Hi Vishal,
As far as I am aware - no method is fool proof - however some steps I've seen
apps use have been to use a Javascript library to hash the password (and
adding a salt) before transmission and/or also using two factor authentication
such as an secure ID token. You can get a lot of great ideas by looking at
popular web-sites, such as Google or Yahoo's logon pages and putting them
through a proxy such as webscarab or burp.
The aim is to secure the web application such that a users session ID is
transmitted securely between the application server and the users browser;
which is why it is important that you do everything you can to secure that
users session ID - i.e. check for cross site scripting, SQL injection, cross
frame scripting etc. Therefore the developers of the app must do all they can
to follow secure coding guidelines (the OWASP guide is a great reference).
Cheers,
sHz
----- Original Message ----
From: Vishal Garg <vishal@firstbase.co.uk>
To: webappsec@securityfocus.com
Sent: Wednesday, 6 June, 2007 7:41:53 PM
Subject: Login credentials and session id security
Hi All,
Can someone please tell what is the most secure way of sending login
credentials to the server. The possible ways that I am familiar with are:
- get method
- post method
- hidden form fields
By using an encrypted connection we cannot sniff the credentials, but
still it is very easy to capture or manipulate these credentials
using a web proxy from any of these methods. So I am looking to find
a method to transport the credentials to the server so that the
security of these credentials can't be compromised even by deploying
a web proxy.
Also once a session id is generated, what is the best way to maintain
the security of a session id.
Any help would be much appreciated.
Regards
Vishal
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
