[OWASP-Delhi] OWASP-Delhi Digest, - How can we mitigate session hijacking if the application is on HTTP and MITM is there

Amit Saini call4amit at gmail.com
Tue Jul 7 16:26:44 UTC 2015


Thanks Reuben for the reply.

The application allows multiple concurrent sessions.....Bad luck though :(

I tried hard but I found that it's almost impossible to mitigate session
hijacking if MITM is done.

Thanks again...

Regards
Amit Saini




On Tue, Jul 7, 2015 at 9:29 PM, reuben kurien <reubengkurien at gmail.com>
wrote:

> Hi Amit,
>
> Just a suggestion. Would it be possible to restrict the use of concurrent
> sessions in your instance? Implementing such checks may help prevent
> multiple application connections purportedly originating from the same
> user identity.
>
> Regards,
> Reuben
> Hi Friends,
>
> How can we mitigate/stop session hijacking if the application is on HTTP
> and MITM is already there?
>
> Regards
> Amit Saini
>
>
>
>
> On Mon, Jul 6, 2015 at 5:30 PM, <owasp-delhi-request at lists.owasp.org>
> wrote:
>
>> Send OWASP-Delhi mailing list submissions to
>>         owasp-delhi at lists.owasp.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> or, via email, send a message with subject or body 'help' to
>>         owasp-delhi-request at lists.owasp.org
>>
>> You can reach the person managing the list at
>>         owasp-delhi-owner at lists.owasp.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of OWASP-Delhi digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: How to implement ASLR & DEP in C# thick client
>>       applications? (Dhruv Soi)
>>    2. Re: How to implement ASLR & DEP in C# thick client
>>       applications? (sanjay kumar)
>>    3. Re: How to implement ASLR & DEP in C# thick client
>>       applications? (Dhruv Soi)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 5 Jul 2015 16:00:02 +0400
>> From: Dhruv Soi <dhruv.soi at owasp.org>
>> To: sanjay kumar <sanjay1519841 at gmail.com>
>> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
>> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick
>>         client  applications?
>> Message-ID:
>>         <CA+Rr0=
>> 6x1t9BXZmVCM1842ORwAt0ebxKpOg2XhE3UajC2P1EBg at mail.gmail.com>
>> Content-Type: text/plain; charset=UTF-8
>>
>> http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
>>
>> http://www.lmgtfy.com/?q=aslr+c%23
>>
>> On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com>
>> wrote:
>> > Hi,
>> >
>> > Does anyone know how to implement ASLR (Address Space Layout
>> > Randomization) and DEP (Data Execution Prevention) in a thick client
>> > application based on C#?
>> >
>> > If it cannot be implemented, then what is the risk in applications
>> > which are developed in C#?
>> >
>> > Regards,
>> >
>> > Sanjay Kumar
>> >
>> >
>> >
>> > _______________________________________________
>> > OWASP-Delhi mailing list
>> > OWASP-Delhi at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
>> > Twitter: https://twitter.com/OWASPdelhi
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 6 Jul 2015 12:05:41 +0530
>> From: sanjay kumar <sanjay1519841 at gmail.com>
>> To: Dhruv Soi <dhruv.soi at owasp.org>
>> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
>> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick
>>         client  applications?
>> Message-ID:
>>         <CAPHKmPMkf51EEqDY8KOjHn70AdPjcdQa=
>> 7HT3A5Qp8TxB_qZHg at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Thanks Dhruv,
>>
>> But the question is for C#; I didn't find such a specific result for that.
>>
>> On Sunday, July 5, 2015, Dhruv Soi <dhruv.soi at owasp.org> wrote:
>>
>> > http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
>> >
>> > http://www.lmgtfy.com/?q=aslr+c%23
>> >
>> > On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com>
>> > wrote:
>> > > Hi,
>> > >
>> > > Does anyone know how to implement ASLR (Address Space Layout
>> > > Randomization) and DEP (Data Execution Prevention) in a thick client
>> > > application based on C#?
>> > >
>> > > If it cannot be implemented, then what is the risk in applications
>> > > which are developed in C#?
>> > >
>> > > Regards,
>> > >
>> > > Sanjay Kumar
>> > >
>> > >
>> > >
>> >
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 6 Jul 2015 12:04:03 +0400
>> From: Dhruv Soi <dhruv.soi at owasp.org>
>> To: sanjay kumar <sanjay1519841 at gmail.com>
>> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
>> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick
>>         client  applications?
>> Message-ID:
>>         <CA+Rr0=67-k-=
>> oARQEO67OAG-Ekz0aFe6rOS9gcUrOFYkobrGyw at mail.gmail.com>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hope these help.
>>
>>
>> https://msdn.microsoft.com/en-us/library/microsoft.visualstudio.vcprojectengine.vclinkertool.randomizedbaseaddress.aspx
>> https://msdn.microsoft.com/en-us/library/bb384887.aspx
>> https://msdn.microsoft.com/en-us/library/dn195771.aspx
>> https://msdn.microsoft.com/en-us/library/hh156527.aspx
>>
>> On Mon, Jul 6, 2015 at 10:35 AM, sanjay kumar <sanjay1519841 at gmail.com>
>> wrote:
>> > Thanks Dhruv,
>> >
>> > But the question is for C#; I didn't find such a specific result for that.
>> >
>> >
>> > On Sunday, July 5, 2015, Dhruv Soi <dhruv.soi at owasp.org> wrote:
>> >>
>> >> http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
>> >>
>> >> http://www.lmgtfy.com/?q=aslr+c%23
>> >>
>> >> On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com
>> >
>> >> wrote:
>> >> > Hi,
>> >> >
>> >> > Does anyone know how to implement ASLR (Address Space Layout
>> >> > Randomization) and DEP (Data Execution Prevention) in a thick client
>> >> > application based on C#?
>> >> >
>> >> > If it cannot be implemented, then what is the risk in applications
>> >> > which are developed in C#?
>> >> >
>> >> > Regards,
>> >> >
>> >> > Sanjay Kumar
>> >> >
>> >> >
>> >> >
>>
>>
>> ------------------------------
>>
>>
>>
>> End of OWASP-Delhi Digest, Vol 84, Issue 5
>> ******************************************
>>
>
>
>
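As an added example, not code from this thread or from OWASP: a server-side session store that implements the concurrent-session restriction Reuben suggests (a new login for a user revokes the session that user already holds) and additionally binds each session to the client attributes observed at login, revoking and recording an event when the same token shows up with different attributes. The names (SessionStore, fingerprint, the event labels) and the fake clock are assumptions for illustration. The caveat that matches Amit's conclusion: anyone who can read plaintext HTTP can also copy the User-Agent and, if inline, originate requests on the same path, so this is containment and detection (a second session is noticed and cut), not a fix; only moving the application to HTTPS removes the token from the wire.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str   # digest of the client attributes bound at login
    last_seen: float   # timestamp of the last accepted request


class SessionStore:
    """Server-side session store allowing one active session per user.

    Assumed design for illustration, not from the thread:
    - login() issues a fresh random token and revokes any session the same
      user already holds, so two concurrent sessions cannot coexist;
    - validate() rejects unknown tokens, idle-expired tokens and tokens
      presented with a different client fingerprint; a mismatch revokes
      the session and is recorded as an event for detection.
    """

    def __init__(self, idle_timeout=900.0, clock=time.time):
        self._by_token = {}            # token -> Session
        self._by_user = {}             # user  -> current token
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable for tests
        self.events = []               # (event, user) audit trail

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Bind the session to attributes the server sees on every request.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def _revoke(self, token, reason):
        sess = self._by_token.pop(token, None)
        if sess is None:
            return
        if self._by_user.get(sess.user) == token:
            del self._by_user[sess.user]
        self.events.append((reason, sess.user))

    def login(self, user, client_ip, user_agent):
        # Single-session rule: whatever session exists for this user is dropped.
        old = self._by_user.get(user)
        if old is not None:
            self._revoke(old, "revoked_previous_session")
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self._by_token[token] = Session(
            user, self.fingerprint(client_ip, user_agent), self._clock())
        self._by_user[user] = token
        return token

    def validate(self, token, client_ip, user_agent):
        sess = self._by_token.get(token)
        if sess is None:
            return False
        now = self._clock()
        if now - sess.last_seen > self._idle_timeout:
            self._revoke(token, "idle_timeout")
            return False
        if sess.fingerprint != self.fingerprint(client_ip, user_agent):
            # Same token, different client: treat as a possible hijack.
            self._revoke(token, "fingerprint_mismatch")
            return False
        sess.last_seen = now
        return True

    def active_sessions(self, user):
        return 1 if user in self._by_user else 0


if __name__ == "__main__":
    # Constructed walk-through: a second login and a request from another
    # client both terminate the session and leave an event behind.
    store = SessionStore(idle_timeout=60.0)
    first = store.login("alice", "10.0.0.5", "Mozilla/5.0")
    second = store.login("alice", "10.0.0.5", "Mozilla/5.0")
    print("old token accepted:", store.validate(first, "10.0.0.5", "Mozilla/5.0"))
    print("other client accepted:", store.validate(second, "203.0.113.9", "Mozilla/5.0"))
    print("events:", store.events)
```

The events list is the part worth wiring into monitoring: a burst of fingerprint_mismatch or revoked_previous_session events for one account is the signal that a token is being used from more than one place.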
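For the ASLR/DEP question quoted in the digest, an added example that is not from the list or from Microsoft: a small checker that reads the DllCharacteristics field of a PE optional header, which is where the linker's /DYNAMICBASE (RandomizedBaseAddress) and /NXCOMPAT settings are recorded, so the mitigations on a built executable or assembly can be verified rather than assumed. The flag values are the documented PE/COFF constants; the function names are assumptions, and build_stub_pe constructs an in-memory header for testing only and is not a loadable binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit image may use the high-entropy ASLR range
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute data)


def dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 and PE32+ respectively
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    return struct.unpack_from("<H", data, opt + 70)[0]


def check_mitigations(data):
    """Map the relevant flag bits to the mitigation each one enables."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "dep": bool(flags & NX_COMPAT),
    }


def build_stub_pe(flags, pe32plus=False):
    """Constructed header-only PE for tests; it is not a loadable binary."""
    e_lfanew = 0x40
    opt_size = 112 if pe32plus else 96   # optional header, no data directories
    buf = bytearray(e_lfanew + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt + 70, flags)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py path\to\Client.exe
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_stub_pe(DYNAMIC_BASE | NX_COMPAT)   # constructed sample
    for name, enabled in check_mitigations(sample).items():
        print("%-16s %s" % (name, "enabled" if enabled else "MISSING"))
```

Run it against the compiled thick-client executable; a MISSING line for aslr or dep is the concrete finding to take back to the build settings, and high_entropy_va only applies to 64-bit images.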