-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday 20 December 2004 12:17 pm, Elihu Smails wrote:
I agree with the comments that there is a problem on
the development end that session management is
lacking. I am a developer, I can say this.:)
Sessions should track the remote IP address of the
client at a minimum, so that this problem could go
away. Many programs that I have written have custom
session management that track not only client IP, but
browser, any certificate info and username. I will
agree that any of this inforamtion is
obtainable/spoofable, it is not in the context of most
web application security issues such as Session
Riding.
Much discussion has been given in this list about tracking a client IP as a
method of verifying credentials. It has been determined by the list that
this is generally a poor practice, often used to cover up other real
application vulnerabilities. The problem with it is that some services such
as AOL, use multiple proxy servers for their clients, causing a single
client's session to span multiple IP's, and it cannot be conclusively
determined that these IP's are even in the same subnets all the time. It
also does not cover anyone who is on a network that uses NAT as multiple
persons will have the same IP address (especially a corporate network).
Search the archives, and use more appropriate session management techniques.
--- Thomas Schreiber <ts@securenet.de> wrote:
Hello,
I would like to point you to a whitepaper just
released:
SESSION RIDING - A Widespread Vulnerability in
Today's Web Applications
http://www.securenet.de/papers/Session_Riding.pdf
----------
Abstract:
In this paper we describe an issue that was raised
in 2001 under the name of Cross-Site Request
Forgeries (CSRF). It seems, though, that it has been
neglected by the community, as it is not part of
recent Web Application Security discussions, nor is
it mentioned in OWASP's Top Ten or the like. After
having frequently observed this vulnerability in our
Web Application Security assessments of custom Web
applications, we started to examine various public
Web applications and other browser-based
applications:
? popular (commercial) Web sites
? popular browser-based console applications such as
administration tools for databases, servers, etc.
? browser-based administration clients of hardware
devices
? webmail sites and open source and commercial
webmail solutions
We have found out that this vulnerability is present
in many of those sites, services and products, some
of which perform sensitive tasks. Actually, the list
of affected companies contains well-known big
players. Our analysis has led us to the conclusion
that this vulnerability is the most widespread one
in today's Web applications right after Cross-Site
Scripting (XSS). Even worse, in some scenarios it
has to be considered much more dangerous than XSS.
We feel that a concise description of this issue is
necessary, along with a description of scenarios
that highlight the danger to all browser-based
applications that do not provide appropriate
countermeasures, be it Intranet, Internet or console
applications. In this paper, we explain this
vulnerability in depth, show that it may be used
unnoticed by the victim, describe potential threats,
and finally give hints on how to make Web
applications safe from such attacks.
We prefer to call this issue Session Riding which
more figuratively illustrates what is going on.
----------
Feedback is very welcome - especially regarding our
rating/experience as one of the most widespread
vulnerabilities today.
Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts@securenet.de
__________________________________
Do you Yahoo!?
The all-new My Yahoo! - Get yours free!
http://my.yahoo.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFByCcvmXZROF+EADURAkY+AJwP1wMRKmvvkB7PY0FjEBtIYjqEGwCeKu4l
hDEATTFZh60T/Oq59N+KfFc=
=j7Ll
-----END PGP SIGNATURE-----
