WebApp Sec mailing list archives
RE: Session ID Abuse
From: "Kris Wilkinson" <kris () Titan-Networks ca>
Date: Fri, 13 Feb 2004 08:47:14 -0700
1. Another user to change the session information on the server and change access from read only to write (by knowing the session id)?
This depends entirely on how you're setting up your application. If you're going to plant sessions permanently on machines, I think you're looking at major security issues ... depending on how you're setting it up. Are you storing the unique session id in a cookie on the local machine? I would recommend creating a login sequence which creates a unique session id every time a user logs in. If you're looking for both read/write access, then have the page on refresh head back to a temporary login prompt which asks for a username and password to authenticate.

2. Knowing the session id (perhaps from info on the URL) can one create another session from another browser using the same session ID?

Never store your session id anywhere that a user can find easily.

3. How can you effectively limit concurrent access to only 1 session?

When the user logs in, grab his IP address and store this value in an adjacent table column. I.e. ... when the user is authenticated to access the page, verify the IP address against the session id in your database. It's only a small solution to your problem, but it's a step in the right direction.

4. If client side certificates were to be used, could you create another session from another browser once the first session was authenticated? i.e., how do you restrict the access to only one browser?

Back to your session setup ... what type of session are you talking about?

5. If you are using server side validation for all user invoked queries, is it still possible to force data into the application to elevate your role? Assume that user roles are clearly defined in the db.

I believe you're talking about an Injection Attack? You need to make sure all data being sent to your database is verified prior to even running the query.

6. If a user with high privileges (such as write to db) leaves a workstation unattended with no session timeout, are there any controls that one could put in place to still validate the user is the privileged user after a period of time? For example, keep the session active, but to make any changes the application must validate information on a USB key?

It takes 2 seconds for a user to log in again ... just force them to enter their username and password.

7. How do you choose between session IDs tagged in URL, and session IDs in cookies? How do you restrict the information in either URL or cookie so that users can't use this info to abuse the application?

You have them expire.

Thanks
Johnny
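The controls suggested in the reply above (a fresh server-generated id on every login, one live session per user with the login IP recorded beside it, an idle expiry, and a password re-prompt before write access) can be sketched as one small session table. The following is an added Python example written for this archive page; it is not code from the thread or from any participant. The in-memory store, the constructed user `alice`, her password, the salt, and the timeout constants are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60   # seconds without a request before a session expires (point 7)
WRITE_WINDOW = 5 * 60    # seconds a re-authenticated write grant stays valid (point 6)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store for the example: username -> (salt, PBKDF2 hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


@dataclass
class Session:
    user: str
    client_ip: str      # address seen at login, checked on every request (point 3)
    last_seen: float
    write_until: float = 0.0   # 0 means the session is read-only


class SessionStore:
    """In-memory session table keyed by an unguessable, server-generated id."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def _check_password(self, user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def login(self, user: str, password: str, client_ip: str, now=None):
        """Authenticate and return a brand-new session id, or None on failure."""
        now = time.time() if now is None else now
        if not self._check_password(user, password):
            return None
        # Point 3: only one active session per user; earlier ones are dropped.
        for sid, s in list(self._sessions.items()):
            if s.user == user:
                del self._sessions[sid]
        # Point 1: a new random id on every login, never derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, now)
        return sid

    def validate(self, sid: str, client_ip: str, now=None):
        """Return the Session if sid is live and bound to this client, else None."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:   # point 7: idle sessions expire
            del self._sessions[sid]
            return None
        if s.client_ip != client_ip:           # point 3: IP must match the login IP
            return None
        s.last_seen = now
        return s

    def elevate(self, sid: str, password: str, client_ip: str, now=None) -> bool:
        """Point 6: re-enter the password to unlock write access for a short window."""
        now = time.time() if now is None else now
        s = self.validate(sid, client_ip, now)
        if s is None or not self._check_password(s.user, password):
            return False
        s.write_until = now + WRITE_WINDOW
        return True

    def can_write(self, sid: str, client_ip: str, now=None) -> bool:
        """True only for a valid session whose write grant has not lapsed."""
        now = time.time() if now is None else now
        s = self.validate(sid, client_ip, now)
        return s is not None and s.write_until > now


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "correct horse", "10.0.0.5")
    print("read ok:", store.validate(sid, "10.0.0.5") is not None)
    print("write before re-auth:", store.can_write(sid, "10.0.0.5"))
    store.elevate(sid, "correct horse", "10.0.0.5")
    print("write after re-auth:", store.can_write(sid, "10.0.0.5"))
```

The `now` parameter exists so the expiry logic can be exercised deterministically. The IP check reflects the reply's own caveat that it is only a partial measure: clients behind a shared NAT present the same address, and clients whose address changes mid-session are locked out, so the re-authentication step and the idle expiry carry most of the weight.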
Current thread:
- Session ID Abuse Johnny GoLightly (Feb 13)
- Re: Session ID Abuse Paul (Feb 15)
- Re: Session ID Abuse lists AT dawes DOT za DOT net (Feb 15)
- <Possible follow-ups>
- session id abuse Johnny GoLightly (Feb 13)
- Re: session id abuse npguy (Feb 15)
- Re: session id abuse hans (Feb 15)
- RE: Session ID Abuse Kris Wilkinson (Feb 15)
- Re: Session ID Abuse Steve Shah (Feb 15)