[Owasp-singapore] Security concern on IE8 session merging
gtanuel at gmail.com
Fri Aug 27 22:31:16 EDT 2010
I just recently came to know about IE8 session merging behavior. I
tried to look for more info if this was already highlighted/addressed
from a web vulnerability assessment perspective, but couldn't find
anything substantial so far. Does anyone nowadays check for HTML5
sessionStorage usage for authenticating a session during their
assessments, i.e. does anyone see this as a requirement?
A simple example would be:
1. Attacker gains access to unlocked machine.
2. Open IE.
3. Create a WSH script e.g. C:\test.js containing the following
4. Run it, then delete it.
5. Close IE, leave and wait.
The script will make one hidden IE instance to keep non-persistent
cookies maintained even when the user doesn't specifically ask for it
("Keep me logged in" checkbox).
Any input, especially when it comes to an assessment?