Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ASP authentication

from [Cedric Blancher] Network Security [Permanent Link]
Subject: Re: ASP authentication
Date: Thu, 26 Aug 2004 10:34:48 +0200 
Le mar 24/08/2004 à 16:12, Bénoni MARTIN a écrit :

Googling around, I saw a couple of ways to meet my needs, but all seem to be 
weak:
-  I can set a hidden field where I can say "yes, he is authenticated"
or "no, he is not", but anyone a little bit skilled can create a fake
request having this set up by hand (with a proxy ! ),


True.
Never forget that this kind of info is visible to client, and can be
modified/added at will.


-  I can check a session number or smth like that on each page...but
this does not seem very reliable,


It is the most used technic to maintain session. For each page, you
calculate a hash from different user and session specific informations
such as login, IP, date, random value, etc. Then you put this as a
cooky. On next page, you check the cooky, and, if verified, you set
another and go on. One time cooky... And if cooky's are not supported by
client, put this value within URL links.

Maybe it will be more efficient and simple to use builtin ASP session
management that seems to do its job quite well :

        http://www.w3schools.com/asp/asp_sessions.asp



-  I can check IP adress...but when you use AOL for instance, IP
adresses can change !


2 clients between the same address. The first one authenticates and the
second one can log automaticly...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: tcp port 999, Gary H. Jones II
Next by Date:  Re: QualysGuard, Richard Nootebos
Previous by Thread:  ASP authentication, Bénoni MARTIN
Next by Thread:  RE: Ethereal Crashing on WinXP SP2, Alan Davies
Indexes:  [Date] [Thread] [Top] [All Lists]