Re: Re: Cookie Security
- From: ellukicq@xxxxxxxxxxx
- Date: 29 Apr 2008 15:33:13 -0000
Hi Audrius,
XSS would definatley leave the suggested method wide open.
Although, you could say that about any method...
With XSS available to an attacker, whatever means I use to manage the session will be weak. even over https. no?
Your suggestion of returning a new SessionID for each request seems reasonable, in fact it's pretty much what I suggested towards the end of my post.
Even so, the token could still be sniffed and used by another client up until the legitimate user requests a page again.
In some cases, this may not happen due to an attackers actions. For example on a switched network, the very same method used to sniff the SessionID could be used to stop any further request from the "real" client... session stolen.
At the very least, this method would leave the application open to denial of service if an attacker can sniff session ID's.
Using client information (Screen res, color depth, flash e.tc.) to help confirm session seems weak. This info is obtained from the client isn't it?
Nothing to stop this being sniffed and spoofed also.
Are there any methods you know of that are able to work around these issues?
I can't imagine any session system will be safe with XSS available to an attacker, so perhaps the best thing to do is go ahead with the suggested method, and take extra care around XSS holes.
I know SSL is the "real" solution, but I wondered if anyone has attempted to secure this common system at an application level. perhaps not. if so thats fine.
Any input you can give would be great.
Thanks.
EL
- Prev by Date: RE: Few interesting topics in Network Security please.
- Next by Date: SAP information sniffing - need help
- Previous by thread: Re: Cookie Security
- Next by thread: Re: Re: Cookie Security
- Index(es):
Relevant Pages
|
