WebApp Sec mailing list archives

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"


From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Tue, 21 Dec 2004 08:37:47 -0500


On Monday 20 December 2004 12:17 pm, Elihu Smails wrote:
I agree with the comments that there is a problem on
the development end that session management is
lacking.  I am a developer, I can say this.:)
Sessions should track the remote IP address of the
client at a minimum, so that this problem could go
away.  Many programs that I have written have custom
session management that track not only client IP, but
browser, any certificate info and username.  I will
agree that any of this information is
obtainable/spoofable; it is not in the context of most
web application security issues such as Session
Riding.


Much discussion has been given in this list about tracking a client IP as a 
method of verifying credentials.  It has been determined by the list that 
this is generally a poor practice, often used to cover up other real 
application vulnerabilities.  The problem with it is that some services, such
as AOL, use multiple proxy servers for their clients, causing a single
client's session to span multiple IPs, and it cannot be conclusively
determined that these IPs are even in the same subnets all the time.  It
also does not cover anyone who is on a network that uses NAT as multiple 
persons will have the same IP address (especially a corporate network).  
Search the archives, and use more appropriate session management techniques.



--- Thomas Schreiber <ts () securenet de> wrote:
Hello,

I would like to point you to a whitepaper just
released:

SESSION RIDING - A Widespread Vulnerability in
Today's Web Applications
http://www.securenet.de/papers/Session_Riding.pdf

----------
Abstract:

In this paper we describe an issue that was raised
in 2001 under the name of Cross-Site Request
Forgeries (CSRF). It seems, though, that it has been
neglected by the community, as it is not part of
recent Web Application Security discussions, nor is
it mentioned in OWASP's Top Ten or the like. After
having frequently observed this vulnerability in our
Web Application Security assessments of custom Web
applications, we started to examine various public
Web applications and other browser-based
applications:

—   popular (commercial) Web sites
—   popular browser-based console applications such as
administration tools for databases, servers, etc.
—   browser-based administration clients of hardware
devices
—   webmail sites and open source and commercial
webmail solutions

We have found out that this vulnerability is present
in many of those sites, services and products, some
of which perform sensitive tasks. Actually, the list
of affected companies contains well-known big
players. Our analysis has led us to the conclusion
that this vulnerability is the most widespread one
in today's Web applications right after Cross-Site
Scripting (XSS). Even worse, in some scenarios it
has to be considered much more dangerous than XSS.

We feel that a concise description of this issue is
necessary, along with a description of scenarios
that highlight the danger to all browser-based
applications that do not provide appropriate
countermeasures, be it Intranet, Internet or console
applications. In this paper, we explain this
vulnerability in depth, show that it may be used
unnoticed by the victim, describe potential threats,
and finally give hints on how to make Web
applications safe from such attacks.

We prefer to call this issue Session Riding which
more figuratively illustrates what is going on.
----------

Feedback is very welcome - especially regarding our
rating/experience as one of the most widespread
vulnerabilities today.

Thomas Schreiber

____________________________________________________________

SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts () securenet de

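Added example, not from the thread or from the SecureNet paper: a toy Python model of a session-handling web application that contrasts the IP binding Elihu suggests with a per-session form token, showing why a forged request riding on the victim's browser passes the IP check but not the token check, and why the IP check wrongly rejects a real user whose proxy address changes as Joseph describes. The App class, the addresses and the user names are all constructed for this illustration.

```python
import secrets

class App:
    """Toy web app with cookie sessions and a single state-changing action."""

    def __init__(self, bind_ip=False, require_token=False):
        self.bind_ip = bind_ip              # Elihu's suggestion: tie the session to the client IP
        self.require_token = require_token  # per-session secret that forms must echo back
        self.sessions = {}                  # session id -> {"user", "ip", "token"}
        self.transfers = []

    def login(self, user, ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": ip, "token": secrets.token_hex(16)}
        return sid

    def form_token(self, sid):
        """Token a legitimately served page would embed in its transfer form."""
        return self.sessions[sid]["token"]

    def transfer(self, cookies, ip, form):
        sess = self.sessions.get(cookies.get("sid"))
        if sess is None:
            return "401 no session"
        if self.bind_ip and sess["ip"] != ip:
            return "403 ip mismatch"
        if self.require_token and form.get("token") != sess["token"]:
            return "403 missing or wrong token"
        self.transfers.append((sess["user"], form["to"], form["amount"]))
        return "200 ok"

VICTIM_IP = "203.0.113.7"   # constructed addresses
PROXY_IP = "198.51.100.9"

def session_riding(app):
    """The victim is logged in; a page from elsewhere makes the victim's browser
    submit the transfer form. The browser attaches the victim's cookie, and the
    request leaves from the victim's own IP, so IP binding sees nothing wrong."""
    sid = app.login("victim", VICTIM_IP)
    forged = {"to": "mallory", "amount": 1000}   # the forging page cannot read the token
    return app.transfer({"sid": sid}, VICTIM_IP, forged)

def legitimate_via_changing_proxy(app):
    """The real user logs in through one proxy and submits through another, as
    Joseph describes for AOL; the form carries the token from the served page."""
    sid = app.login("alice", VICTIM_IP)
    form = {"to": "bob", "amount": 50, "token": app.form_token(sid)}
    return app.transfer({"sid": sid}, PROXY_IP, form)
```

Binding to the IP accepts the ridden request and rejects the genuine one; the per-session token does the reverse.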

