Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to create (hijacking) secure HTTP sessions?

from [Jason Muskat] Network Security [Permanent Link]
Subject: Re: How to create (hijacking) secure HTTP sessions?
Date: Fri, 02 Jun 2006 22:18:45 -0400 
Hello,

You have the major parts, especially "HTTP session ID joined with IP and SSL
session ID'. Most web-apps don't do this, but they should.

To that one should add

A) allow only one active login

Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/



From: Michael Decker <MDecker@tesis.de>
Organization: Tesis SYSware GmbH
Date: Thu, 01 Jun 2006 09:13:50 +0200
To: <webappsec@securityfocus.com>
Subject: How to create (hijacking) secure HTTP sessions?

Hi!

I tried to figure out, how to create HTTP session, that are not so easy
to hijack.

So I think about that mechanisms:

* Using HTTPs
* Randomize HTTP session IDs
* Only create HTTP session ID after login
* HTTP session ID joined with IP and SSL session ID
* Block all session ID usings, that do'nt match IP and SSL session ID
* Set HTTP session timeout
* Expire HTTP session after logout

Is that all? Is there any mechanism, that isn't a good idea?

Bye,
Michael

-- 
Michael Decker                      Michael.Decker@tesis.de
TESIS SYSware GmbH                      http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Salt Storage - web.config or database?, cynthia . peluso
Next by Date:  Re: Salt Storage - web.config or database?, Dean H. Saxe
Previous by Thread:  How to create (hijacking) secure HTTP sessions?, Michael Decker
Next by Thread:  Re: How to create (hijacking) secure HTTP sessions?, Adam Tuliper
Indexes:  [Date] [Thread] [Top] [All Lists]