[OWASP-Delhi] OWASP-Delhi Digest, - How can we mitigate session hijacking if the application is on HTTP and MITM is there

Vinil Menon vinilm at yahoo.com
Tue Jul 7 17:21:55 UTC 2015


You'd need to clarify a few things. With quite a few assumptions, here are a couple of options I can provide.
If you've development bandwidth available, start encrypting end to end (assuming SSL is not an option).
If as a user you are asking what can be done to mitigate such a threat, then the short answer is to set up a tunnel closer to the server, away from the MITM (assuming the MITM is not on the server) and then connect to the tunnel. The MITM will get encrypted content and won't know where the tunnel terminates. Alternatively, set up an instance on a public cloud and RDP/ssh into the instance and connect to the server from that instance.
Thanks,
Vinil
From: Amit Saini <call4amit at gmail.com>
To: reuben kurien <reubengkurien at gmail.com>
Cc: owasp-delhi at lists.owasp.org
Sent: Tuesday, July 7, 2015 9:56 PM
Subject: Re: [OWASP-Delhi] OWASP-Delhi Digest, - How can we mitigate session hijacking if the application is on HTTP and MITM is there

Thanks Reuben for the reply.
 
The application allows multiple concurrent sessions... Bad luck though :(

I tried hard, but I found that it's almost impossible to mitigate session hijacking if MITM is done.

Thanks again...

Regards
Amit Saini
On Tue, Jul 7, 2015 at 9:29 PM, reuben kurien <reubengkurien at gmail.com> wrote:

Hi Amit,

Just a suggestion. Would it be possible to restrict the use of concurrent sessions in your instance? Implementing such checks may help prevent multiple application connections purportedly originating from the same user identity.

Regards,
Reuben

Hi Friends,

How can we mitigate/stop session hijacking if the application is on HTTP and MITM is already there?

Regards
Amit Saini
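Reuben's suggestion of restricting concurrent sessions, worked through as an added example (this is not code from the thread or from any OWASP project): a small Python session store that caps the number of live sessions per identity, revokes the oldest one when a new sign-in arrives and records an audit event so the legitimate user notices the forced sign-out. It also shows the limit Amit ran into: a token copied off plain HTTP and presented unchanged is indistinguishable from the original, so the concurrency check only fires when a second sign-in happens. The class and function names are my own; the in-memory store stands in for whatever shared store a real deployment uses.

```python
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed in-memory store for illustration only. In production the
# session table and audit log live in a shared store (database, Redis)
# so that every application node enforces the same policy.


@dataclass
class Session:
    token: str
    user: str
    issued_at: float


@dataclass
class SessionStore:
    max_sessions: int = 1                                     # concurrency limit per identity
    sessions: dict = field(default_factory=dict)              # token -> Session
    by_user: dict = field(default_factory=lambda: defaultdict(list))  # user -> [tokens], oldest first
    audit: list = field(default_factory=list)                 # (event, user) tuples

    def login(self, user: str) -> str:
        """Issue a fresh, unguessable token and evict the oldest sessions so
        the identity never holds more than max_sessions at once."""
        tokens = self.by_user[user]
        while len(tokens) >= self.max_sessions:
            evicted = tokens.pop(0)
            self.sessions.pop(evicted, None)
            # Surfacing this event to the user ("you were signed out because
            # of a new sign-in elsewhere") is what makes the restriction useful.
            self.audit.append(("concurrent_session_revoked", user))
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, time.time())
        tokens.append(token)
        self.audit.append(("login", user))
        return token

    def validate(self, token: str):
        """Return the user bound to an active token, or None."""
        s = self.sessions.get(token)
        return s.user if s is not None else None

    def logout(self, token: str) -> None:
        s = self.sessions.pop(token, None)
        if s is not None:
            self.by_user[s.user].remove(token)
            self.audit.append(("logout", s.user))

    def active_sessions(self, user: str) -> int:
        return len(self.by_user[user])


def walkthrough() -> dict:
    """Exercise the policy and return the observations worth checking."""
    store = SessionStore(max_sessions=1)
    first = store.login("amit")
    # Over plain HTTP an intermediary sees this token; if it is presented
    # unchanged the server has no way to tell the copy from the original.
    replay_accepted = store.validate(first) == "amit"
    # A second sign-in by the same identity trips the concurrency limit:
    # the older session is revoked and an audit event is recorded.
    second = store.login("amit")
    return {
        "replay_accepted": replay_accepted,
        "first_still_valid": store.validate(first) is not None,
        "second_valid": store.validate(second) == "amit",
        "active": store.active_sessions("amit"),
        "revocations": store.audit.count(("concurrent_session_revoked", "amit")),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The policy here is "newest sign-in wins"; the alternative of refusing the new sign-in while one is active is a one-line change in `login`, and which one is right depends on whether the expected intruder is the second or the first party to connect.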




On Mon, Jul 6, 2015 at 5:30 PM, <owasp-delhi-request at lists.owasp.org> wrote:

Send OWASP-Delhi mailing list submissions to
        owasp-delhi at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.owasp.org/mailman/listinfo/owasp-delhi
or, via email, send a message with subject or body 'help' to
        owasp-delhi-request at lists.owasp.org

You can reach the person managing the list at
        owasp-delhi-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OWASP-Delhi digest..."


Today's Topics:

   1. Re: How to implement ASLR & DEP in C# thick client
      applications? (Dhruv Soi)
   2. Re: How to implement ASLR & DEP in C# thick client
      applications? (sanjay kumar)
   3. Re: How to implement ASLR & DEP in C# thick client
      applications? (Dhruv Soi)


----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Jul 2015 16:00:02 +0400
From: Dhruv Soi <dhruv.soi at owasp.org>
To: sanjay kumar <sanjay1519841 at gmail.com>
Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID:
        <CA+Rr0=6x1t9BXZmVCM1842ORwAt0ebxKpOg2XhE3UajC2P1EBg at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications

http://www.lmgtfy.com/?q=aslr+c%23

On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519841 at gmail.com> wrote:
> Hi,
>
> Does anyone know how to implement ASLR (Address Space Layout
> Randomization) and DEP (Data Execution Prevention) in a thick client application
> based on C#?
>
> If it cannot be implemented, then what is the risk in applications which
> are developed in C#?
>
> Regards,
>
> Sanjay Kumar
>
>
>
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> Twitter: https://twitter.com/OWASPdelhi


------------------------------

Message: 2
Date: Mon, 6 Jul 2015 12:05:41 +0530
From: sanjay kumar <sanjay1519841 at gmail.com>
To: Dhruv Soi <dhruv.soi at owasp.org>
Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID:
        <CAPHKmPMkf51EEqDY8KOjHn70AdPjcdQa=7HT3A5Qp8TxB_qZHg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thanks Dhruv,

But the question is for C#; I didn't find such a specific result for that.


------------------------------

Message: 3
Date: Mon, 6 Jul 2015 12:04:03 +0400
From: Dhruv Soi <dhruv.soi at owasp.org>
To: sanjay kumar <sanjay1519841 at gmail.com>
Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID:
        <CA+Rr0=67-k-=oARQEO67OAG-Ekz0aFe6rOS9gcUrOFYkobrGyw at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hope these help.

https://msdn.microsoft.com/en-us/library/microsoft.visualstudio.vcprojectengine.vclinkertool.randomizedbaseaddress.aspx
https://msdn.microsoft.com/en-us/library/bb384887.aspx
https://msdn.microsoft.com/en-us/library/dn195771.aspx
https://msdn.microsoft.com/en-us/library/hh156527.aspx

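The MSDN pages linked above describe the linker options that opt an image into ASLR (RandomizedBaseAddress, i.e. /DYNAMICBASE) and DEP (/NXCOMPAT). Whatever a C# build ended up with is recorded in the DllCharacteristics field of the executable's PE optional header, so a reviewer can check the binary itself rather than trust project settings. The following is an added example, not code from this thread or from Microsoft: a Python parser for that field, plus a constructed minimal header so the check can be exercised offline. The function names are mine; the flag values and offsets are those of the PE/COFF specification.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy (/HIGHENTROPYVA)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # ASLR (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP (/NXCOMPAT)

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def check_mitigations(data: bytes) -> dict:
    """Report which of the three mitigations the image opts into."""
    chars = dll_characteristics(data)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def check_file(path: str) -> dict:
    """Run the check against a binary on disk (e.g. a built C# .exe)."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Construct just enough of a PE header to exercise the checker.
    This is a synthetic test image, not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(check_mitigations(build_minimal_pe(0x0160)))   # all three set
    print(check_mitigations(build_minimal_pe(0x0000)))   # none set
```

Point `check_file` at a built assembly to see what the toolchain actually emitted; where a bit is missing, EDITBIN's /DYNAMICBASE, /NXCOMPAT and /HIGHENTROPYVA switches can set it on the finished image.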


------------------------------

_______________________________________________
OWASP-Delhi mailing list
OWASP-Delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi


End of OWASP-Delhi Digest, Vol 84, Issue 5
******************************************


