


Hacking Web Applications Using Cookie Poisoning

Short Description:

2002 Sanctum, Inc. www.SanctumInc.com 1 Hacking Web Applications Using Cookie Poisoning Amit Klein (amit ... What happens in a multi-server site if a client accesses a first server (and establishes a session ...



Content Inside:

2002 Sanctum, Inc. www.SanctumInc.com

Hacking Web Applications Using Cookie Poisoning

Amit Klein (amit.klein@sanctuminc.com) is security group manager for Sanctum, Inc.

Summary

Cookie poisoning is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies, which maintain the identity of the client. By forging these cookies, an attacker can impersonate a valid client, and thus gain information and perform actions on behalf of the victim. The ability to forge such session cookies (or more generally, session tokens) stems from the fact that the tokens are not generated in a secure way.

In this paper, we explain why session management (and session management security) is a complex task (which is why it is usually left for commercial products). We describe how the tokens are generated for two commercial application engines. We then analyze the strength of each mechanism, explain its weakness, and demonstrate how such weakness can be exploited to execute an impersonation/privacy breach attack. We discuss the feasibility of the attack. Finally, we recommend an approach to session management which separates the security from the functionality: the latter is carried out by application engines, while the former should be provided by a dedicated application security product.

The Sisyphean in-house session maintenance

In web application programming, session management is complex and awkward. The programmer needs to worry about many aspects of session management which can distract him/her from the main goal: implementing the business logic that makes the site unique and profitable. Specific issues are:

• Session creation and identification - how to ensure that when a new session is needed, it is indeed created? The programmer must identify that a client has a need for a session, create the session and assign the client a session.
• Concurrency issues - when two ...

Source: www.cgisecurity.com



 

Related Files

Vlandriks Ultimate Guide - Hacking Source Forum

Filed under: Hacking and Server Hacking
Sideshow ( Log Out ) Options Aug 13 2006, 08:54 PM My Controls · View New Posts · My Assistant Hacking Source Forum » World of Warcraft » World of Warcraft Server Emulation Vlandriks Ultimate Guide ...

Hacking Techniques

Filed under: Hacking and Server Hacking
Hacking Techniques. Network based System Hacking. Web Server Hacking. Physically enter the Target Building. WLAN (Wireless LAN) Hacking ...

Web Hacking

Filed under: Hacking and Server Hacking
This lab's focus will be web server hacking. Web server hacking refers to attackers taking advantage of vulnerabilities inherent to the web server ...

Hacking SQL Server

Filed under: Hacking and Server Hacking
Hacking / Hacking Exposed Windows Server 2003: Windows Security Secrets & Solutions / Scambray ...... some of the tools of the trade in SQL Server hacking. ...

Real Time Hacking : ISA Server

Filed under: Hacking and Server Hacking
This case study is entirely based on my hacking experiences with Microsoft ISA Servers. It gives you people with the way to get related to the ISA server ...