Web Application Security
Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 01:13AM
Thomas Schreiber (ts securenet de) (7 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:17PM
Elihu Smails (elihusmails2000 yahoo com) (5 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:17PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:07AM
Shade (shade wastelands gen nz)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:07AM
Shade (shade wastelands gen nz)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 17 2004 08:36AM
Philippe P. (webappsec philippe prados name) (2 replies)
Hello,

I like this paper ( http://www.securenet.de/papers/Session_Riding.pdf ), but
i would like to make some comments:

- In chapter 6.3.1, you say a javascript can help to submit the URL 1) and
the URL 2).

I think it's not necessary to use javascript for that. It's possible to
return a special page with an image with a bad link, and a new link to
manage the next step. The next step make exactely the same, a page with
image and next step. I think it's possible to make a complex scenario with
this approach.

- In chapter 6, you propose countermeasures. But, your propositions
are complexes. A better approach is to check the header Referer for each
request with parameter. If the Referer is not compatible the the site, you
can reject the request. It's very easy to install, and you can continue to
use the HTTP cache.

Regards

Philippe PRADOS

[ reply ]
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 02:44PM
Joseph Miller (joseph tidetamerboatlifts com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:15PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 09:54AM
Shade (shade wastelands gen nz) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:09PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:09PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:04PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:04PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:10PM
Sverre H. Huseby (shh thathost com)


 

Privacy Statement
Copyright 2010, SecurityFocus