[Esapi-user] SideJacking Question

Chris Schmidt chris.schmidt at owasp.org
Wed May 25 12:09:47 EDT 2011


Additionally, as a best practice - you can easily ensure that 
authenticated Ajax requests (and non-Ajax for that matter) remain secure 
requests by using relative URLs. As long as your server is ensuring that 
any authenticated request is made over SSL (your method referenced 
below) then you are good to go.

On 5/25/2011 10:06 AM, Jim Manico wrote:
> I recommend keeping your session ID in cookies that are both HTTPOnly (no JavaScript access) and SECURE (HTTPS) cookies. Also, you should leverage your platform's session management mechanism and try to avoid writing your own session management mechanism if you can.
>
> An AJAX request is no different than other requests. Just make sure sensitive data is part of an SSL POST payload instead of in GET parameters.
>
> :)
>
> Jim Manico
>
> On May 25, 2011, at 5:47 PM, "Lukas, Ray"<Ray.Lukas at supermedia.com>  wrote:
>
>> I am new, very new, so...
>> Sidejacking, roughly defined as stealing someone's authenticated session object, thereby stealing their identity.
>> The solution is to never send the session through anything that is not an SSL channel. In ESAPI, if I have this right, you say ESAPI.httpUtilities().assertSecureChannel();
>> Now (at last) The Question:
>> Sessions can also be transmitted by Ajax requests, right, so... Does this help me with that as well..?
>>
>> Thanks guys.. I am still reading and learning.. but you got my attention at least..
>>
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
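As an added example (not code from the thread, and not ESAPI's own implementation), here is a small Python model of the three points made above: a session cookie set with both Secure and HttpOnly, a server-side secure-channel check in the spirit of assertSecureChannel() that applies to Ajax and non-Ajax requests alike, and relative URLs keeping an Ajax call on the scheme of the page that issued it. The Request class, the JSESSIONID name and the handle() dispatcher are constructed stand-ins.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urljoin

SESSION_COOKIE = "JSESSIONID"  # assumed session cookie name (servlet default)


@dataclass
class Request:
    """Constructed stand-in for an HttpServletRequest: just what we need."""
    scheme: str                     # "https" or "http"
    path: str
    cookies: dict = field(default_factory=dict)


class InsecureChannelError(Exception):
    """Raised when a request carrying a session arrives over plaintext HTTP."""


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session ID with both flags set:
    HttpOnly keeps page script from reading it, Secure keeps the browser
    from ever sending it over http:// (the sidejacking channel)."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["path"] = "/"
    return c[SESSION_COOKIE].OutputString()


def assert_secure_channel(req: Request) -> None:
    """Server-side check modelled on assertSecureChannel(): a request that
    presents a session cookie must be on TLS, whether it is Ajax or not."""
    if SESSION_COOKIE in req.cookies and req.scheme != "https":
        raise InsecureChannelError(f"{req.path}: session sent over {req.scheme}")


def ajax_target(page_url: str, relative_url: str) -> str:
    """URL an XHR would hit: a relative URL inherits the page's scheme,
    so a page served over https keeps its Ajax calls on https."""
    return urljoin(page_url, relative_url)


def handle(req: Request) -> tuple:
    """Constructed dispatcher: refuse insecure authenticated requests."""
    try:
        assert_secure_channel(req)
    except InsecureChannelError:
        return 403, "authenticated requests must use https"
    return 200, "ok"
```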


