WebApp Sec mailing list archives
Re: Maia Mailgaurd http://www.renaissoft.com/maia/
From: Chuck <chuck.lists () gmail com>
Date: Wed, 20 Jul 2005 16:16:32 -0400
Responses below....
!! > In short, it is much simpler to steal session ids from cookies than from !! > URL, exceptions see below. !! !! No, they are both easy. "both easy" disagreed, explanation see below
....
In 90% or more of cases XSS is present in a transient form, that is you have to pass the stealing-code in a link (in an email or another website) to the user.
Okay, that makes sense. I was thinking of stored XSS, but you are correct that putting the session ID in the URL makes reflected XSS difficult. You may be able to do it along with session fixation, but it would depend on the application as to how well it would work. Of course, ideally the application won't have any XSS in it in the first place.
Other pro-URL-rewriting arguments: - perhaps the second top most vulnerability after XSS in web applications today is Session Riding (aka CSRF, aka web trojan, see http://www.securenet.de/papers/Session_Riding.pdf) URL rewriting is safe against Session Riding. With cookies you have to take further measures.
I agree that CSRF is a common problem, but there are other ways to solve the problem that don't require URL-rewriting. Basically, include a random value in a hidden field of each form and when the form is submitted, if that value does not match what it should be, the submission is ignored. You could probably use the session ID instead of a random value, that may be a little easier to implement.
- Session Fixation, although not generelly impossible with URL rewriting, is much more often encountered with cookie-based session management.
I think that session fixation is much easier with the session ID in the URL. For example, if I want a user to use session id 1234, I can easily send them a link to https://vulnerable.tld/appl.cgi;sid=1234 while it is more difficult to set a cookie on the victim's browser for the domain vulnerable.tld. Maybe there is something I am missing here.
Of course, there are disadvantages of URL rewriting and it depends on the application: - application has to ensure that the session ID is not within other links - application has to ensure that the page does not contain links to external websites 'cause it then will send the session ID in the refer(r)er header
I would add the three I mentioned previously: - Session ID may be logged in proxy, etc - User may send URL with Session ID to someone - User may expose Session ID to others on screen / screenshots (shoulder surfing)
But in general I tend to recommend URL rewriting over cookies. Best, of course, is to use both: the session ID inside a cookie and an additional secret inside the URL. But this is much more expensive as it is not automatically handeled by todays libs and frameworks.
I'd say that each has its own pluses and minuses. I agree that using two different session IDs in the URL and in a cookie would be best, hopefully frameworks will support that easily soon. In response to someone else that mentioned that another option is to use a hidden form field as a session ID. That has merits, but I am not sure I like having every click in the application be a form submission. Have a good one. Chuck
Current thread:
- Maia Mailgaurd http://www.renaissoft.com/maia/ Christopher Canova (Jul 16)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- RE: Maia Mailgaurd http://www.renaissoft.com/maia/ Guillaume Vissian (Jul 18)
- PHP Session ID's focus (Jul 19)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 21)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Andy bentley (Jul 18)