[Owasp-delhi] Clarifications

sushil nehra sushil.nehra at gmail.com
Wed Dec 9 13:14:17 EST 2009


I agree with Suman. Session fixation seems to be quite difficult but for an
experienced hacker it is quite easy to demonstrate.

For hijacking any application information about the Session ID of the
present session is required and during the hijacking process and
exploitation it is assumed the victims session remains valid.

Three steps are involved:
Step 1: Prospective Victim login in the application say ERP

Just as simple that victim use any type of Authentication mechanism say
password or digital certificate or real time token. Once the user login is
successful then this information about the valid session is stored in the

Step 2: Attacker gets the valid SessionID
If the attacker by any means get the (say 40 byte) of session ID; he can do
this by sniffing if victim and attacker are on same network. If they are in
different places in internet then other vulnerabilities like XSS or others
are required.

Step 3: Attacker uses the stolen SessionID.
Attacker tries to access the page that can be accessed only after login. But
during this process the replaces his own session ID with the Stolen
SessionID. This way he is granted access in the Application and can make any

For mitigation
One of many of the mechanisms can be used:
1. Every pages visited after login on server throws a random token( random
number) embeded in the page. And the next request from client/browser should
contain that random number along with session ID else the application logoff
the user.
(This is done during the development of application)

2. Use https with valid certificate, with the application so that sniffing
and man in the middle to dont get the sessionID.
(Webserver - to avoid stealing of sessionID)

3. Application should be free from XSS and related vulnerabilities.
( Application -to avoid stealing of sessionID)

4. Assuming that passwords are sent in encrypted format with challenge
( application)

5. Even if the attacker gets the sessionID he will not be use it if random
tokens are used in designing the application (see point 1 above)

Note: The Screen Saver does not protect the valid session from hijacking as
the attacker is not going to use your PC for attack. He only need sometime
to hijack and wants a fair amount of time to do his tricks. So always logoff
the critical application like financial ones once u use it and do not open
another mail or non trusted site in other browser tab.

Best practice: Use one type of browser (eg firefox) for financial appliation
like banking etc and never use it for other surfing and use other browser(
say IE) for general surfing.


Sushil Kumar Nehra
98710 62353

"When the wind of change blows, some people build walls and  few build
Windmills - Attitude matters .. always"

On Tue, Dec 8, 2009 at 5:14 PM, Suman Sourav
<suman.sourav at sellasynergy.com>wrote:

>  Hi Bhupendra,
> If application is vulnerable to session fixation then exploitation is
> possible in your given scenario; though it is tough but it’s possible.
> Please visit http://www.owasp.org/index.php/Session_Fixation for more
> details about this vulnerability and protection against it. Check first
> whether your application is vulnerable or not.
> Regards
> * *
> *Suman *
> *Senior Associate-Application Security*
>   ------------------------------
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Kumar, Bhupendra.
> *Sent:* Tuesday, December 08, 2009 4:39 PM
> *To:* 'owasp-delhi at lists.owasp.org'
> *Subject:* [Owasp-delhi] Clarifications
> Hi All,
> Can any one plz explain the threats present in a specific scenario as
> explained below:
> User has logged-on in certain ERP application to carry out some
> transactions. ERP application has been configured for Automatic logoff after
> prolong idle time of 2 hrs. However desktop is set to get locked after idle
> time of 5 minutes.
> After idle time of 5 minutes when desktop is locked, Can anyone from remote
> misuse/hacked the logged ERP application / session and carry out
> unauthorised activities.  If Yes, How ? and What are ways to protect from
> such a scenario.
> Thanks all your support and coordination.
> Warm Regards,
> Bhupendra Kumar
>  Tel.: +91-124-2349456
> This Message was sent from Indian Oil Messaging Gateway, New Delhi, India. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
> Le e-mail provenienti dalla * Sella Synergy India Private Ltd * sono
> trasmesse in buona fede e non comportano alcun vincolo ne' creano obblighi
> per la * Sella Synergy India Private Ltd * stessa, salvo che cio' non sia
> espressamente previsto da un precedente accordo.
> Questa e-mail e' confidenziale. Qualora l'avesse ricevuta per errore, La
> preghiamo di comunicarne via e-mail la ricezione al mittente e di
> distruggerne il contenuto. La informiamo inoltre che l'utilizzo non
> autorizzato del messaggio o dei suoi allegati potrebbe costituire reato.
> Grazie per la collaborazione.
> E-mails from* Sella Synergy India Ltd Private * are sent in good faith but
> they are neither binding on the * Sella Synergy India Private Ltd * nor to
> be understood as creating any obligation on its part except where provided
> for an agreement.
> This e-mail is confidential. If you have received it by mistake, please
> inform the sender by reply e-mail and delete it from your system. Please
> also note that the unauthorized disclosure or use of the message or any
> attachments could be an offence.
> Thank you for your cooperation.
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20091209/594dca42/attachment.html 

More information about the Owasp-delhi mailing list