Session Management Attacks: Personal Property of Keith Samborski
Session Management Attacks

Session Hijacking

Copyright © Exdemy.com
Session Hijacking

● Research about Session Hijacking prevention methods in Web Applications
● What kind of policy can be used to protect users against Session Hijacking?
Session Hijacking - Solution

● A good countermeasure is destroying the session after a certain amount of time (for example an hour) or renewing it after validating the client browser
● Also, traffic must be encrypted using SSL/TLS to protect against eavesdropping
● The session itself must be encrypted and securely randomized, i.e. don't make these mistakes:
  ○ SESSID={"user": "manager"} , SESSID={"user": "john"}
  ○ SESSID=sess2564 , SESSID=sess2565
  ○ SESSID=rand()
● Also in the session validation phase, ensure the requests using a session are from the same client who initially established the session
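The following is an added example, not code from the Exdemy slides, showing how the countermeasures above fit together in a minimal server-side session store: session IDs come from the OS CSPRNG (so they are neither sequential nor derived from user data, unlike the three bad SESSID patterns), every session is destroyed once an absolute lifetime has passed, the ID is renewed on each validated request, and the session is bound to the client that created it. The class and function names, the `SessionStore` design, and the client fingerprint (user agent plus the first two octets of the IPv4 address) are assumptions of this example; the slide's SSL/TLS point is transport-level and is not covered by the snippet.

```python
"""Minimal session store applying the slide's countermeasures (added example)."""
import hashlib
import hmac
import secrets
import time

# Absolute session lifetime in seconds; the slide suggests "for example an hour".
SESSION_LIFETIME = 3600


class SessionStore:
    """Server-side session records keyed by an unguessable session ID."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock          # injectable for testing expiry
        self._sessions = {}         # session_id -> {"user", "created", "fp"}

    @staticmethod
    def _fingerprint(user_agent: str, client_ip: str) -> str:
        # Assumed binding policy: hash the user agent together with the first
        # two octets of the client's IPv4 address, so a session is tied to the
        # client that established it while tolerating some address churn.
        prefix = ".".join(client_ip.split(".")[:2])
        return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

    def create(self, user: str, user_agent: str, client_ip: str) -> str:
        # 32 random bytes from the CSPRNG: not sequential (sess2564/sess2565),
        # not a weak rand() value, and carrying no user data in the ID itself.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "created": self.clock(),
            "fp": self._fingerprint(user_agent, client_ip),
        }
        return sid

    def validate(self, sid: str, user_agent: str, client_ip: str):
        """Return (user, new_sid) for a valid request, or (None, None).

        The presented ID is always consumed: a valid request gets a renewed
        ID, and an expired or mismatched session is destroyed outright.
        """
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None, None
        # Destroy the session after the absolute lifetime.
        if self.clock() - rec["created"] > self.lifetime:
            return None, None
        # Reject use by a client other than the one that created the session.
        expected = self._fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(rec["fp"], expected):
            return None, None
        # Renew: issue a fresh ID but keep the original creation time so the
        # absolute lifetime is not extended by renewal.
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return rec["user"], new_sid

    def destroy(self, sid: str) -> None:
        """Explicit logout."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("john", "Mozilla/5.0", "203.0.113.5")   # constructed client
    print("issued:", sid)
    print("same client:", store.validate(sid, "Mozilla/5.0", "203.0.113.5"))
    print("old id reused:", store.validate(sid, "Mozilla/5.0", "203.0.113.5"))
```

In a real deployment the ID travels in a cookie sent only over TLS, and the store would live in a shared backend rather than a process-local dictionary; the point of the snippet is the validation path, where the old ID dies on every request and any lifetime or client-binding failure destroys the session rather than merely rejecting the request.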