Session Hijacking Security
- From: 11ack3r <11ack3r@xxxxxxxxx>
- Date: Wed, 16 Apr 2008 16:57:34 +0530
Hi Guys,

Thanks for your answers to my earlier post. I saw & tested how easy it was to capture cookies over the network and hijack sessions.

Now what's the countermeasure? Sites like yahoo.com or any from the whole lot don't use HTTPS after authentication. Is there any other technique apart from HTTPS that they can use to ensure session hijacking is thwarted?

How about sending one-time cookies that are encrypted? Encryption will ensure confidentiality and one-timeness would mitigate replay attacks.

Is anyone aware of any non-HTTPS implementation that is more secure, if not completely secure?

Thanks a ton
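As an added illustration (not code from the original post or from any site it names), here is the one-time cookie idea as a server would implement it: every request spends its cookie and receives a fresh one, and a cookie presented a second time exposes the replay. The in-memory store, the session and token names, and the status strings are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    current_token: str                        # the only token the next request may carry
    spent: set = field(default_factory=set)   # tokens that have already been used once
    revoked: bool = False

class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> Session (hypothetical in-memory store)
        self.owner = {}      # every token ever issued -> session id, so replays are recognised

    def _issue(self, sid):
        tok = secrets.token_urlsafe(32)   # opaque random value: there is nothing to decrypt
        self.owner[tok] = sid
        self.sessions[sid].current_token = tok
        return tok
    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user, current_token="")
        return self._issue(sid)

    def handle_request(self, token):
        """Return (status, next_cookie); only 'ok' rotates the cookie and serves the request."""
        sid = self.owner.get(token)
        if sid is None:
            return ("rejected", None)
        s = self.sessions[sid]
        if s.revoked:
            return ("rejected", None)
        if token in s.spent:
            # Same token seen twice: two parties hold it (the real client and whoever
            # captured it) and the server cannot tell them apart, so end the session.
            s.revoked = True
            return ("revoked", None)
        s.spent.add(token)
        return ("ok", self._issue(sid))

def simulate_replay():
    """Client logs in and makes one request; a captured copy of the first cookie is replayed."""
    store = SessionStore()
    c1 = store.login("alice")
    _, c2 = store.handle_request(c1)      # legitimate request, cookie rotates to c2
    replay = store.handle_request(c1)     # replayed c1: already spent -> session revoked
    client = store.handle_request(c2)     # the real client is now locked out too
    return replay[0], client[0]           # returns ('revoked', 'rejected')
```

This also shows the limit of the scheme: the server can detect that a token was reused but not which holder is the eavesdropper, so a replay (or an attacker racing ahead of the user) ends the legitimate session as well. Rotation turns a silent hijack into a detectable event; only encrypting the transport (HTTPS) stops the capture itself.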