WebApp Sec mailing list archives
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"
From: Ben Timby <asp () webexc com>
Date: Mon, 20 Dec 2004 14:34:40 -0500
Comments below. Noah Gray wrote:
While agreeing with much of the paper, I feel that there are two mitigating factors not stronly enough reinforced: 1) Most sites use some form of Session Expiration. The whole of this paper assumes the when the user is attacked, they are still logged in, and have a valid session cookie intact. In reality, this attack is only useful while a user is logged in, and shortly thereafter. Which, while being very plausible in intranet application, is unlikely in internet applications, except in focused attacks.
You are correct, this is why expiration is important.
2) Less secure sites often allow for persistent cookie 'auto-login' features. These sites are particularly vulnerable to this attack. However, many of these still redirect the user through the login page, then redirect to a 'start' page, rather than the requested page. This effectively strips malicious commands. Further, in the case of eBay, which is not so clearly named in the paper, that DO have an auto-login feature (My eBay), still require entering a password to bid.
Yes, however, using a method described in this paper, when attacking such a site (that does not require a password like ebay, but does provide login/redirect as you describe). An attacker could simply send the request twice, with a timeout between the two, the first to initiate the session, and be redirected, and the second to carry out the wanted command on the target app.
In the case of ebay, the user could be "phished" into entering their password (could be done the "natural" way, by allowing the target app to do this, or could be "enhanced" using javascript and/or XMLHTTP objects), which mitigates but does not eliminate the risk.
Other than that, this is very plausible attack that I would agree hasn't received enough attention. I would also add that in the case of the img tag in the email, an iframe could also be used, similar to recent viruses. It needn't even be visible.
I agree w/ you completely.
Current thread:
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Noah Gray (Dec 20)
- RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Thomas Schreiber (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Ben Timby (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications" Florian Weimer (Dec 23)