WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: "Ivan Ristic" <ivan.ristic () gmail com>
Date: Sat, 3 Jun 2006 08:49:04 +0100
On 6/1/06, Michael Decker <MDecker () tesis de> wrote:
Hi! I tried to figure out, how to create HTTP session, that are not so easy to hijack. So I think about that mechanisms: * Using HTTPs * Randomize HTTP session IDs * Only create HTTP session ID after login * HTTP session ID joined with IP and SSL session ID * Block all session ID usings, that do'nt match IP and SSL session ID * Set HTTP session timeout * Expire HTTP session after logout
You've missed two mechanisms that work 100%: * Use private client certificates and attach certificates to session IDs. * Use Digest for authentication. (Yes, I know, not very likely.) You can also add: * Session inactivity timeout.
* Only create HTTP session ID after login
This should be "Re-generate session IDs after authentication takes place". In many situations you will need to have a proper session even before authentication, if not for anything else then for tracking purposes.
Is that all? Is there any mechanism, that isn't a good idea? ... * Using HTTPs
Do not mix SSL sections with non-SSL sections. Mark cookies "secure".
* Randomize HTTP session IDs
But they should also be long, not start repeating too fast, and not based (only) on the information also known to the attacker (e.g. IP address).
* HTTP session ID joined with IP and SSL session ID
Here you need to have in mind that there's nothing in the spec to say the browser must continue to use the same SSL session throughout the application session. So while this works in some circumstances it doesn't in many others.
* Block all session ID usings, that do'nt match IP and SSL session ID
Depending on where your users are you may realise their IP address will change during the session (if they are using a proxy or ISDN to connect to the Internet). It's probably better to use the User-Agent field but that does not protect you from a determined attacker (who can spoof it). PI prefer to only log the violations of the changes to the IP address and the User-Agent field. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive and consolidated remediation task lists at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Adam Tuliper (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Ivan Ristic (Jun 03)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? Nathan Keltner (Jun 08)
- Re: How to create (hijacking) secure HTTP sessions? Michael Decker (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Rogan Dawes (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? ascii (Jun 07)
- Re: How to create (hijacking) secure HTTP sessions? stefano (Jun 05)
- Re: How to create (hijacking) secure HTTP sessions? Robin Wood (Jun 04)
- Re: How to create (hijacking) secure HTTP sessions? Jason Muskat (Jun 02)
- <Possible follow-ups>
- RE: How to create (hijacking) secure HTTP sessions? Evans, Arian (Jun 08)
- RE: How to create (hijacking) secure HTTP sessions? Evans, Arian (Jun 08)