I agree with the comments that there is a problem on
the development end that session management is
lacking. I am a developer, I can say this.:)
Sessions should track the remote IP address of the
client at a minimum, so that this problem could go
away. Many programs that I have written have custom
session management that track not only client IP, but
browser, any certificate info and username. I will
agree that any of this information is
obtainable/spoofable; it is not in the context of most
web application security issues such as Session
Riding.
--- Thomas Schreiber <ts (at) securenet (dot) de [email concealed]> wrote:
> Hello,
>
> I would like to point you to a whitepaper just
> released:
>
> SESSION RIDING - A Widespread Vulnerability in
> Today's Web Applications
> http://www.securenet.de/papers/Session_Riding.pdf
>
> ----------
> Abstract:
>
> In this paper we describe an issue that was raised
> in 2001 under the name of Cross-Site Request
> Forgeries (CSRF). It seems, though, that it has been
> neglected by the community, as it is not part of
> recent Web Application Security discussions, nor is
> it mentioned in OWASP's Top Ten or the like. After
> having frequently observed this vulnerability in our
> Web Application Security assessments of custom Web
> applications, we started to examine various public
> Web applications and other browser-based
> applications:
>
> - popular (commercial) Web sites
> - popular browser-based console applications such as
> administration tools for databases, servers, etc.
> - browser-based administration clients of hardware
> devices
> - webmail sites and open source and commercial
> webmail solutions
>
> We have found out that this vulnerability is present
> in many of those sites, services and products, some
> of which perform sensitive tasks. Actually, the list
> of affected companies contains well-known big
> players. Our analysis has led us to the conclusion
> that this vulnerability is the most widespread one
> in today's Web applications right after Cross-Site
> Scripting (XSS). Even worse, in some scenarios it
> has to be considered much more dangerous than XSS.
>
> We feel that a concise description of this issue is
> necessary, along with a description of scenarios
> that highlight the danger to all browser-based
> applications that do not provide appropriate
> countermeasures, be it Intranet, Internet or console
> applications. In this paper, we explain this
> vulnerability in depth, show that it may be used
> unnoticed by the victim, describe potential threats,
> and finally give hints on how to make Web
> applications safe from such attacks.
>
> We prefer to call this issue Session Riding which
> more figuratively illustrates what is going on.
> ----------
>
> Feedback is very welcome - especially regarding our
> rating/experience as one of the most widespread
> vulnerabilities today.
>
> Thomas Schreiber
>
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
> +49 89/32133-610
> mailto:ts (at) securenet (dot) de [email concealed]
>
>
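The thread above discusses Session Riding (CSRF) and session tracking, but neither the reply nor the abstract shows the mechanics. The following is an added example, not code from either poster or from the SecureNet paper. It models a minimal money-transfer endpoint in two versions: one that authorizes purely on the session cookie (with the session additionally bound to the client's IP, as the reply suggests), and one that also demands a per-session secret token carried in the form body. The key fact it demonstrates is that a session-riding request is issued by the victim's own browser, so it arrives with the victim's cookie and from the victim's address, whereas an attacker's page cannot read the token embedded in the legitimate form because of the browser's same-origin policy. The session store, ledger, request object and the `10.0.0.5` / `mallory` values are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory stand-ins for a server-side session store and an
# account ledger; a real application would use its framework's equivalents.
SESSIONS: dict = {}


@dataclass
class Request:
    """The parts of an HTTP request the handlers below look at."""
    cookies: dict
    form: dict
    remote_addr: str


def login(user: str, remote_addr: str) -> str:
    """Create a session bound to the client IP and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": remote_addr, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the site's own transfer form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request):
    """Look up the session by cookie and enforce the IP binding (None if invalid)."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None or sess["ip"] != req.remote_addr:
        return None
    return sess


def _move(ledger: dict, src: str, dst: str, amount: int) -> int:
    """Apply the transfer to the ledger; returns an HTTP-style status code."""
    if amount <= 0 or ledger.get(src, 0) < amount:
        return 400
    ledger[src] -= amount
    ledger[dst] = ledger.get(dst, 0) + amount
    return 200


def transfer_vulnerable(req: Request, ledger: dict) -> int:
    """Authorizes on the (IP-bound) session cookie alone: rideable."""
    sess = _session(req)
    if sess is None:
        return 401
    return _move(ledger, sess["user"], req.form["to"], int(req.form["amount"]))


def transfer_hardened(req: Request, ledger: dict) -> int:
    """Additionally requires the per-session token in the request body."""
    sess = _session(req)
    if sess is None:
        return 401
    supplied = req.form.get("csrf", "")
    # constant-time comparison; the token lives in the form body, never in a cookie
    if not secrets.compare_digest(supplied, sess["csrf"]):
        return 403
    return _move(ledger, sess["user"], req.form["to"], int(req.form["amount"]))


def forged_request(sid: str, victim_ip: str) -> Request:
    """A request auto-submitted by an attacker's page loaded in the victim's browser:
    the browser attaches the victim's cookie and the packet comes from the victim's IP,
    but the attacker has no way to learn the session's token."""
    return Request(cookies={"sid": sid}, form={"to": "mallory", "amount": "500"},
                   remote_addr=victim_ip)


def legit_request(sid: str, ip: str) -> Request:
    """A submission of the site's own form, which carries the token."""
    return Request(cookies={"sid": sid},
                   form={"to": "bob", "amount": "100", "csrf": csrf_token_for(sid)},
                   remote_addr=ip)


def demo() -> dict:
    """Run the three scenarios on fresh ledgers and return (status, ledger) per case."""
    SESSIONS.clear()
    sid = login("alice", "10.0.0.5")
    results = {}
    for name, handler, req in [
        ("vulnerable", transfer_vulnerable, forged_request(sid, "10.0.0.5")),
        ("hardened_forged", transfer_hardened, forged_request(sid, "10.0.0.5")),
        ("hardened_legit", transfer_hardened, legit_request(sid, "10.0.0.5")),
        ("wrong_ip", transfer_hardened, legit_request(sid, "192.0.2.9")),
    ]:
        ledger = {"alice": 1000, "bob": 0, "mallory": 0}
        results[name] = (handler(req, ledger), ledger)
    return results


if __name__ == "__main__":
    for name, (status, ledger) in demo().items():
        print(f"{name:16} -> {status} {ledger}")
```

The IP binding does reject a request replayed from another address (the `wrong_ip` case), so it has value against stolen cookies, but the forged request sails through `transfer_vulnerable` because nothing about it differs from a legitimate one except the missing token. The token must be unpredictable, tied to the session, and checked on every state-changing request; putting it in a cookie would defeat the purpose, since the browser would send it automatically too.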