[OWASP-Delhi] OWASP-Delhi Digest, - How can we mitigate session hijacking if the application is on HTTP and MITM is there

reuben kurien reubengkurien at gmail.com
Tue Jul 7 15:59:15 UTC 2015


Hi Amit,

Just a suggestion. Would it be possible to restrict the use of concurrent
sessions in your instance? Implementing such checks may help prevent
multiple application connections purportedly originating from the same
user identity.

Regards,
Reuben
Hi Friends,

How can we mitigate/stop session hijacking if the application is on HTTP
and MITM is already there?

Regards
Amit Saini
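Reuben's suggestion above, a server-side cap on concurrent sessions per user, worked through as an added example (this is not code from the thread or from any OWASP project). It uses a purely in-memory store with illustrative names, and it goes one step beyond the suggestion: the session token is rotated on every request, so a captured copy replayed later hits a retired token and the whole session is revoked. The honest caveat for Amit's situation: over plaintext HTTP with an active MITM the attacker also sees every rotated token in real time, so these controls can only detect a replayed copy or shorten its useful life; nothing on the server replaces TLS.

```python
"""Server-side session control: cap concurrent sessions per user and rotate the
session token on every request so a replayed copy is detected.
Added example, not code from the OWASP-Delhi thread; store and names are
illustrative and in-memory only."""
import secrets
import time
from collections import defaultdict


class SessionStore:
    def __init__(self, max_concurrent=1, idle_timeout=900):
        self.max_concurrent = max_concurrent
        self.idle_timeout = idle_timeout          # seconds
        self._live = {}                           # current token -> session
        self._retired = {}                        # superseded token -> session
        self._by_user = defaultdict(list)         # user -> active sessions, oldest first
        self.events = []                          # audit trail: (event, user, session id)

    def _revoke(self, sess, reason):
        sess["revoked"] = True
        self._live.pop(sess["token"], None)
        self._by_user[sess["user"]].remove(sess)
        self.events.append((reason, sess["user"], sess["id"]))

    def login(self, user, now=None):
        """Create a session; evict the oldest ones beyond the concurrent cap."""
        now = time.time() if now is None else now
        active = self._by_user[user]
        while len(active) >= self.max_concurrent:
            self._revoke(active[0], "evicted:concurrent-limit")
        sess = {"id": secrets.token_hex(8), "user": user,
                "token": secrets.token_urlsafe(32), "last_seen": now, "revoked": False}
        self._live[sess["token"]] = sess
        active.append(sess)
        self.events.append(("login", user, sess["id"]))
        return sess["token"]

    def authenticate(self, token, now=None):
        """Validate a presented token; return (user, next_token) or None.
        A token that was already rotated away being presented again means two
        parties hold the same session, so the whole session is revoked."""
        now = time.time() if now is None else now
        old = self._retired.get(token)
        if old is not None:
            if not old["revoked"]:
                self._revoke(old, "revoked:token-reuse")
            return None
        sess = self._live.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            self._revoke(sess, "revoked:idle-timeout")
            return None
        self._retired[token] = sess               # rotate: retire the presented token
        del self._live[token]
        sess["token"] = secrets.token_urlsafe(32)
        sess["last_seen"] = now
        self._live[sess["token"]] = sess
        return sess["user"], sess["token"]


def hijack_scenario():
    """Constructed walk-through: a MITM copies the victim's cookie off the
    wire and replays it after the victim has made one more request."""
    store = SessionStore(max_concurrent=1)
    t = 1_000_000.0
    tok = store.login("amit", now=t)
    captured = tok                                 # sniffed from plaintext HTTP
    _, tok = store.authenticate(tok, now=t + 1)    # victim's next request rotates it
    replay_accepted = store.authenticate(captured, now=t + 2) is not None
    victim_after = store.authenticate(tok, now=t + 3)   # None: session was killed
    first = store.login("amit", now=t + 10)        # victim logs in again ...
    store.login("amit", now=t + 11)                # ... and once more elsewhere
    first_still_valid = store.authenticate(first, now=t + 12) is not None
    return {"replay_accepted": replay_accepted,
            "victim_after_replay": victim_after,
            "first_login_still_valid": first_still_valid,
            "events": [e[0] for e in store.events]}
```

Two things a production version would need that this sketch leaves out: retired tokens should expire together with their session instead of accumulating, and legitimate clients that fire parallel requests (two tabs, a page plus its XHRs) will present the same token twice, so real deployments allow a short grace window before treating a second presentation as reuse.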




On Mon, Jul 6, 2015 at 5:30 PM, <owasp-delhi-request at lists.owasp.org> wrote:

> Send OWASP-Delhi mailing list submissions to
>         owasp-delhi at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.owasp.org/mailman/listinfo/owasp-delhi
> or, via email, send a message with subject or body 'help' to
>         owasp-delhi-request at lists.owasp.org
>
> You can reach the person managing the list at
>         owasp-delhi-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OWASP-Delhi digest..."
>
>
> Today's Topics:
>
>    1. Re: How to implement ASLR & DEP in C# thick client
>       applications? (Dhruv Soi)
>    2. Re: How to implement ASLR & DEP in C# thick client
>       applications? (sanjay kumar)
>    3. Re: How to implement ASLR & DEP in C# thick client
>       applications? (Dhruv Soi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 5 Jul 2015 16:00:02 +0400
> From: Dhruv Soi <dhruv.soi at owasp.org>
> To: sanjay kumar <sanjay1519841 at gmail.com>
> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
> Message-ID:
>         <CA+Rr0=6x1t9BXZmVCM1842ORwAt0ebxKpOg2XhE3UajC2P1EBg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
>
> http://www.lmgtfy.com/?q=aslr+c%23
>
> On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com>
> wrote:
> > Hi,
> >
> > Does anyone know how to implement ASLR (Address Space Layout
> > Randomization) and DEP (Data Execution Prevention) in a thick client
> > application based on C#?
> >
> > If it cannot be implemented, then what is the risk in applications
> > developed in C#?
> >
> > Regards,
> >
> > Sanjay Kumar
> >
> >
> >
> > _______________________________________________
> > OWASP-Delhi mailing list
> > OWASP-Delhi at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
> > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> > Twitter: https://twitter.com/OWASPdelhi
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 6 Jul 2015 12:05:41 +0530
> From: sanjay kumar <sanjay1519841 at gmail.com>
> To: Dhruv Soi <dhruv.soi at owasp.org>
> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
> Message-ID:
>         <CAPHKmPMkf51EEqDY8KOjHn70AdPjcdQa=7HT3A5Qp8TxB_qZHg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Dhruv,
>
> But the question is for C#; I didn't find any such specific result for that.
>
> On Sunday, July 5, 2015, Dhruv Soi <dhruv.soi at owasp.org> wrote:
>
> > http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
> >
> > http://www.lmgtfy.com/?q=aslr+c%23
> >
> > On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com> wrote:
> > > Hi,
> > >
> > > Does anyone know how to implement ASLR (Address Space Layout
> > > Randomization) and DEP (Data Execution Prevention) in a thick client
> > > application based on C#?
> > >
> > > If it cannot be implemented, then what is the risk in applications
> > > developed in C#?
> > >
> > > Regards,
> > >
> > > Sanjay Kumar
> > >
> > >
> > >
> > > _______________________________________________
> > > OWASP-Delhi mailing list
> > > OWASP-Delhi at lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-delhi
> > > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> > > Twitter: https://twitter.com/OWASPdelhi
> >
>
> ------------------------------
>
> Message: 3
> Date: Mon, 6 Jul 2015 12:04:03 +0400
> From: Dhruv Soi <dhruv.soi at owasp.org>
> To: sanjay kumar <sanjay1519841 at gmail.com>
> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
> Message-ID:
>         <CA+Rr0=67-k-=oARQEO67OAG-Ekz0aFe6rOS9gcUrOFYkobrGyw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hope these help.
>
>
> https://msdn.microsoft.com/en-us/library/microsoft.visualstudio.vcprojectengine.vclinkertool.randomizedbaseaddress.aspx
> https://msdn.microsoft.com/en-us/library/bb384887.aspx
> https://msdn.microsoft.com/en-us/library/dn195771.aspx
> https://msdn.microsoft.com/en-us/library/hh156527.aspx
>
> On Mon, Jul 6, 2015 at 10:35 AM, sanjay kumar <sanjay1519841 at gmail.com>
> wrote:
> > Thanks Dhruv,
> >
> > But the question is for C#; I didn't find any such specific result for that.
> >
> >
> > On Sunday, July 5, 2015, Dhruv Soi <dhruv.soi at owasp.org> wrote:
> >>
> >> http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
> >>
> >> http://www.lmgtfy.com/?q=aslr+c%23
> >>
> >> On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com>
> >> wrote:
> >> > Hi,
> >> >
> >> > Does anyone know how to implement ASLR (Address Space Layout
> >> > Randomization) and DEP (Data Execution Prevention) in a thick client
> >> > application based on C#?
> >> >
> >> > If it cannot be implemented, then what is the risk in applications
> >> > developed in C#?
> >> >
> >> > Regards,
> >> >
> >> > Sanjay Kumar
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > OWASP-Delhi mailing list
> >> > OWASP-Delhi at lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
> >> > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> >> > Twitter: https://twitter.com/OWASPdelhi
>
>
> ------------------------------
>
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
> End of OWASP-Delhi Digest, Vol 84, Issue 5
> ******************************************
>
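On the ASLR/DEP question in the quoted digest: the switches behind the MSDN links Dhruv posted (the linker's /DYNAMICBASE and /NXCOMPAT, or editbin applied to an existing binary) are recorded as bits in the PE optional header's DllCharacteristics field, so whether a built C# .exe or .dll actually opted in can be verified from the file itself rather than assumed from compiler defaults. The following is an added example, not code from the thread or from Microsoft: pe_mitigations() is the header parser, build_stub_pe() constructs a header-only fake image (labelled as such, not loadable) so the parser can be exercised offline, and report() runs it over a real file. The opt-in is per image, so the same check applies to every native DLL the thick client loads through P/Invoke or mixed-mode code, not only the managed assembly.

```python
"""Check whether a PE image (e.g. a C# .exe or .dll) opted in to ASLR
(/DYNAMICBASE) and DEP (/NXCOMPAT) by reading DllCharacteristics.
Added example, not code from the OWASP-Delhi thread. Flag names and offsets
follow the PE/COFF specification; build_stub_pe() is a constructed,
header-only fake image used only to exercise the parser offline."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR opt-in (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # ASLR opt-in         (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP opt-in          (/NXCOMPAT)

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report the mitigation bits."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    pe32plus = magic == PE32PLUS_MAGIC
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        # high-entropy ASLR is only meaningful for 64-bit images
        "high_entropy_va": pe32plus and bool(dllchar & HIGH_ENTROPY_VA),
        "dll_characteristics": dllchar,
    }


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image (not loadable) carrying the given flags."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)   # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> dict:
    """Read a real file and return its mitigation flags."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read(0x1000))   # headers normally sit in the first 4 KiB


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        r = pe_mitigations(build_stub_pe(DYNAMIC_BASE | NX_COMPAT))
        print("constructed stub: ASLR=%s DEP=%s" % (r["aslr"], r["dep"]))
    for p in paths:
        r = report(p)
        print("%s: ASLR=%s DEP=%s HighEntropyVA=%s (DllCharacteristics=0x%04x)" % (
            p, r["aslr"], r["dep"], r["high_entropy_va"], r["dll_characteristics"]))
```

Run it as `python pe_flags.py MyApp.exe SomeNative.dll` to list each image's flags; a missing ASLR bit on any module in the process is the thing to fix, since one non-randomized image gives an exploit a fixed address to work from.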


_______________________________________________
OWASP-Delhi mailing list
OWASP-Delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
LinkedIn Group: https://www.linkedin.com/groups?gid=89270
Twitter: https://twitter.com/OWASPdelhi