[Owasp-testing] Copy Cookies
lode at vanstechelman.eu
Mon Jul 26 12:00:54 EDT 2010
There are other ways than the IP address which you can use to track a
specific client instance.
I recently read a paper which used many things like installed fonts in the
browser, available browser plugins, browser language, java vm version, and
many more to build a huge browser identifier.
According to the paper, it was possible to distinguish browsers even when
using NoScript, cleaning headers or by using Tor.
I'm not sure whether there already exists an implementation which you can
use, but it can give you usable ideas:
On 22 July 2010 19:10, Dave van Stein <dvstein at gmail.com> wrote:
> 2010/7/22 Bil Corry <bil at corry.biz>
> Dave van Stein wrote on 7/22/2010 12:50 AM:
>> > All session tokens in high value applications SHOULD be tied to a
>> > HTTP client instance (session identifier and IP address).
>> There are some clients that sit behind a multi-IP proxy where each request
>> originates from a different IP address. AOL used to employ such a system.
>> Those clients, if they're important, must have an alternate system
>> available that doesn't rely on the IP address (or allows more than one).
>> > Each form or page nonce SHOULD be removed from the active list as soon as it
>> > is submitted.
>> If the nonce is rotated for each request, know that it will break the
>> browser history (e.g. back button). The impact to the user can be minimized
>> by requiring they re-authenticate, then automatically perform the original
>> - Bil
> Like I said earlier that was just a copy/paste from the Testing Guide as
> sample examples for minimizing the risk of session hijacking. As with every
> problem and solution you should always find a balance between security,
> functionality, usability and performance.
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
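The two controls the thread discusses (binding a session token to a client instance without depending on one fixed IP address, and removing a form nonce from the active list the moment it is submitted) are sketched below in Python. This is an added illustration, not code from the Testing Guide or from anyone on the list; the names SessionStore, NonceStore and client_fingerprint are hypothetical, the key and addresses are constructed, and binding to the /24 (IPv4) or /48 (IPv6) network plus a couple of stable headers is one possible answer to Bil's multi-IP-proxy point, not a recommendation from the thread.

```python
"""Session binding and single-use form nonces (added example, not from the thread).

Demonstrates:
  * tying a session token to an HTTP client instance without relying on a
    single fixed source address (multi-IP proxies rotate the address per
    request), by keying on the source network and stable request headers;
  * per-form nonces that leave the active list as soon as they are submitted,
    so a replayed submission is rejected.
All class and function names are hypothetical; SERVER_KEY is a constructed value.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; a real deployment uses a secret key


def client_fingerprint(headers: dict, remote_ip: str) -> str:
    """Keyed identifier for the client instance a session is bound to.

    Uses the /24 (IPv4) or /48 (IPv6) network rather than the exact address, plus
    headers that rarely change mid-session, so address rotation inside one proxy
    pool does not invalidate the session while a move to another network does.
    """
    addr = ipaddress.ip_address(remote_ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    material = "|".join([
        str(net),
        headers.get("User-Agent", ""),
        headers.get("Accept-Language", ""),
    ])
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session table: token -> (bound fingerprint, expiry)."""

    def __init__(self, ttl_seconds: int = 1800):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, fingerprint: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (fingerprint, now + self.ttl)
        return token

    def validate(self, token: str, fingerprint: str, now: float = None) -> bool:
        """True only if the token exists, is unexpired and the client instance matches.

        A fingerprint mismatch destroys the session: the token is treated as
        having been presented by someone other than the client it was issued to.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return False
        bound_fp, expiry = entry
        if now > expiry or not hmac.compare_digest(bound_fp, fingerprint):
            del self._sessions[token]
            return False
        return True


class NonceStore:
    """Active list of per-form nonces: nonce -> session token it was issued to."""

    def __init__(self):
        self._active = {}

    def issue(self, session_token: str) -> str:
        nonce = secrets.token_urlsafe(16)
        self._active[nonce] = session_token
        return nonce

    def consume(self, nonce: str, session_token: str) -> bool:
        """Accept a nonce exactly once, and only from the session it was issued to."""
        owner = self._active.get(nonce)
        if owner is None or not hmac.compare_digest(owner, session_token):
            return False
        del self._active[nonce]  # removed from the active list on submission
        return True


def demo() -> dict:
    """Walk through the scenarios raised on the list; returns the outcome of each."""
    headers = {"User-Agent": "ExampleBrowser/1.0", "Accept-Language": "en-US"}
    sessions, nonces = SessionStore(), NonceStore()

    # Addresses below are constructed from documentation ranges (TEST-NET-2/3).
    fp_login = client_fingerprint(headers, "203.0.113.10")
    token = sessions.create(fp_login)

    # Next request from another address in the same /24 (proxy pool): accepted.
    same_pool = sessions.validate(token, client_fingerprint(headers, "203.0.113.77"))

    # Form nonce: first submission accepted, replay of the same nonce rejected.
    nonce = nonces.issue(token)
    first_submit = nonces.consume(nonce, token)
    replay = nonces.consume(nonce, token)

    # Token presented from another network with another browser: rejected, and
    # the session is destroyed so the original client must re-authenticate.
    other_fp = client_fingerprint({"User-Agent": "OtherBrowser/9"}, "198.51.100.5")
    hijack = sessions.validate(token, other_fp)
    after_hijack = sessions.validate(token, fp_login)

    return {"same_pool": same_pool, "first_submit": first_submit, "replay": replay,
            "hijack": hijack, "after_hijack": after_hijack}


if __name__ == "__main__":
    print(demo())
```

Whether to bind on the /24, on a fuller browser fingerprint of the kind Lode mentions, or on nothing address-related at all is the balance Dave refers to: the coarser the binding, the less a multi-IP proxy breaks sessions, and the less a token theft is detected.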