[Owasp-appsensor-project] Question about SE4: Substituting Another User's Valid Session ID or Cookie

Ryan Barnett ryan.barnett at owasp.org
Tue Aug 30 18:03:38 EDT 2011


This email is more about implementation of Detection Points as I am in the
process of implementing AppSensor Detection Points in the OWASP ModSecurity
CRS.

I am currently looking at the Session Exception category and have a question
about SE4 -
https://www.owasp.org/index.php/AppSensor_DetectionPoints#SE4:_Substituting_Another_User.27s_Valid_Session_ID_or_Cookie

SE4, SE5 and SE6 all seem to be related to Session Hijacking where an
attacker is able to somehow obtain an authenticated user's SessionID and
they then simultaneously log into the application.  At this point, Detection
Points SE5 and SE6 would most likely trigger as the Source IP/Range and the
User-Agent string values would most likely change.  Without correlating
SE5/SE6, how would you suggest SE4 be detected?  How would you know that the
SessionID/Cookie data is not correct for that user?  In ModSecurity CRS, we
use the SessionID as the key for persistent storage of data.  The Session
Hijacking rules grab the User-Agent and IP block hashes and save them in the
Session collection.  If there is ever a mismatch, the alerts for SE5 and
SE6 are triggered.

I am not sure how to trigger SE4 on its own.

Suggestions welcome.

-Ryan
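The Session-collection check described above (User-Agent and IP-block hashes bound to a SessionID, mismatch raising SE5/SE6), as an added Python example that is not part of the original post or of the ModSecurity CRS rules. The /24 block size, the SHA-256 digest, and the `client_ip session_id "user_agent"` log format are assumptions of this example; the log lines are constructed.

```python
import hashlib
import ipaddress


class SessionCollection:
    """Per-SessionID store, standing in for the CRS persistent Session collection."""

    def __init__(self) -> None:
        self._bindings: dict[str, dict[str, str]] = {}

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    @staticmethod
    def _ip_block(ip: str) -> str:
        # Compare /24 blocks rather than full addresses so address churn inside
        # one block does not raise SE5 (assumed block size; CRS uses its own).
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def check(self, session_id: str, client_ip: str, user_agent: str) -> list[str]:
        """Return detection points triggered: SE5 (IP block changed), SE6 (User-Agent changed)."""
        ip_hash = self._digest(self._ip_block(client_ip))
        ua_hash = self._digest(user_agent)
        bound = self._bindings.get(session_id)
        if bound is None:
            # First sighting of this SessionID: record the hashes, nothing to compare yet.
            self._bindings[session_id] = {"ip": ip_hash, "ua": ua_hash}
            return []
        alerts = []
        if bound["ip"] != ip_hash:
            alerts.append("SE5")
        if bound["ua"] != ua_hash:
            alerts.append("SE6")
        return alerts


def run_detection(log_lines: list[str]) -> list[list[str]]:
    """Replay constructed 'client_ip session_id "user_agent"' lines through a fresh collection."""
    store = SessionCollection()
    results = []
    for line in log_lines:
        client_ip, session_id, quoted_ua = line.split(" ", 2)
        results.append(store.check(session_id, client_ip, quoted_ua.strip('"')))
    return results


# Constructed sample traffic (not from any real log): one session seen from two
# addresses in the same /24, then from a different block with a different browser.
SAMPLE_LOG = [
    '203.0.113.10 sid-a1b2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"',
    '203.0.113.57 sid-a1b2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"',
    '198.51.100.8 sid-a1b2 "Mozilla/5.0 (Windows NT 6.1) Chrome/13.0"',
    '198.51.100.8 sid-c3d4 "curl/7.21.0"',
]

if __name__ == "__main__":
    for line, alerts in zip(SAMPLE_LOG, run_detection(SAMPLE_LOG)):
        print(f"{alerts or ['-']}  {line}")
```

Only the third line fires (SE5 and SE6 together); a request carrying another user's SessionID from the same block and browser binding produces no alert, which is the SE4 gap the question raises.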

