WebApp Sec mailing list archives

RE: How to create (hijacking) secure HTTP sessions?


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 7 Jun 2006 14:37:01 -0500



> > Do not mix SSL sections with non-SSL sections.
>
> What do you mean by this?
>
> > Mark cookies "secure".
>
> Thanks for that point!

I believe he means don't mix encrypted and unencrypted
content in the same security domain.

Some folks take images and other high-overhead items
and *do not* encrypt them for performance reasons, but
keep them in the same FQDN/security zone/domain
e.g.--www.domain.com/ 

Problem is, if your session token is a cookie, or
anything else the browser automagically coughs up,
then a call to:

http://www.domain.com/non-SSL-speedy-content

Will potentially pass sensitive info in the clear,
like the user session token if token=cookie.

Marking cookies "secure" means that the browser
shouldn't pass them in the clear if a mistake like
this is made, but I haven't tested that on anything
but IE.

-ae
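The leak Arian describes can be reproduced without a browser. The following is an added example, not code from the original post or from any project mentioned in it: it drives Python's standard http.cookiejar, which implements the same rule browsers apply to the Secure attribute (a Secure cookie is only attached to https requests). The host www.domain.com and the /non-SSL-speedy-content path are taken from the post; the cookie name, value and the /login and /account paths are constructed for the demonstration.

```python
"""Show why an unflagged session cookie travels in the clear to non-SSL
content on a mixed host, and how the Secure attribute stops it.

Added example, not the original poster's code. www.domain.com and the
/non-SSL-speedy-content path come from the post; cookie names, values and
the other paths are constructed. Browser cookie-jar behaviour is simulated
with Python's http.cookiejar, which enforces Secure the same way.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response. CookieJar.extract_cookies()
    only needs .info(), returning an object that supports get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            # Message permits repeated header names, so each Set-Cookie is kept.
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, login_url, request_url):
    """Simulate the browser: cookies are set by a response to login_url,
    then report which of them would be attached to a request for
    request_url. Returns the Cookie header value, or '' if none is sent."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_headers), Request(login_url))
    req = Request(request_url)
    jar.add_cookie_header(req)  # applies the Secure / domain / path checks
    return req.get_header("Cookie", "")


# Constructed Set-Cookie headers, as a login response over https might emit them.
UNFLAGGED = ["sessionid=abc123; Path=/"]
FLAGGED = ["sessionid=abc123; Path=/; Secure; HttpOnly"]

LOGIN = "https://www.domain.com/login"                      # constructed path
CLEARTEXT_IMAGE = "http://www.domain.com/non-SSL-speedy-content"  # from the post
SSL_PAGE = "https://www.domain.com/account"                 # constructed path


def leaks_over_http(set_cookie_headers):
    """True if the session cookie would be sent in the clear to the
    non-SSL content hosted on the same FQDN."""
    return "sessionid=" in cookies_sent_to(set_cookie_headers, LOGIN, CLEARTEXT_IMAGE)


if __name__ == "__main__":
    for label, hdrs in (("unflagged", UNFLAGGED), ("Secure", FLAGGED)):
        print(f"{label:9s} -> http  request carries: "
              f"{cookies_sent_to(hdrs, LOGIN, CLEARTEXT_IMAGE)!r}")
        print(f"{label:9s} -> https request carries: "
              f"{cookies_sent_to(hdrs, LOGIN, SSL_PAGE)!r}")
```

Running it shows the unflagged cookie attached to the plain-http image request and the Secure cookie withheld from it, while both are still sent to the https page. The same check is useful against a real application: fetch a cleartext resource on the SSL host with a logged-in cookie jar and inspect the Cookie header that goes out.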




