
RE: [WEB SECURITY] Session hijacking protection



Hi Frederic
 
I think the article is well written in that it provides an approach for linking user information other than just the cookie value to session access granting. But the measures are still very primitive, and it's worthwhile to have a look at the caveats pointed out in the article.
 
If you want a website to be accessible to everybody, you probably don't want to exclude a user group just because one simple criterion - such as a constant IP or network address - is not met. As long as there are "regular" situations that can result in a violation of your criteria, you may turn away clients from the website.
 
Of course, it always depends on the user base of your application how restrictive you want to be. In a company network, you may have control over the clients and the network they use, so you can be more restrictive and grant access based on simple criteria.
 
In general, however, I think the way to go is rather to think of flexible metrics that end in an indication of how "sane" a session is, assuming the request will be processed. Changes in the properties of a request can be reflected as a change in the sanity level of a session. As properties of a request you can think of the source IP address, HTTP headers, SSL session ID, combinations thereof, etc. Finally, based on the sanity level, you can decide what action to take, e.g. denying access or raising an alert.
 
A major difference from the method in the article is that a request is granted access based on request and session history, without the need to modify a cookie with an HMAC.
 
I'm not aware of any framework using such a mechanism, and it's not obvious which criteria are most powerful for preventing session hijacking. I'm wondering whether some people have more information about such metrics.
 
Gabriel
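The session "sanity" score Gabriel describes, written out as an added example (this is not code from the thread or from any framework). Each request is compared with the session's last accepted request, every changed property lowers the score by an assumed weight, and the resulting score selects allow, alert or deny. Property names, weights, thresholds and the sample traffic are all assumptions chosen for illustration.

```python
"""Added example, not code from the thread: a session "sanity" score along the
lines Gabriel sketches above. Each accepted request is compared with the
session's previous request; every property that changed lowers the score, and
the score decides between allow, alert and deny. The property names, weights
and thresholds are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Assumed penalties per changed property. A move within the same /24 is cheap
# (DHCP renewal, load-balanced proxy pool); a changed browser string is not.
WEIGHTS = {
    "ip_same_network": 10,
    "ip_other_network": 40,
    "user_agent": 35,
    "accept_language": 15,
    "tls_session_id": 20,
}
ALERT_BELOW = 70   # below this: serve the request but raise an alert
DENY_BELOW = 40    # below this: refuse the request
RECOVERY = 5       # score regained per request whose properties are unchanged


@dataclass
class Session:
    last: dict                 # properties of the last accepted request
    score: int = 100
    history: list = field(default_factory=list)


def same_network(ip_a, ip_b, prefix=24):
    """True if both addresses fall into the same /prefix block."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def evaluate(session, request):
    """Score one request against the session and return (action, score, reasons)."""
    reasons = []
    if request["ip"] != session.last["ip"]:
        reasons.append("ip_same_network" if same_network(session.last["ip"], request["ip"])
                       else "ip_other_network")
    for prop in ("user_agent", "accept_language", "tls_session_id"):
        if request.get(prop) != session.last.get(prop):
            reasons.append(prop)

    score = max(0, session.score - sum(WEIGHTS[r] for r in reasons))
    if score < DENY_BELOW:
        action = "deny"
    elif score < ALERT_BELOW:
        action = "alert"
    else:
        action = "allow"

    if action != "deny":
        # Accepted requests become the new baseline. A denied request changes
        # neither baseline nor score, so an attacker replaying a stolen cookie
        # from elsewhere cannot lock the real client out of its own session.
        session.history.append((dict(request), action, score))
        session.last = dict(request)
        session.score = score if reasons else min(100, score + RECOVERY)
    return action, score, reasons


def demo():
    """Constructed traffic: a client in 192.0.2.0/24, then three requests."""
    base = {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0 (X11)",
            "accept_language": "de-CH", "tls_session_id": "a1"}
    session = Session(last=dict(base))
    results = []
    # 1. Address renewed inside the same /24: a "regular" change, small penalty.
    results.append(evaluate(session, {**base, "ip": "192.0.2.77"}))
    # 2. Same address, but the browser string changed: suspicious, alert only.
    results.append(evaluate(session, {**base, "ip": "192.0.2.77",
                                      "user_agent": "Mozilla/5.0 (Windows)"}))
    # 3. Everything differs at once: looks like the cookie replayed elsewhere.
    results.append(evaluate(session, {"ip": "198.51.100.5", "user_agent": "curl/7.16",
                                      "accept_language": "en-US", "tls_session_id": "zz"}))
    return results


if __name__ == "__main__":
    for action, score, reasons in demo():
        print(action, score, reasons)
```

The point of keeping a denied request out of the baseline is the caveat Gabriel raises: a scheme that reacts to an attacker's probe by tightening the session would otherwise turn away the legitimate client as well. The weights are the part that needs tuning per user base, which is exactly the open question in the message above.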

________________________________

From: frederic.lebeau@xxxxxxxxxx [mailto:frederic.lebeau@xxxxxxxxxx]
Sent: Thu 05.07.2007 14:00
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Session hijacking protection



Hello,

I'm investigating session linkage with IP address + other user-related
info.
An old article I've found:
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

What do you think about this kind of protection?
Are there other user parameters that we can use to trust the user?

Thanks for the feedback, which is always very interesting...


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
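The cookie-binding scheme Frederic asks about, as an added example (this is not code from the thread or from the MSDN article): the session identifier is issued together with an HMAC over the identifier and a client fingerprint, and a request is only accepted if the fingerprint it presents still produces the same tag. The key handling, the cookie layout, the choice of properties and the sample requests are assumptions; the last demo case shows the caveat that a legitimate client which moves to another network is rejected just like an attacker.

```python
"""Added example, not code from the thread or from the MSDN article: a session
cookie bound to client properties with an HMAC, the general shape of the "link
the session to IP address + other user info" scheme Frederic asks about. The
key handling, the cookie layout and the choice of properties are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)   # deployment secret; assumed to come from config


def client_fingerprint(request, prefix=24):
    """Properties the session is tied to. Binding to the client's /prefix block
    rather than the exact address tolerates renewals inside one network, but
    not a client that legitimately moves between networks (see demo)."""
    net = ipaddress.ip_network(f"{request['ip']}/{prefix}", strict=False)
    return f"{net}|{request['user_agent']}".encode()


def _tag(session_id, request, key):
    msg = session_id.encode() + b"|" + client_fingerprint(request)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id, request, key=SERVER_KEY):
    """Cookie value = <session id>.<HMAC over id and client fingerprint>."""
    return f"{session_id}.{_tag(session_id, request, key)}"


def verify_cookie(cookie, request, key=SERVER_KEY):
    """Return the session id if the tag matches this client, otherwise None."""
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = _tag(session_id, request, key)
    # compare_digest avoids leaking how many leading bytes of the tag matched
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


def demo():
    """Constructed requests against one issued cookie; True means the scheme
    behaved as intended for that case."""
    key = b"\x01" * 32                  # fixed only to keep the example deterministic
    sid = "sess-" + secrets.token_hex(8)
    alice = {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0 (X11)"}
    cookie = issue_cookie(sid, alice, key)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "same_client": verify_cookie(cookie, alice, key) == sid,
        "same_network_new_ip": verify_cookie(cookie, {**alice, "ip": "192.0.2.77"}, key) == sid,
        "replayed_elsewhere": verify_cookie(
            cookie, {"ip": "198.51.100.5", "user_agent": "curl/7.16"}, key) is None,
        "tampered_tag": verify_cookie(tampered, alice, key) is None,
        # The caveat from the article: a legitimate client whose address moved
        # to another network is rejected just like an attacker.
        "legit_roaming_locked_out": verify_cookie(
            cookie, {**alice, "ip": "203.0.113.9"}, key) is None,
    }
```

Because the binding lives in the tag and not in server-side state, the check costs one HMAC per request and needs no session history; the price is that every property you bind to becomes a reason to turn away a real client when it changes, which is the trade-off the replies in this thread are weighing.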







Brought to you by http://www.webappsec.org