[Owasp-testing] Copy Cookies

Stephen de Vries stephen at twisteddelight.org
Thu Jul 22 05:35:39 EDT 2010


Zaki, 

Your question was answered by Dave, the response below is purely for academic interest and Dave and I are essentially splitting hairs over definitions :)

On Jul 22, 2010, at 11:19 AM, Dave van Stein wrote:

> In order for this trust to be legitimate the application should have a mechanism to validate the authenticity of this token. Just accepting any token that happens to be an active token is like only asking for a username (and no password) and assuming everybody will only use his/her username.

...IF and only IF we also assumed that users picked a 128 bit random username every time, in which case, the app has the same level of security (or insecurity) as a traditional web app that used a 128bit random session ID.
 
> What I was saying was that the controls around the session ID are focussed on preventing attackers from getting hold of the session ID in the first place.  Very few "high value" apps will need to defend against attacks where the attacker has already got hold of the session ID.
> Oh, I agree on that one. For most applications it is sufficient to use an unpredictable token, protect it and limit the lifespan. Nonetheless session hijacking remains a vulnerability but with an acceptable residual risk.

<insert head nodding>
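The thread's consensus (a 128-bit random token, protected in transit and given a limited lifespan) is simple enough to write down. The following is an added illustration, not code from the list or from OWASP; the in-memory `SessionStore` class, its method names and the 15-minute default lifespan are all assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# 16 bytes = 128 bits of CSPRNG entropy, the figure quoted in the thread.
# Because guessing a live token among 2**128 candidates is infeasible,
# "any active token is trusted" carries only the residual risk Dave describes.
SESSION_ID_BYTES = 16


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Hypothetical in-memory store: issue, resolve, revoke (added example)."""

    def __init__(self, lifespan_seconds: int = 900):
        self.lifespan = lifespan_seconds
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        # Never derive the token from user data; secrets.token_hex is the CSPRNG path.
        now = time.time() if now is None else now
        token = secrets.token_hex(SESSION_ID_BYTES)
        self._sessions[token] = Session(user, now + self.lifespan)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to `token`, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now >= sess.expires_at:
            # Limited lifespan: an expired token is purged, not silently renewed.
            del self._sessions[token]
            return None
        return sess.user

    def revoke(self, token: str) -> None:
        """Logout path: remove the token so a later replay fails."""
        self._sessions.pop(token, None)
```

In a real deployment the token would additionally travel only over TLS in a cookie flagged `Secure` and `HttpOnly`, which is the "protect it" part of the advice.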


