
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's W

Subject: RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
Date: Thu, 23 Dec 2004 11:55:15 -0600
 
Perhaps the applications that are more likely to be exploited are
those in which the user stays logged in and which periodically refresh
themselves, like webmail. I don't see them as a huge threat for
systems like Internet banking, for example.

In general I would agree. In my experience I'm still surprised how often
systems have fundamentally broken session management, or it's a service
provider model and the first-tier 'client' has control of the session timeout
and sets it to infinite for their 'clients'. The SP blames the client for this
practice and the client says security is an SP issue, and there is no resolution in the end.

Or my all-time favorite is the billpay app with the session token
cookies that, to this day, I believe still go 1078, 1086, 1097, 1099, [....]

Thank goodness I read that paper those Bindview guys wrote on doing
3-dimensional modeling of IP space. I stole some Perl scripts from
Rogan Dawes and tried that out, otherwise I might have missed that one.

It was not some increment-by-one that could be observed by a tester of
my skill each time I'd log in and out. It would jump by four or six or
sometimes ten because they had cryptographically obscured the value
incrementation, due to the fact that other people were logging in and out
of the application at the same time. Clever.

I recommended they take the session token (1111) + username (aevans)
and encrypt it (1111nrinaf) but they did not listen to me.

U2FmZSBhbmQgSGFwcHkgSG9saWRheXMh
RG9uJ3QgdGFrZSB0aGlzIHRvbyBzZXJpb3VzbHkh

Everyone take care,

Arian
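A way to test for the kind of cookie Arian describes, as an added example that is not part of the original thread. The captured token values are constructed to look like the billpay sequence; the gap threshold of 64 is an assumption about what still counts as "other users logging in" rather than randomness. The last function shows the contrast: a session token minted from a CSPRNG instead of a counter.

```python
"""Spot sequential, guessable session tokens in a captured sample and
contrast them with a properly random token. Added example; the token
values below are constructed, not taken from any real application."""
import math
import secrets
from collections import Counter

# Constructed sample: monotonically increasing integers with small gaps,
# the gaps being other users' logins between our own captures.
CAPTURED_TOKENS = ["1078", "1086", "1097", "1099", "1104", "1112", "1117", "1125"]

# Assumption: a step larger than this is no longer "someone else logged in".
MAX_PLAUSIBLE_GAP = 64


def shannon_entropy_bits(tokens):
    """Per-character Shannon entropy (bits) over the whole sample.

    A low value (digits only gives at most log2(10) ~ 3.32) is a cheap red
    flag; a high value alone does NOT prove the generator is unpredictable.
    """
    text = "".join(tokens)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze_tokens(tokens):
    """Classify a sample of session tokens captured in issue order.

    Returns a dict with:
      numeric      every token parses as a base-10 integer
      monotonic    values strictly increase in capture order
      max_gap      largest step between consecutive values (0 if not numeric)
      predictable  numeric, monotonic and small gaps: a single login tells an
                   attacker where the neighbouring live sessions are
      next_window  inclusive range of values to try for the next issued token
      entropy_bits per-character Shannon entropy of the sample
    """
    result = {
        "numeric": False, "monotonic": False, "max_gap": 0,
        "predictable": False, "next_window": None,
        "entropy_bits": shannon_entropy_bits(tokens),
    }
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return result  # non-numeric tokens: this heuristic does not apply
    result["numeric"] = True
    gaps = [b - a for a, b in zip(values, values[1:])]
    result["monotonic"] = all(g > 0 for g in gaps)
    result["max_gap"] = max(gaps) if gaps else 0
    if result["monotonic"] and 0 < result["max_gap"] <= MAX_PLAUSIBLE_GAP:
        result["predictable"] = True
        last = values[-1]
        result["next_window"] = (last + 1, last + result["max_gap"])
    return result


def guess_candidates(tokens):
    """The values an attacker would try for sessions issued after the sample."""
    info = analyze_tokens(tokens)
    if not info["predictable"]:
        return []
    lo, hi = info["next_window"]
    return [str(v) for v in range(lo, hi + 1)]


def new_session_token(nbytes=32):
    """How the cookie should be minted: 256 bits from the OS CSPRNG,
    not a counter with obfuscation layered on top."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(analyze_tokens(CAPTURED_TOKENS))
    print("candidates:", guess_candidates(CAPTURED_TOKENS))
    print(analyze_tokens([new_session_token() for _ in range(8)]))
```

Run it against cookies captured across a handful of your own logins; if `predictable` comes back true, the finding is the session management itself, and the fix is `new_session_token`, not encrypting the counter.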
