp4 - IIS5.0) server? Or would
they have to try brute force to guess the session ID? If brute force is the
only option, is it safe to say, based on the OWASP recommendations (which I have
been following religiously), that an application that bases its user
permissions on a session value is secure "enough"?

I am not using any hidden form fields or query string values to denote a
user's ID or permission level, only a session memory cookie. This is what I
believe to be the most secure way of managing sessions, as then the only way
to bypass this is to use a tool like Paros to intercept the data transmitted
and grab the session ID being sent from the browser's memory. The application
is running on an SSL encrypted connection so is it possible for an intruder
to still be able to see the data being transmitted using a tool like Paros?

My final question is relating to a suggestion by one of the security
professionals from the web cast who suggested that the only way to know if
data has been modified in transit, is to use a keyed hash function. However
I cannot work out how this would work. The thing I cannot understand is that
if a "normal" user uses the application, when they submit a form it WILL
come back looking different if they have entered/modified data. So I cannot
work out how the keyed hash function would be of any benefit in determining
if the data was tampered with or not.

I've been visiting OWASP regularly and have been very impressed with the
content. Learning about security has totally changed the way I develop and I
consider myself as being more knowledgeable than the average web developer.
It's just the few issues I have mentioned above which I am stuck on. I
realize that they are very specific questions and the nature of this discussion forum is
of a more generic nature, but if you could help answer some of them, or even
point me in the right direction to someone else that might be able to help,
it would be most appreciated.

Regards

Robin Fordham
Web Developer


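The keyed-hash point raised in the post is easiest to see in code. The following is an added example written for this archive page, not code from the original message, from Paros, or from OWASP. It assumes a form carrying two server-chosen hidden fields (`user_id`, `role`) plus a user-editable `comment`; those field names, the 32-byte key and the sample values are all constructed for the illustration. The MAC is computed only over the fields the server set, so the user editing `comment` does not invalidate it, while changing a hidden value (or the MAC, or dropping a field) does.

```python
import hashlib
import hmac
import secrets

# Constructed example key. A real deployment keeps this secret on the server
# (never in the page) and rotates it; every value below is illustrative only.
SERVER_KEY = secrets.token_bytes(32)

# Fields the server chose and the client must not be able to change.
# User-editable fields (e.g. a free-text comment) are deliberately not listed,
# which is why legitimate edits never break the check.
PROTECTED_FIELDS = ("user_id", "role")


def _canonical(fields):
    """Encode the protected fields unambiguously (fixed order, length-prefixed)
    so that user_id='1', role='2admin' cannot collide with user_id='12', role='admin'."""
    out = []
    for name in PROTECTED_FIELDS:
        value = str(fields[name]).encode()  # KeyError if a protected field is missing
        out.append(f"{len(name)}:{name}{len(value)}:".encode() + value)
    return b"".join(out)


def sign_fields(fields, key=SERVER_KEY):
    """HMAC-SHA256 over the protected fields only."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def render_form(user_id, role, key=SERVER_KEY):
    """What the server emits as hidden fields when it builds the form."""
    hidden = {"user_id": str(user_id), "role": role}
    hidden["mac"] = sign_fields(hidden, key)
    return hidden


def verify_submission(submitted, key=SERVER_KEY):
    """On POST: recompute the MAC from the submitted protected fields and compare
    in constant time. Editable fields can change freely; protected ones cannot."""
    try:
        expected = sign_fields(submitted, key)
    except KeyError:
        return False  # a protected field was dropped from the submission
    return hmac.compare_digest(expected, str(submitted.get("mac", "")))


def demo():
    """Run the four cases the post is asking about and return the verdicts."""
    form = render_form(42, "readonly")

    # Legitimate use: the user fills in the editable field and submits.
    legit = dict(form, comment="please review my report")
    # Tampering: the hidden role is edited with an intercepting proxy.
    tampered = dict(form, role="admin", comment="please review my report")
    # Tampering with the MAC itself (no key, so a guessed MAC is useless).
    bad_mac = dict(form, mac="0" * 64)
    # Dropping a protected field altogether.
    dropped = {k: v for k, v in form.items() if k != "role"}

    return {
        "legit": verify_submission(legit),
        "tampered": verify_submission(tampered),
        "bad_mac": verify_submission(bad_mac),
        "dropped": verify_submission(dropped),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'tampered': False, 'bad_mac': False, 'dropped': False}
```

Two points follow from the code. First, the MAC gives integrity only: anyone with the page can read the hidden values, so it does not hide them, and a MAC captured from one user's form would verify for another user unless the session ID (or user ID) is included among the protected fields, as it is here. Second, an application that keeps the user's identity and permission level purely in server-side session state, as the post describes, has nothing in the form that needs this protection; the keyed hash is for the case where server-chosen state has to round-trip through the client.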

