[Owasp-gibraltar] Owasp-gibraltar Digest, Vol 4, Issue 1

Piotr Tomaszewski piotr.tomaszewski at intelligentpayments.co.uk
Tue Aug 6 07:22:02 UTC 2013

Hi Daniele,

thanks for that. If you don't mind more details:
- we do use it to hold authenticated session
- SSL is in place
- it's an iframe, so I believe history does not track it, nor does the URL
ever appear in the address bar

After more considerations, we noticed that the problem might be the REFERER
header sent with every external link from the iframe. The links are
necessary to navigate to 3rd parties. So we decided to:
- add an extra redirection to strip the referer off; or
- use one-time-use tokens with every single request and a single entry
point where the session is initiated



On Mon, Aug 5, 2013 at 12:30 PM, Daniele Costa <daniele at iteam5.net> wrote:

> Hi Piotr,
> from a security point of view the problem of using session IDs in URLs is
> that these values are normally stored in the browser history, web server
> logs and intermediate proxies (when no HTTPS is in place).
> If the session IDs are used to identify users (e.g. to maintain an
> authenticated session) then using them as one of the URL parameters is not
> recommended.
> However if they do not include data to identify users and are just
> necessary to track the payment frame then I don't see a problem using them
> within a URL rather than a cookie.
> However you should thoroughly test the process generating the session ID
> values to ensure that it cannot be manipulated by malicious attackers.
> In regards to your other question about activities in summer...maybe we
> could organize a new meeting in September?
> Tanya is the best person to answer this question though :-)
> Kind Regards,
> Daniele Costa
> On Sun, Aug 4, 2013 at 1:00 PM, <owasp-gibraltar-request at lists.owasp.org> wrote:
>> Today's Topics:
>>    1. Re: Next Chapter Meeting - June/July? (Piotr Tomaszewski)
>> ----------------------------------------------------------------------
>> Message: 1
>> Date: Fri, 2 Aug 2013 11:16:28 +0200
>> From: Piotr Tomaszewski <piotr.tomaszewski at intelligentpayments.co.uk>
>> To: owasp-gibraltar at lists.owasp.org
>> Cc: Marcin Zduniak <marcin.zduniak at intelligentpayments.co.uk>
>> Subject: Re: [Owasp-gibraltar] Next Chapter Meeting - June/July?
>> Message-ID: <CACUt7-EBV+7MsydTr6ieQ3rbzr9JyrjPLwKkG4MKXhK7fOPWkA at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>> Dear All,
>> just wondering - is there any activity planned for the summer? Anyway,
>> there's one question I would like to raise, maybe you guys have already
>> faced the problem before:
>> With the advent of Safari and (soon) Firefox blocking third-party
>> cookies, we had a lot of complaints about sessions being lost. We do
>> appear to be a third party, as our web cashier is usually embedded in an
>> HTML frame, and for some of the merchants asking a user to fiddle with
>> browser settings is unacceptable. There are strong reasons to keep it this
>> way, so we decided to reach for the almost-obsolete URL tokens to maintain
>> sessions. Although we are quite sure it is not all that very different from
>> cookie-based sessions, I would really appreciate any insights on this you
>> might have.
>> The OWASP site says: "Effectively, the web application can use both
>> mechanisms, cookies or URL parameters, or even switch from one to the other
>> (automatic URL rewriting) if certain conditions are met (for example, the
>> existence of web clients without cookies support or when cookies are not
>> accepted due to user privacy concerns)."
>> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Built-in_Session_Management_Implementations
>> Best regards,
>> Piotr
>> ------------------------------
>> _______________________________________________
>> Owasp-gibraltar mailing list
>> Owasp-gibraltar at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-gibraltar
>> End of Owasp-gibraltar Digest, Vol 4, Issue 1
>> *********************************************


Piotr Tomaszewski
Senior Flex Developer

PO Box 1251, Elmslie House, 51/53 Irish Town, Gibraltar
T: +350 2000 6635

@: piotr.tomaszewski at intelligentpayments.co.uk

W: www.intelligentpayments.co.uk

W: www.myriadpayments.com

W: www.matrixpayments.com

This communication and the information it contains:
a) Is intended for the person(s) or organisation(s) named above. Access to
this mail by anyone else is unauthorised.
b) Is confidential and may be legally privileged or otherwise protected in
law. Unauthorised use, circulation, copying or disclosure of any part of
this communication may be unlawful.
c) May be susceptible to interference and it should not be assumed that it has
come in its original form and / or from the stated sender. If you are not
the intended recipient, please inform the sender immediately by email and
delete it and all copies from your system.

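The second option in Piotr's message (one-time-use tokens on every request, with a single entry point where the session is initiated) combined with Daniele's point about unpredictable session ID generation, as an added example in Python. This is not code from the thread or from Intelligent Payments; the class name, the `st` query parameter and the `cashier.example` URL are assumptions. The flow shows why a token that has already been used (for instance one that left the frame in a Referer header when the user followed an external link) is useless to whoever sees it.

```python
"""Added example (not from the thread): single entry point plus one-time-use URL tokens.

Each request must carry a fresh token in the URL; the server retires it on first use and
hands back a new one. A copy of an old URL, however it leaked, is rejected on replay.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PARAM = "st"  # assumed query-parameter name, not taken from the thread


class OneTimeTokenSessions:
    """Server-side session store keyed by single-use tokens (hypothetical class)."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._clock = clock
        self._ttl = ttl_seconds
        self._sessions = {}   # session_id -> {"data": ..., "expires": float}
        self._tokens = {}     # live one-time token -> session_id

    def _issue_token(self, session_id):
        # 32 bytes from the OS CSPRNG: the value cannot be guessed or manipulated,
        # which is the property Daniele says the generator must be tested for
        token = secrets.token_urlsafe(32)
        self._tokens[token] = session_id
        return token

    def start(self, data):
        """The single entry point: create the server-side session, return its first token."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"data": data, "expires": self._clock() + self._ttl}
        return self._issue_token(session_id)

    def consume(self, token):
        """Validate and retire a token. Returns (data, next_token), or None if rejected."""
        # pop() retires the token whether or not the session turns out to be valid,
        # so a replayed copy can never succeed
        session_id = self._tokens.pop(token, None)
        if session_id is None:
            return None
        session = self._sessions.get(session_id)
        if session is None or session["expires"] <= self._clock():
            self._sessions.pop(session_id, None)
            return None
        session["expires"] = self._clock() + self._ttl  # sliding expiry on activity
        return session["data"], self._issue_token(session_id)


def url_with_token(base_url, token):
    """Build the frame URL that carries the current one-time token."""
    return f"{base_url}?{urlencode({TOKEN_PARAM: token})}"


def token_from_url(url):
    """Extract the token from a request URL (None if absent)."""
    return parse_qs(urlparse(url).query).get(TOKEN_PARAM, [None])[0]


def demo_replay_is_rejected():
    """Walk the flow; return True if a leaked, already-used URL is refused."""
    sessions = OneTimeTokenSessions()
    base = "https://cashier.example/pay"  # constructed URL
    first = url_with_token(base, sessions.start({"order": "A1"}))
    # the legitimate request consumes the token and receives a fresh one
    data, nxt = sessions.consume(token_from_url(first))
    second = url_with_token(base, nxt)
    # the first URL has now been seen by a third party; replaying it must fail
    replay = sessions.consume(token_from_url(first))
    # the fresh URL still works, exactly once
    data2, _ = sessions.consume(token_from_url(second))
    return data == {"order": "A1"} and replay is None and data2 == {"order": "A1"}


if __name__ == "__main__":
    print("replay rejected:", demo_replay_is_rejected())
```

The store is in-memory for the example; a real deployment would back it with a shared store so that all cashier instances see the same live tokens, and would still keep the short expiry, since the token only protects the window between one request and the next.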
