WebApp Sec mailing list archives
Regeneration of Session Tokens (from the OWASP Guide)
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Mon, 1 May 2006 05:28:53 -0700 (PDT)
In the great OWASP guide there's a sub-topic on session management, and it goes like:

" ... To reduce the risk from session hijacking and brute force attacks, the HTTP server can seamlessly expire and regenerate tokens. This shortens the window of opportunity for a replay or brute force attack. ... How to protect yourself: This control is suited for highly protected sites. Token regeneration should be performed: prior to any significant transaction ... "

I'm aware that in the guide, regenerating the session id is meant to solve another problem: "to shorten the window of opportunity for a replay or brute force attack". But I just wanted to share this:

If I understand the word "prior" correctly, this may result in another way to steal session ids in an XSS-vulnerable application. If the attack code can't get the cookie via "document.cookie" (HttpOnly), it may use XST. If the attack code can't get the cookie via XST (TRACE closed on servers and on proxies), then it may employ an (XMLHTTPRequest) GET request with a "significant action form" as the target URL. Then the application returns the new session id prior to the significant action and the attack code grabs the session id.

So, alternatively, we may regenerate the session id "immediately after" the critical action for which another password is being asked in the "critical action form".

-pilon
Current thread:
- Regeneration of Session Tokens (from the OWASP Guide) Pilon Mntry (May 01)
- RE: Regeneration of Session Tokens (from the OWASP Guide) M. Burnett (May 03)
- RE: Regeneration of Session Tokens (from the OWASP Guide) Pilon Mntry (May 03)
- RE: Regeneration of Session Tokens (from the OWASP Guide) M. Burnett (May 03)