Abbas Naderi abiusx at owasp.org
Thu Mar 1 04:31:07 UTC 2018

Basically if the session ID is stolen, there's not much you can do about it.

One thing is to check for the source IP, and if it's different, use an algorithm to decide what to do. For example, Facebook and Gmail do this. However, you don't want to be super restrictive because user IPs can change in one session, albeit slightly.

Another possibility is to check for browser type (user-agent header) and if it changes, then block it. That might be useful but an attacker will usually also mimic the user-agent header, so the server doesn't have an easy way of differentiating him.


> On Feb 28, 2018, at 11:19 PM, Anand Deshmukh <anandkumardeshmukh at gmail.com> wrote:
> Hi,
> Basically, I am a consultant and work on a project basis.
> Application security is a new domain for me and I am trying my best to
> deliver services to my clients in the AppSec domain. Currently I am working on
> one of the assignments for my client and I found that there is a confirmed
> vulnerability of session hijacking. I found this with the help of Burp
> Suite.
> To brief the scenario, following are the details. The application is
> developed in Java and it's a web-based application. *FoxyProxy is configured
> in both browsers and all the traffic is monitored using "Burp Suite" or
> passing through "Burp Suite"*.
> Scenario - 1
> 1) I have logged in to Firefox or any browser with User "A" as a privileged
> user and obviously "A" would have more information/options compared
> to any normal user.
> 2) Now I have logged in with user "B" in a different browser. User "B" is a
> normal user and has fewer privileges compared to User "A".
> 3) Now with the help of Burp Suite, I have identified the authentication
> session which has User "A" credentials and the Session ID. Using
> "Show Response in Browser", which is available in Burp Suite, I tried to
> copy the complete session details and tried to run it in the browser where User
> "B" is logged in.
> 4) The browser has allowed me to log in and it shows that User "A" is logged in.
> This means the same credentials and session ID have been used to log in with
> User "A" in a different browser and the browser has allowed this without
> asking for any credentials.
> Here my suggestions to my client are as follows.
> 1) The same session ID can't be used to initiate the same session in a
> different browser.
> 2) In such cases the browser should prompt for authentication of the user.
> Scenario - 2
> 1) The application is the same, but instead of using two different browsers, here I
> have used two different systems.
> 2) Here user "A" is logged on to system "X" with any browser.
> 3) User "B" is logged on to system "Y" with any browser.
> 4) I can replace the session ID with that of User "A" on system "Y" where User
> "B" is already logged in and I can see the browser shows that User "A" is
> successfully logged in on system "Y".
> My observations for this scenario - 2
> 1) Here I am able to log in as User "A" by replacing the Session ID without any
> authentication and the browser should not allow this.
> I request you to share how I can fix this issue or suggest a fix for this
> issue. It would be great to have your support.
> -- 
> Anand Deshmukh
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
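One way to implement the two checks described in the reply above (tolerate a small source-IP move, require re-authentication on a large one, block on a user-agent change), as an added example that is not part of the original thread. The /24 and /64 tolerance widths, the class and function names, and the sample addresses and browser strings are assumptions made for the example; it also replays the thread's Scenario 2 (user A's session ID presented from a second system) to show the decision the server would now take.

```python
"""Session binding checks: tolerate small source-IP moves, block user-agent changes."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed tolerance widths: an IP that moves within the same /24 (IPv4) or /64 (IPv6)
# is treated as the "slight" change a legitimate user may produce mid-session.
IPV4_TOLERANCE_PREFIX = 24
IPV6_TOLERANCE_PREFIX = 64


class Decision(Enum):
    ALLOW = "allow"    # fingerprint still matches (or moved only slightly): serve the request
    REAUTH = "reauth"  # source IP moved outside the tolerated range: prompt for credentials
    REVOKE = "revoke"  # user-agent changed or session unknown: destroy the session


@dataclass
class SessionRecord:
    user: str
    ip: IPAddress
    user_agent: str


def same_network(a: IPAddress, b: IPAddress) -> bool:
    """True if both addresses fall inside the same tolerated prefix."""
    if a.version != b.version:
        return False
    prefix = IPV4_TOLERANCE_PREFIX if a.version == 4 else IPV6_TOLERANCE_PREFIX
    network = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return b in network


class SessionStore:
    """Server-side session table keyed by session ID, holding the bound client fingerprint."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionRecord] = {}

    def create(self, session_id: str, user: str, client_ip: str, user_agent: str) -> None:
        # Record the fingerprint at login; the session is bound to it from now on.
        self._sessions[session_id] = SessionRecord(user, ipaddress.ip_address(client_ip), user_agent)

    def revoke(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def current_user(self, session_id: str) -> Optional[str]:
        rec = self._sessions.get(session_id)
        return rec.user if rec else None

    def check(self, session_id: str, client_ip: str, user_agent: str) -> Decision:
        """Evaluate a request carrying session_id against the fingerprint bound at login."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return Decision.REVOKE
        # User-agent change: block, as the reply suggests. The header can be copied,
        # so this only catches replays that did not bother to match it.
        if user_agent != rec.user_agent:
            self.revoke(session_id)
            return Decision.REVOKE
        ip = ipaddress.ip_address(client_ip)
        if ip == rec.ip:
            return Decision.ALLOW
        if same_network(ip, rec.ip):
            rec.ip = ip  # small move (e.g. DHCP renewal, carrier NAT): accept and track it
            return Decision.ALLOW
        # Large move: keep the session but make the user prove their identity again.
        return Decision.REAUTH

    def confirm_reauth(self, session_id: str, client_ip: str) -> bool:
        """Call after the user re-entered valid credentials; rebinds the session to the new IP."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return False
        rec.ip = ipaddress.ip_address(client_ip)
        return True


def replay_scenario() -> Decision:
    """Constructed replay of the thread's Scenario 2: user A's session ID sent from system Y."""
    store = SessionStore()
    store.create("sid-A", "A", "203.0.113.10", "Mozilla/5.0 (X11; Linux) Firefox/58.0")
    # Same session ID, different system: other network and other browser string.
    return store.check("sid-A", "198.51.100.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/64.0")


if __name__ == "__main__":
    print(replay_scenario())
```

In the replayed scenario the server answers REVOKE instead of serving user A's pages, because the browser string differs; had the second system sent an identical user-agent, the out-of-range IP would still yield REAUTH rather than ALLOW. The `confirm_reauth` hook is where a successful credential prompt rebinds the session, so a user who genuinely changed networks is not locked out.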
