Network Security Pen-Test

Re: Session Hijacking Security

Subject: Re: Session Hijacking Security
Date: Wed, 16 Apr 2008 23:58:37 +0530
HTTPS as you say is an absolute must so that people can't steal
cookies using which they can hijack your session. Other "best
practices" to follow would be:

a) Ensure that a valid session ID lasts only for a short interval. The
more sensitive the application the shorter the time duration.

b) Destroy the session ID on logout. In ASP apps ensure that the
browser instance itself is closed if you're using the default
ASPSESSIONID.

c) Terminate the "hijacked" session immediately, as soon as you see a
second login attempt. This though could be manipulated for a DOS
attack. I guess "one time cookies" fall into this bracket? And they're
usually encrypted anyway by default... as in they are quite random by
default in both ASP and JSP apps.

d) If possible how about the usage of page tokens as well; for every
critical page? Even if the session ID gets hijacked the guy won't be
able to get at your data as he can't predict the page token. How many
and what pages using page tokens though is up to you based on how your
app performs.

Really though HTTPS drops the risk a lot and a lot of these other
attacks, while very much possible, do require some understanding of how
the app works. That's it off the top of my head :)

Cheers
Arvind

On Wed, Apr 16, 2008 at 4:57 PM, 11ack3r <11ack3r@gmail.com> wrote:
Hi Guys,

 Thanks for your answers to my early post.

 I saw & tested how easy it was to capture cookies over the network and
 hijack sessions.

 Now what's the countermeasure? Sites like yahoo.com or any from whole
 lot don't use HTTPS after authentication. Is there any other technique
 apart from HTTPS that they can use to ensure session hijacking is
 thwarted?

 How about sending one time cookies that are encrypted? Encryption will
 ensure confidentiality and one timeness would mitigate replay attacks.

 Is anyone aware of any non-HTTPS implementation that is more secure,
 if not completely secure?

 Thanks a ton

 ------------------------------------------------------------------------
 This list is sponsored by: Cenzic

 Need to secure your web apps NOW?
 Cenzic finds more, "real" vulnerabilities fast.
 Click to try it, buy it or download a solution FREE today!

 http://www.cenzic.com/downloads
 ------------------------------------------------------------------------


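The practices Arvind lists (a short session lifetime, destroying the session on logout, ending an existing session on a second login, and per-page tokens for critical actions) as an added Python example that is not part of the original thread. The `SessionStore` class, its method names, the return strings and the injectable `clock` parameter are assumptions made for illustration.

```python
import hmac
import secrets
import time


class SessionStore:
    # Server-side session table illustrating practices (a)-(d) from the post.
    def __init__(self, idle_timeout=300, clock=time.time):
        self.idle_timeout = idle_timeout  # (a) short lifetime, in seconds
        self.clock = clock                # injectable so expiry can be tested offline
        self.sessions = {}                # session_id -> session record

    def login(self, user):
        # (c) a second login for the same user ends the existing session;
        # the post notes this can be abused to lock a legitimate user out.
        for sid in [s for s, rec in self.sessions.items() if rec["user"] == user]:
            del self.sessions[sid]
        sid = secrets.token_urlsafe(32)   # unpredictable, as ASP/JSP IDs are by default
        self.sessions[sid] = {"user": user, "last_seen": self.clock(),
                              "page_token": secrets.token_urlsafe(16)}
        return sid

    def _live(self, sid):
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if self.clock() - rec["last_seen"] > self.idle_timeout:
            del self.sessions[sid]        # (a) idle session has expired
            return None
        rec["last_seen"] = self.clock()
        return rec

    def page_token(self, sid):
        # (d) token embedded in a critical page; the browser must echo it back.
        rec = self._live(sid)
        return rec["page_token"] if rec else None

    def critical_action(self, sid, token):
        # (d) a stolen cookie alone is not enough: the request must also carry
        # the current page token, which is rotated after every successful use.
        rec = self._live(sid)
        if rec is None:
            return "denied: no live session"
        if token is None or not hmac.compare_digest(token, rec["page_token"]):
            return "denied: bad page token"
        rec["page_token"] = secrets.token_urlsafe(16)
        return "ok"

    def logout(self, sid):
        self.sessions.pop(sid, None)      # (b) destroy server-side, not just the cookie
```

On plain HTTP a passive sniffer who captured the cookie usually sees the page body too, so the page token mainly raises the bar against a cookie stolen on its own, which is why the reply still treats HTTPS as the real fix.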