[Owasp-testing] Copy Cookies

Stephen de Vries stephen at twisteddelight.org
Thu Jul 22 04:46:01 EDT 2010


On Jul 22, 2010, at 9:54 AM, Dave van Stein wrote:
> 
> 2010/7/22 Stephen de Vries stephen at twisteddelight.org
> 
> I wouldn't really call this a vulnerability, it's how 99% of the web applications on the internet work.  
>  
> And 95% of the application accept and use user input unvalidated ... Is that not a vulnerability either then ?
>  
> Session hijacking IS a vulnerability. You can prevent it and it should be prevented.

I didn't claim the contrary.  The original poster described taking a session cookie (not mentioning where he got it) and then using it in another browser to get access to another user's session.  This is like saying every app on the internet is vulnerable to authentication hijacking, because if I take your username and your password then I can login as you!  

What I was saying was that the controls around the session ID are focussed on preventing attackers from getting hold of the session ID in the first place.  Very few "high value" apps will need to defend against attacks where the attacker has already got hold of the session ID.

The advice you posted is nice and complete, I agree 100% - and I like that you qualified some of the controls with: "...for high value applications...", which shows that for other apps some of those controls are overkill. 

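Stephen's point above is that the usual controls try to stop the session ID from leaking in the first place. As an added illustration (not part of the original thread, and not code from any poster), the block below shows two sides of that in Python's standard library: issuing a session ID with enough entropy and with the cookie attributes that limit where it is sent, and a small audit function of the kind a tester would run over a server's Set-Cookie header to spot a session cookie that is missing those attributes. The cookie name SESSIONID and the 30-minute lifetime are assumptions chosen for the example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed cookie name for this example


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable session ID from the OS CSPRNG (32 bytes = 256 bits)."""
    return secrets.token_urlsafe(nbytes)


def session_set_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie value for the session ID.

    Secure     -> only sent over TLS, so it is not exposed on the wire
    HttpOnly   -> not readable by script, so an XSS cannot simply read it
    SameSite   -> not attached to cross-site requests
    Max-Age    -> short lifetime (assumed 30 minutes) limits a stolen ID's value
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    # header="" drops the "Set-Cookie:" prefix; strip the leading space
    return cookie.output(header="").strip()


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attributes are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return a list of findings for a session Set-Cookie header.

    An empty list means the cookie carries Secure, HttpOnly and a SameSite
    value other than None. Each finding names the cookie and the gap.
    """
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
    elif str(samesite).lower() == "none":
        findings.append(f"{name}: SameSite=None (sent on cross-site requests)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a well-formed header from this module and a weak one
    good = session_set_cookie_header(new_session_id())
    weak = "SESSIONID=abc123; Path=/"
    print(good)
    print("good findings:", audit_set_cookie(good))
    print("weak findings:", audit_set_cookie(weak))
```

The audit only inspects the header the server sends; it says nothing about whether the server accepts an ID it never issued, which is the separate fixation concern the thread touches on.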