WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Mon, 30 Mar 2009 08:07:59 -0400
I agree that XSS is the culprit here and IP tagging is a bad idea. I think mutual SSL certificates still provide good mitigation for MiTM, assuming the XSS payload is intended to leave a keylogger/spyware on the victim machine. I agree in general that this is your last resort. If you have malware installed on the victim machine you are done, unless you authenticate the session with information given to another channel such as SMS.
Regards
Marco

----- Original Message -----
From: "Martin O'Neal" <martin.oneal () corsaire com>
To: "Marco M. Morana" <marco.m.morana () gmail com>; "Robin Wood" <dninja () gmail com>
Cc: "Tommy" <tommyrolworslin () fastmail fm>; <webappsec () securityfocus com>
Sent: Monday, March 30, 2009 7:14 AM
Subject: RE: How can i protect against session hijacking?
Remote IP spoofing at the network layer is more difficult...
Actually the IP restriction argument is a bit of a red halibut; if the app has XSS, then the attacker can simply use the mobile code to run their follow-up attack from the victim's own workstation. The same goes for the other recommendations on the list around using SSL with client certificates etc.; they don't fix the problem, which is the data validation and encoding omissions that allowed the XSS. Once you have an XSS that loses you the session ID you are already screwed; anything else is just tinkering at the edges.

Martin...
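To make Martin's point concrete, here is an added example (not code from anyone on the thread) of the "IP tagging" control under discussion: a constructed in-memory session store that records the client address at login and rejects any later request from a different address. The check stops a bare cookie replay from another host, but a request driven from the victim's own workstation arrives from the bound address and passes, which is why the control does not address the XSS itself; the cookie attributes shown are the assumed server-side setting that at least keeps the session ID out of script reach.

```python
"""Session IP binding and its limit (constructed example for this thread)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    bound_ip: str  # client address recorded at login ("IP tagging")


SESSIONS: dict = {}


def login(user: str, client_ip: str) -> str:
    """Create a session bound to the address the login came from."""
    sid = secrets.token_urlsafe(32)  # unguessable session ID
    SESSIONS[sid] = Session(user=user, bound_ip=client_ip)
    return sid


def validate(sid: str, client_ip: str) -> Optional[str]:
    """Return the user for a valid session, or None if unknown or the
    request comes from an address other than the one bound at login."""
    session = SESSIONS.get(sid)
    if session is None or session.bound_ip != client_ip:
        return None
    return session.user


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID. HttpOnly keeps document.cookie
    from reading it, so injected script cannot simply copy the ID out;
    Secure keeps it off plaintext connections. Neither stops script from
    issuing requests that carry the cookie automatically."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    victim_ip, other_ip = "203.0.113.10", "198.51.100.7"  # constructed
    sid = login("alice", victim_ip)
    print("replay from another host:", validate(sid, other_ip))  # None
    print("request from victim's own workstation:", validate(sid, victim_ip))
    print(session_cookie_header(sid))
```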