[OWASP-Security101] SESSION HIJACKING ISSUE

Anand Deshmukh anandkumardeshmukh at gmail.com
Thu Mar 1 09:40:33 UTC 2018


Hi Abbas,

Thanks for your quick response. As I am on tour and have limited access to the
internet, I was not able to read your mail.

As you said, there is not much to do in this case, if I understood correctly.
Also, if we go and bind the IP, then scenario one will not get fixed, as in
scenario one the IP would be the same and only the browser is different.


Thanks again.

*Anand Deshmukh*

On Thu, Mar 1, 2018 at 10:01 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Hello,
> Basically if the session ID is stolen, there's not much you can do about
> it.
>
> One thing is to check for the source IP, and if it's different, use an
> algorithm to decide what to do. For example, Facebook and Gmail do this.
> However, you don't want to be super restrictive because user IPs can change
> in one session, albeit slightly.
>
> Another possibility is to check for browser type (user-agent header) and
> if it changes, then block it. That might be useful but an attacker will
> usually also mimic the user-agent header, so the server doesn't have an
> easy way of differentiating him.
>
> Regards
> -A
>
>
> > On Feb 28, 2018, at 11:19 PM, Anand Deshmukh <anandkumardeshmukh at gmail.com> wrote:
> >
> > Hi,
> >
> > Basically, I am a consultant and work on a project basis.
> >
> > Application security is a new domain for me and I am trying my best to
> > deliver services to my clients in the AppSec domain. Currently I am working
> > on one of the assignments for my client and I found that there is a confirmed
> > vulnerability of session hijacking. I found this with the help of Burp
> > Suite.
> >
> > To brief about the scenario, the details are as follows. The application is
> > developed in Java and is a web-based application. *FoxyProxy is configured
> > in both browsers and all the traffic is monitored using "Burp Suite" or
> > passing through "Burp Suite"*.
> >
> > Scenario - 1
> >
> > 1) I have logged in to Firefox or any browser with user "A" as a privileged
> > user, and obviously "A" would have more information/options compared
> > to any normal user.
> > 2) Now I have logged in with user "B" in a different browser. User "B" is a
> > normal user and has fewer privileges compared to user "A".
> >
> > 3) Now with the help of Burp Suite, I have identified the authentication
> > session which has user "A"'s credentials and the session ID. By using
> > "Show Response in Browser", which is available in Burp Suite, I tried to
> > copy the complete session details and tried to run them in the browser where
> > user "B" is logged in.
> >
> > 4) The browser has allowed me to log in and it shows that user "A" is logged
> > in. This means the same credentials and session ID have been used to log in
> > as user "A" in a different browser, and the browser has allowed this without
> > asking for any credentials.
> >
> > Here my suggestions to my client are as follows.
> >
> > 1) The same session ID can't be used to initiate the same session in a
> > different browser.
> > 2) In such cases the browser should prompt for authentication of the user.
> >
> >
> > Scenario - 2
> >
> > 1) The application is the same, but instead of using two different browsers,
> > here I have used two different systems.
> > 2) Here user "A" is logged on to system "X" with any browser.
> > 3) User "B" is logged on to system "Y" with any browser.
> > 4) I can replace the session ID with that of user "A" on system "Y", where user
> > "B" is already logged in, and I can see the browser shows that user "A" is
> > successfully logged in on system "Y".
> >
> > My observations for scenario - 2
> >
> > 1) Here I am able to log in as user "A" by replacing the session ID without
> > any authentication, and the browser should not allow this.
> >
> >
> > I request you to share how I can fix this issue, or suggest how to fix this
> > issue. It would be great to have your support.
> >
> >
> > --
> > Anand Deshmukh
> > *MCSA,MCTS,CISA,COBIT 5 (F),CPISI*
> > _______________________________________________
> > Security101 mailing list
> > Security101 at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/security101
> > List Run By OWASP
>
>
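
The source-IP and user-agent checks Abbas describes above, together with Anand's point that IP binding alone does not catch scenario one, as an added Python example (not code from this thread or from the client's Java application). The IP addresses, User-Agent strings and the /24 tolerance window are constructed assumptions for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionBinding:
    """Attributes the server records at login and keeps next to the session ID."""
    ip_network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    ua_hash: str  # SHA-256 of the User-Agent header seen at login


def fingerprint_ua(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def bind_session(login_ip: str, user_agent: str, prefix_len: int = 24) -> SessionBinding:
    """Bind to the login address's /24 (assumed tolerance), not the exact IP, so the
    small address changes Abbas mentions within one session do not lock users out."""
    net = ipaddress.ip_network(f"{login_ip}/{prefix_len}", strict=False)
    return SessionBinding(ip_network=net, ua_hash=fingerprint_ua(user_agent))


def check_request(binding: SessionBinding, request_ip: str, user_agent: str) -> str:
    """Return "allow", "reauth" (prompt for credentials again) or "deny" for a
    request that presents a bound session ID. A changed User-Agent is treated as
    a hard signal; an attacker can copy the header, so this is defence in depth,
    not a cure for a stolen session ID."""
    if fingerprint_ua(user_agent) != binding.ua_hash:
        return "deny"
    if ipaddress.ip_address(request_ip) not in binding.ip_network:
        return "reauth"
    return "allow"


def replay_scenarios() -> dict:
    """Constructed sample traffic mirroring the two scenarios in the thread."""
    firefox = "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
    chrome = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0.3282.140"
    binding = bind_session("203.0.113.10", firefox)  # user "A" logs in from system X
    return {
        "normal_request": check_request(binding, "203.0.113.10", firefox),
        "ip_moved_within_prefix": check_request(binding, "203.0.113.77", firefox),
        # Scenario 1: same machine (same IP), session ID pasted into another browser
        "scenario_1_other_browser": check_request(binding, "203.0.113.10", chrome),
        # Scenario 2: session ID replayed from system Y on another network
        "scenario_2_other_system": check_request(binding, "198.51.100.5", chrome),
        # Scenario 2 with the User-Agent copied as well: only the IP check remains
        "scenario_2_ua_mimicked": check_request(binding, "198.51.100.5", firefox),
    }
```

The "reauth" outcome matches Anand's suggestion that the browser should be prompted for credentials rather than silently accepted or hard-blocked when only the network changes.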