WebApp Sec mailing list archives

RE: How can i protect against session hijacking?


From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Thu, 2 Apr 2009 21:42:25 +0530

Not sure if I have understood you correctly or I am a bit off here; can you
explain what you mean by "simply gaining control of, or being able to generate,
the session token (which is clearly a form of session hijacking)"?

I failed to understand here how someone can simply gain control over the
session without relying upon any other attack?

Regarding "generate, the session token" - if the session is guessable or
can be generated by session pattern analysis then it is a clear case of a weak
session issue. Isn't a weak (or predictable) session issue different
from session hijacking? In other words, here session hijacking is possible
provided the adverse user is successfully able to guess/predict the
sessions.

-d




________________________________________
From: David Scholefield [mailto:david () port80 com] 
Sent: 02 April 2009 13:55
To: Debasis Mohanty
Cc: 'Tommy'; webappsec () securityfocus com
Subject: Re: How can i protect against session hijacking?


On 30 Mar 2009, at 21:18, Debasis Mohanty wrote:


Session hijacking is not a vulnerability by itself; a malicious user has to rely
upon other vulnerabilities like XSS and related attacks to gain access to the
victim's session.

This isn't really accurate in my opinion - consider the case when a session
token is used as the only identification and authentication mechanism that
controls access to protected resources. In this instance, simply gaining
control of, or being able to generate, the session token (which is clearly a
form of session hijacking) will lead to data compromise without any other
form of attack. This is sometimes achievable by simply manually creating
a token within an HTTP request.

Session hijacking - on its own - is a serious vulnerability that may require
no other vulnerability to enable exploitation to take place.

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com

Security in a connected world
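The distinction the thread draws between a weak (guessable) token and hijacking proper is something a defender can test for directly. As an added example that is not from either poster, here is a constructed predictable token generator beside one built on Python's `secrets` module, with a small assessment function that flags the patterns the thread calls "session pattern analysis" (constant positions, sequential values, low sampled entropy); the class and function names are my own.

```python
import math
import secrets
from collections import Counter

class WeakSessionStore:
    """Constructed 'weak session' case: zero-padded counter, so the next
    token is predictable from any one observed token."""
    def __init__(self, start=1000):
        self._counter = start
    def new_token(self):
        self._counter += 1
        return f"{self._counter:08d}"

class StrongSessionStore:
    """32 bytes from the OS CSPRNG: 256 bits of entropy, 43 url-safe chars."""
    def new_token(self):
        return secrets.token_urlsafe(32)

def assess_tokens(tokens):
    """Rank how guessable a sample of fixed-width tokens is.

    estimated_bits sums per-position Shannon entropy seen in the sample;
    it is capped at log2(len(tokens)) per position, so it ranks generators
    rather than measuring true entropy. sequential is True when tokens are
    decimal integers that each increase by exactly one.
    """
    n = len(tokens)
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must be fixed-width")
    bits, constant = 0.0, 0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        if len(counts) == 1:
            constant += 1  # never changes: nothing to guess here
            continue
        bits -= sum(c / n * math.log2(c / n) for c in counts.values())
    sequential = all(t.isdigit() for t in tokens) and all(
        int(b) - int(a) == 1 for a, b in zip(tokens, tokens[1:]))
    return {"samples": n, "constant_positions": constant,
            "estimated_bits": round(bits, 1), "sequential": sequential}

if __name__ == "__main__":
    for store in (WeakSessionStore(), StrongSessionStore()):
        print(type(store).__name__,
              assess_tokens([store.new_token() for _ in range(64)]))
```

Run the assessment against a few dozen tokens issued by the application under review; a sequential flag or a low bit estimate is the "weak session" finding the thread describes, and the fix is the CSPRNG-backed generator shown.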