--
James A. Donald wrote:
> > Adversary accesses web site as if about to log in, 
> > gets a session ID.  Then supplies false information 
> > to someone else's browser, causes that browser on 
> > someone else's computer to use that session ID.
> > Someone else logs in with hacker's session ID, and 
> > now the adversary is logged in.

Michael Cordover
> Question: how does one convince the victim's browser 
> to use the malicious ID?

Assuming we can intercept and modify cleartext, no 
problem.  There are also several other ways that do not 
require such a man-in-the-middle attack.

For example, the adversary might represent himself as 
selling some item for egold.  The victim clicks on the 
egold link on the adversary's web page, but it is a 
session fixation link which looks something like this.

<a href="http://e-gold/index.php?PHPSESSID=64383-34324-987437">

As a result, when the victim logs in to egold, logs in 
to the genuine e-gold, not a phishing site, he logs the
adversary in. Adversary then drains all of user's 
account.  (Assuming that e-gold is vulnerable to session 
fixation.) 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     /xB6pMv9fT1fIGlyhzRyAjdO+X1POcedv7maASR+
     4rXw3i2fw8a6eXIV31Rc11GLSM+BsAqwdlNX3AVVO
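
Added example, not part of the original post: a small Python model of the exchange described above, showing why a server that keeps the pre-login session ID is exposed and how issuing a fresh ID at login closes the hole. The SessionStore class, its methods and the "victim" user are hypothetical and model no real framework.

```python
import secrets

class SessionStore:
    """Toy server-side session table (constructed for illustration)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}   # session ID -> logged-in user, or None

    def visit(self, presented_sid=None):
        """Handle a pre-login request; return the session ID now in use."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid is not None and not self.hardened:
            # Permissive server: adopt whatever ID the client supplied.
            self.sessions[presented_sid] = None
            return presented_sid
        # Unknown or missing ID: the server generates its own.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid, user):
        """Authenticate `user`; return the session ID the browser keeps."""
        sid = self.visit(presented_sid)
        if self.hardened:
            # Defense: discard the pre-login ID and issue a fresh one that
            # only the browser that just authenticated ever receives.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)

def fixation_outcome(hardened):
    """Replay the scenario; return the user the adversary's ID maps to."""
    server = SessionStore(hardened)
    fixed_sid = server.visit()                       # adversary obtains an ID
    victim_sid = server.login(fixed_sid, "victim")   # victim logs in with it
    assert server.whoami(victim_sid) == "victim"     # victim's login works
    return server.whoami(fixed_sid)

if __name__ == "__main__":
    print("vulnerable:", fixation_outcome(False))
    print("hardened:  ", fixation_outcome(True))
```
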


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
