RE: How to create (hijacking) secure HTTP sessions?
From: Evans, Arian (Arian.Evans fishnetsecurity.com)
Date: Wed Jun 07 2006 - 14:37:01 CDT
> >
> > Do not mix SSL sections with non-SSL sections.
>
> What do you mean by this?
>
> > Mark cookies "secure".
>
> Thanks for that point!
I believe he means don't mix encrypted and unencrypted
content in the same security domain.
Some folks take images and other high-overhead items
and *do not* encrypt them for performance reasons, but
keep them in the same FQDN/security zone/domain
e.g. www.domain.com/
Problem is, if your session token is a cookie, or
anything else the browser automagically coughs up,
then a call to:
http://www.domain.com/non-SSL-speedy-content
will potentially pass sensitive info in the clear,
like the user session token if token=cookie.
Marking cookies Secure means that the browser
shouldn't pass them in clear if a mistake like
this is made, but I haven't tested that on anything
but IE.
-ae
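The leak Arian describes, worked through as an added example (this code is not part of the original message or the list archive): a page served over https from www.domain.com embeds an image and a stylesheet over plain http from the same host, so a conforming browser attaches the session cookie to those requests unless the cookie carries the Secure attribute. The host names, cookie values and HTML page are constructed sample values; the send/don't-send rule is the one in RFC 6265 section 5.4, which every current browser implements (the original author had only checked IE). The example goes slightly beyond the post by also scanning the page for the same-host http:// subresources that trigger the problem.

```python
"""Added example (not from the original post): show which cookies reach the wire
over plain-http subresources of an https page, with and without Secure.
All host names, cookie values and HTML below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit
import re


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie applies to (no leading dot)
    path: str = "/"
    secure: bool = False  # RFC 6265 "secure-only" flag
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse the attributes of a Set-Cookie header value that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val
    return cookie


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies a conforming browser attaches to a request for url.

    Mirrors the RFC 6265 5.4 checks we care about: domain match, path match,
    and the secure-only rule (a Secure cookie is never sent over a non-https
    scheme, so it never crosses the network in clear text)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        if not (host == c.domain or host.endswith("." + c.domain)):
            continue
        if not path.startswith(c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue  # the Secure flag is exactly what stops the leak
        sent.append(c.name)
    return sent


# Matches src=/href= attributes that point at a plain-http URL.
SUBRESOURCE = re.compile(r'''(?:src|href)\s*=\s*["'](http://[^"']+)["']''', re.IGNORECASE)


def insecure_subresources(html: str, page_host: str) -> list[str]:
    """Plain-http subresources that the browser will fetch from the same host."""
    return [u for u in SUBRESOURCE.findall(html)
            if (urlsplit(u).hostname or "").lower() == page_host.lower()]


# Constructed sample page: one https script (fine), two same-host http
# subresources (the "speedy content" mistake), one http image on another host
# (no cookie for www.domain.com goes there anyway).
SAMPLE_PAGE = """<html><head>
<script src="https://www.domain.com/js/app.js"></script>
<img src="http://www.domain.com/images/logo.png">
<link rel="stylesheet" href="http://www.domain.com/css/site.css">
<img src="http://cdn.example.net/pixel.png">
</head></html>"""


def leak_report(set_cookie_header: str, html: str, page_url: str) -> dict[str, list[str]]:
    """Map each same-host http:// subresource to the cookies that would be sent
    in the clear when the browser fetches it."""
    host = urlsplit(page_url).hostname or ""
    jar = [parse_set_cookie(set_cookie_header, host)]
    return {u: cookies_sent(jar, u) for u in insecure_subresources(html, host)}


if __name__ == "__main__":
    page = "https://www.domain.com/account"
    print("without Secure:", leak_report("SESSIONID=abc123; Path=/; HttpOnly", SAMPLE_PAGE, page))
    print("with Secure:   ", leak_report("SESSIONID=abc123; Path=/; Secure; HttpOnly", SAMPLE_PAGE, page))
```

Note that HttpOnly does nothing for this problem: it keeps script away from the cookie but has no effect on what the browser puts on the wire. Only the Secure attribute (or serving every subresource over https) closes the gap, and the report above shows both cases side by side.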