RE: How to create (hijacking) secure HTTP sessions?

From: Evans, Arian (Arian.Evansfishnetsecurity.com)
Date: Wed Jun 07 2006 - 14:21:53 CDT


I know that in the US, for many of the apps I work on, Jason's suggestions are not viable.

1) Most common frameworks have no way to associate sessions/session IDs
with users/user IDs

2) They require concurrent logins for this reason (due to the number
of usability implications)

3) SSL session ID was broken by IE way back in 1999, when it changed
to renegotiate every 120 seconds to offset the weakness of 40 bit SSL
if I recall correctly. Unsure what the behavior is today, I may be
incorrect, but pretty sure every time I've looked it still does this.

4) IP does not work. Old discussion here, plenty of threads. In a
nutshell, you have ISPs who dynamically proxy (AOL is the biggest),
countries who proxy and dynamically proxy (China, Saudi, etc.), and
corporations who NAT/proxy and in a few cases dynamically proxy their
user base (think pooled-NAT on a Cisco Router/Pix).

1, 2, 3, 6, 7 all look good.

Has anybody written a single guide to session handling yet?

Otherwise, Michael, there's a smattering of papers you should
read, from the Across Session Fixation paper to the SecureNet
'SessionRiding' paper, and the papers they reference, for starters.

Also just noticed some other excellent responses, refer to those,
except for the above disagreements/caveats, if they apply to the
class of webapp you are developing.

-ae
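As an added example that is not part of this thread, here is a small Python session store that implements the items from Michael's list that Arian says look good (random session IDs, an ID minted only after login, idle and absolute timeouts, expiry on logout), with Jason's "one active login" and Michael's IP binding as switches so that the pooled-NAT failure mode from point 4 can be exercised. The USERS table, the addresses and the injectable clock are constructed for the example; the class and function names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, however active the user is

# Constructed credential table for the example; a real app checks a password hash.
USERS = {"alice": "correct horse", "bob": "battery staple"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_ip: str


class SessionStore:
    """Server-side session table keyed by a random ID (hypothetical helper)."""

    def __init__(self, bind_ip: bool = False, single_login: bool = False,
                 clock: Callable[[], float] = time.time):
        self.bind_ip = bind_ip            # Michael's items 4/5: tie the ID to the client IP
        self.single_login = single_login  # Jason's item A: one active login per user
        self.clock = clock                # injectable so timeouts can be tested offline
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, password: str, client_ip: str) -> Optional[str]:
        if not secrets.compare_digest(USERS.get(user, ""), password):
            return None
        if self.single_login:
            # Drop any earlier session of this user before issuing a new one.
            for sid, s in list(self._sessions.items()):
                if s.user == user:
                    del self._sessions[sid]
        # The ID is minted only now, after authentication, so an ID the browser held
        # before login (e.g. one planted by session fixation) never becomes authenticated.
        sid = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        now = self.clock()
        self._sessions[sid] = Session(user, now, now, client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user owning sid, or None (and drop sid) if it is no longer valid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        expired = now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT
        ip_mismatch = self.bind_ip and client_ip != s.client_ip
        if expired or ip_mismatch:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


def pooled_nat_walkthrough() -> list:
    """Arian's point 4: a legitimate user behind a pooled NAT whose egress address
    changes between requests is thrown out when the session is bound to the IP."""
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", "correct horse", "203.0.113.10")   # constructed addresses
    results = [store.lookup(sid, "203.0.113.10")]       # same address: still "alice"
    results.append(store.lookup(sid, "203.0.113.11"))   # NAT pool rotated: None, session dropped
    results.append(store.lookup(sid, "203.0.113.10"))   # back on the first address: still None
    return results


if __name__ == "__main__":
    print(pooled_nat_walkthrough())   # ['alice', None, None]
```

The walkthrough shows why IP binding is a usability cost rather than a free control: one rotated egress address and the user is logged out, which is exactly what happens behind the dynamic proxies and pooled NATs Arian describes. The timeout and single-login behaviour can be checked the same way by passing a fake clock and logging in twice.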

> -----Original Message-----
> From: Jason Muskat [mailto:JasonTechDude.Ca]
> Sent: Friday, June 02, 2006 9:19 PM
> To: Michael Decker; webappsecsecurityfocus.com
> Subject: Re: How to create (hijacking) secure HTTP sessions?
>
> Hello,
>
> You have the major parts, especially "HTTP session ID joined
> with IP and SSL session ID". Most web-apps don't do this, but they should.
>
> To that one should add
>
> A) allow only one active login
>
> Regards,
>
> --
> Jason Muskat | GCUX - de VE3TSJ
> ____________________________
> TechDude
> e. JasonTechDude.Ca
> m. 416 .414 .9934
>
> http://TechDude.Ca/
>
>
> > From: Michael Decker <MDeckertesis.de>
> > Organization: Tesis SYSware GmbH
> > Date: Thu, 01 Jun 2006 09:13:50 +0200
> > To: <webappsecsecurityfocus.com>
> > Subject: How to create (hijacking) secure HTTP sessions?
> >
> > Hi!
> >
> > I tried to figure out how to create HTTP sessions that are
> > not so easy to hijack.
> >
> > So I am thinking about these mechanisms:
> >
> > * Using HTTPs
> > * Randomize HTTP session IDs
> > * Only create HTTP session ID after login
> > * HTTP session ID joined with IP and SSL session ID
> > * Block all session ID uses that don't match IP and SSL
> >   session ID
> > * Set HTTP session timeout
> > * Expire HTTP session after logout
> >
> > Is that all? Is there any mechanism that isn't a good idea?
> >
> > Bye,
> > Michael
> >
> > --
> > Michael Decker Michael.Deckertesis.de
> > TESIS SYSware GmbH http://www.tesis.de
> > Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
> >
> >
> >
> --------------------------------------------------------------
> -----------
> > Sponsored by: Watchfire
> >
> > Watchfire named worldwide market share leader in web application
> > security assessment by leading market research firm.
> Watchfire's AppScan
> > is the industry's first and leading web application security testing
> > suite, and the only solution to provide comprehensive and
> consolidated
> > remediation task lists at every level of the application. See for
> > yourself.
> > Download a Free Trial of AppScan 6.0 today!
> >
> >
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300
> 000007t9c
> >
> --------------------------------------------------------------
> ------------
> >
