WebApp Sec mailing list archives

Re: How can i protect against session hijacking?

From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Mon, 30 Mar 2009 08:07:59 -0400

I agree that XSS is the culprit here and IP tagging is a bad idea.

I think mutual SSL certificates still provide good mitigation for MiTMassuming the XSS payload is intended to leave a keylogger/spyware on thevictim machine.I agree in general that this is your last resort. If you have malwareinstalled on the victim machine you are done unless you authenticate thesession with information given to another channel such as SMS


Regards

Marco

----- Original Message -----From: "Martin O'Neal" <martin.oneal () corsaire com>To: "Marco M. Morana" <marco.m.morana () gmail com>; "Robin Wood"<dninja () gmail com>

Cc: "Tommy" <tommyrolworslin () fastmail fm>; <webappsec () securityfocus com>
Sent: Monday, March 30, 2009 7:14 AM
Subject: RE: How can i protect against session hijacking?

Remote IP spoofing at the network layer is more difficult...


Actually the IP restriction argument is a bit of a red halibut; if the
app has XSS, then the attacker can simply use the mobile code to run
their follow up attack from the victims own workstation.  The same goes
for the other recommendations on the list around using SSL with client
certificates etc; they don't fix the problem, which is the data
validation and encoding omissions that allowed the XSS.

Once you have an XSS that loses you the session ID you are already
screwed; anything else is just tinkering at the edges.

Martin...


----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
Registered in England No. 3338312. Registered office: Portland House,
Park Street, Bagshot, Surrey GU19 5PG.

Current thread:

How can i protect against session hijacking? Tommy (Mar 27)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 28)
  - Re: How can i protect against session hijacking? Robin Wood (Mar 30)
    - Re: How can i protect against session hijacking? Marco M. Morana (Mar 30)
- RE: How can i protect against session hijacking? Debasis Mohanty (Mar 31)
- <Possible follow-ups>
- RE: How can i protect against session hijacking? Martin O'Neal (Mar 28)
- RE: How can i protect against session hijacking? Brian Shura (Mar 28)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 30)
- RE: How can i protect against session hijacking? Martin O'Neal (Mar 30)