[Owasp-delhi] Clarifications

Suman Sourav suman.sourav at sellasynergy.com
Tue Dec 8 06:44:23 EST 2009


Hi Bhupendra,

If application is vulnerable to session fixation then exploitation is possible in your given scenario; though it is tough but it's possible. Please visit http://www.owasp.org/index.php/Session_Fixation for more details about this vulnerability and protection against it. Check first whether your application is vulnerable or not.

Regards

Suman
Senior Associate-Application Security
________________________________
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Kumar, Bhupendra.
Sent: Tuesday, December 08, 2009 4:39 PM
To: 'owasp-delhi at lists.owasp.org'
Subject: [Owasp-delhi] Clarifications


Hi All,

Can any one plz explain the threats present in a specific scenario as explained below:

User has logged-on in certain ERP application to carry out some transactions. ERP application has been configured for Automatic logoff after prolong idle time of 2 hrs. However desktop is set to get locked after idle time of 5 minutes.
After idle time of 5 minutes when desktop is locked, Can anyone from remote misuse/hacked the logged ERP application / session and carry out unauthorised activities.  If Yes, How ? and What are ways to protect from such a scenario.

Thanks all your support and coordination.

Warm Regards,

Bhupendra Kumar
 Tel.: +91-124-2349456



This Message was sent from Indian Oil Messaging Gateway, New Delhi, India. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.



Le e-mail provenienti dalla Sella Synergy India Private Ltd sono trasmesse in buona fede e non comportano alcun vincolo ne' creano obblighi per la Sella Synergy India Private Ltd  stessa, salvo che cio' non sia espressamente previsto da un precedente accordo.
Questa e-mail e' confidenziale. Qualora l'avesse ricevuta per errore, La preghiamo di comunicarne via e-mail la ricezione al mittente e di distruggerne il contenuto. La informiamo inoltre che l'utilizzo non autorizzato del messaggio o dei suoi allegati potrebbe costituire reato.
Grazie per la collaborazione.

E-mails from Sella Synergy India Private Ltd are sent in good faith but they are neither binding on the Sella Synergy India Private Ltd nor to be understood as creating any obligation on its part except where provided for an agreement. This e-mail is confidential. If you have received it by mistake, please inform the sender by reply e-mail and delete it from your system. Please also note that the unauthorized disclosure or use of the message or any attachments could be an offence.
Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20091208/29a99861/attachment-0001.html 


More information about the Owasp-delhi mailing list