Web Application Security
Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 01:13AM
Thomas Schreiber (ts securenet de) (7 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:17PM
Elihu Smails (elihusmails2000 yahoo com) (5 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)

On Monday 20 December 2004 12:17 pm, Elihu Smails wrote:
> I agree with the comments that there is a problem on
> the development end that session management is
> lacking. I am a developer, I can say this.:)
> Sessions should track the remote IP address of the
> client at a minimum, so that this problem could go
> away. Many programs that I have written have custom
> session management that track not only client IP, but
> browser, any certificate info and username. I will
> agree that any of this information is
> obtainable/spoofable, it is not in the context of most
> web application security issues such as Session
> Riding.

Much discussion has been given in this list about tracking a client IP as a
method of verifying credentials. It has been determined by the list that
this is generally a poor practice, often used to cover up other real
application vulnerabilities. The problem with it is that some services, such
as AOL, use multiple proxy servers for their clients, causing a single
client's session to span multiple IPs, and it cannot be conclusively
determined that these IPs are even in the same subnets all the time. It
also does not cover anyone who is on a network that uses NAT, as multiple
persons will have the same IP address (especially a corporate network).
Search the archives, and use more appropriate session management techniques.

>
> --- Thomas Schreiber <ts (at) securenet (dot) de [email concealed]> wrote:
> > Hello,
> >
> > I would like to point you to a whitepaper just
> > released:
> >
> > SESSION RIDING - A Widespread Vulnerability in
> > Today's Web Applications
> > http://www.securenet.de/papers/Session_Riding.pdf
> >
> > ----------
> > Abstract:
> >
> > In this paper we describe an issue that was raised
> > in 2001 under the name of Cross-Site Request
> > Forgeries (CSRF). It seems, though, that it has been
> > neglected by the community, as it is not part of
> > recent Web Application Security discussions, nor is
> > it mentioned in OWASP's Top Ten or the like. After
> > having frequently observed this vulnerability in our
> > Web Application Security assessments of custom Web
> > applications, we started to examine various public
> > Web applications and other browser-based
> > applications:
> >
> > - popular (commercial) Web sites
> > - popular browser-based console applications such as
> > administration tools for databases, servers, etc.
> > - browser-based administration clients of hardware
> > devices
> > - webmail sites and open source and commercial
> > webmail solutions
> >
> > We have found out that this vulnerability is present
> > in many of those sites, services and products, some
> > of which perform sensitive tasks. Actually, the list
> > of affected companies contains well-known big
> > players. Our analysis has led us to the conclusion
> > that this vulnerability is the most widespread one
> > in today's Web applications right after Cross-Site
> > Scripting (XSS). Even worse, in some scenarios it
> > has to be considered much more dangerous than XSS.
> >
> > We feel that a concise description of this issue is
> > necessary, along with a description of scenarios
> > that highlight the danger to all browser-based
> > applications that do not provide appropriate
> > countermeasures, be it Intranet, Internet or console
> > applications. In this paper, we explain this
> > vulnerability in depth, show that it may be used
> > unnoticed by the victim, describe potential threats,
> > and finally give hints on how to make Web
> > applications safe from such attacks.
> >
> > We prefer to call this issue Session Riding which
> > more figuratively illustrates what is going on.
> > ----------
> >
> > Feedback is very welcome - especially regarding our
> > rating/experience as one of the most widespread
> > vulnerabilities today.
> >
> > Thomas Schreiber
>
> ____________________________________________________________
>
> > SecureNet GmbH - http://www.securenet.de
> > +49 89/32133-610
> > mailto:ts (at) securenet (dot) de [email concealed]
>

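As an added illustration of the point Joseph makes (this code is not from any post in the thread or from the whitepaper): binding a session to the client IP rejects a legitimate user whose next request leaves through a different proxy, yet does nothing against session riding, because the forged request is issued by the victim's own browser with the victim's own cookie and IP. The per-session secret token checked alongside it is the widely used countermeasure and is this example's assumption, not a claim about what the paper recommends; the session store, user name and addresses are constructed.

```python
import hmac
import secrets
from typing import Dict, Optional
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    client_ip: str   # IP seen at login; consulted only by the IP-binding check
    # Per-session secret that a legitimate form carries back in a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

SESSIONS: Dict[str, Session] = {}   # constructed in-memory session store

def login(user: str, client_ip: str) -> str:
    """Create a session and return its id, i.e. what the cookie would carry."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, client_ip=client_ip)
    return sid

def ip_bound_check(sid: str, client_ip: str) -> bool:
    """The approach the thread argues against: accept only if the IP matches."""
    s = SESSIONS.get(sid)
    return s is not None and s.client_ip == client_ip

def token_check(sid: str, submitted_token: Optional[str]) -> bool:
    """Session-riding defence: the state-changing request must carry the
    per-session secret, which a page on another origin cannot read."""
    s = SESSIONS.get(sid)
    if s is None or submitted_token is None:
        return False
    return hmac.compare_digest(s.csrf_token.encode(), submitted_token.encode())

def demo() -> Dict[str, bool]:
    sid = login("alice", "10.0.0.5")          # constructed user and address
    token = SESSIONS[sid].csrf_token
    return {
        # Same user, next request exits through another proxy (the AOL case).
        "ip_check_rejects_proxy_user": not ip_bound_check(sid, "10.0.0.6"),
        # A forged request rides the victim's own browser, cookie and IP.
        "ip_check_accepts_forged_request": ip_bound_check(sid, "10.0.0.5"),
        # The forging page cannot supply the token, so the request is refused.
        "token_check_rejects_forged_request": not token_check(sid, None),
        # A real form submission carries the token and passes from any IP.
        "token_check_accepts_legit_request": token_check(sid, token),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```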
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 17 2004 08:36AM
Philippe P. (webappsec philippe prados name) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 02:44PM
Joseph Miller (joseph tidetamerboatlifts com) (1 replies)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
Copyright 2009, SecurityFocus