WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Mon, 30 Mar 2009 12:14:41 +0100
> Remote IP spoofing at the network layer is more difficult...
Actually the IP restriction argument is a bit of a red halibut; if the app has XSS, then the attacker can simply use the mobile code to run their follow-up attack from the victim's own workstation. The same goes for the other recommendations on the list around using SSL with client certificates etc.; they don't fix the problem, which is the data validation and encoding omissions that allowed the XSS. Once you have an XSS that loses you the session ID you are already screwed; anything else is just tinkering at the edges.

Martin...
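An added illustration of the point above (example code written for this archive page, not code from the original post or its author): the actual fix is input validation and output encoding at the point where untrusted data is rendered. The unsafe and safe renderers, the whitelist pattern and the constructed sample input are all assumptions made for this example; any IP or certificate check layered around the unsafe renderer would leave its output unchanged.

```python
import re

# Constructed sample input standing in for a request parameter the user controls.
# It attempts to close a quoted attribute and start a script element.
SAMPLE_INPUT = '"><script>x()</script>'

# Input validation: fields with a known shape get a tight whitelist. A failed
# check rejects the request before the value reaches any template.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value: str) -> bool:
    """Return True only for values matching the whitelist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Output encoding for the HTML text and double-quoted attribute contexts:
# the five characters that can change meaning in those contexts are encoded.
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_html(value: str) -> str:
    """Encode a string so it renders as literal text in HTML text/attribute contexts."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in value)


def render_profile_unsafe(display_name: str) -> str:
    """Vulnerable form: untrusted data is dropped straight into the markup."""
    return f'<p>Welcome, <span title="{display_name}">{display_name}</span></p>'


def render_profile_safe(display_name: str) -> str:
    """Hardened form: the same template, but the data is encoded for its context first."""
    safe = encode_html(display_name)
    return f'<p>Welcome, <span title="{safe}">{safe}</span></p>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used here to show whether rendered output carries an active script element."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("valid username?", validate_username(SAMPLE_INPUT))
    print("unsafe:", render_profile_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_profile_safe(SAMPLE_INPUT))
```

Run as a script, it shows the sample input failing validation, the unsafe renderer emitting a live script element, and the safe renderer emitting the same characters as inert text; the session cookie is only protected in the third case.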
Current thread:
- How can i protect against session hijacking? Tommy (Mar 27)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 28)
- Re: How can i protect against session hijacking? Robin Wood (Mar 30)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 30)
- Re: How can i protect against session hijacking? Robin Wood (Mar 30)
- RE: How can i protect against session hijacking? Debasis Mohanty (Mar 31)
- <Possible follow-ups>
- RE: How can i protect against session hijacking? Martin O'Neal (Mar 28)
- RE: How can i protect against session hijacking? Brian Shura (Mar 28)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 30)
- RE: How can i protect against session hijacking? Martin O'Neal (Mar 30)
- Re: How can i protect against session hijacking? Marco M. Morana (Mar 28)