[Owasp-singapore] Security concern on IE8 session merging

Ganius Tanuel gtanuel at gmail.com
Fri Aug 27 22:31:16 EDT 2010


Hi folks,

I just recently came to know about IE8 session merging behavior. I
tried to look for more info if this was already highlighted/addressed
from a web vulnerability assessment perspective, but couldn't find
anything substantial so far. Does anyone nowadays check for HTML5
sessionStorage usage for authenticating a session during their
assessments, i.e. does anyone see this as a requirement?

A simple example would be:
1. Attacker gains access to unlocked machine.
2. Open IE.
2. Create a WSH script e.g. C:\test.js containing the following
WScript.CreateObject("InternetExplorer.Application")
3. Run it, then delete it.
4. Close IE, leave and wait.

The script will make one hidden IE instance to make non-persistent
cookies maintained even when user doesn't specifically asks for it
("Keep me logged in" checkbox).

Any input, especially when it comes to an assessment?

Regards,
G. Tanuel


More information about the Owasp-singapore mailing list