Ah, please send more emails explaining the faults of retarded programmers and serious vulnerabilities, and then link to an owasp page.
Can you explain HTTPOnly cookies to me? I will only accept your explanation if you can justify an impact of Critical, a likelihood of High and a severity of High? fuq'in kidz... On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu <[email protected]> wrote: > > This article explains how this vulnerability works with Session Fixation > attack. > https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003) > >> From: [email protected] >> To: [email protected] >> Date: Wed, 11 Jul 2012 11:34:11 +0300 >> Subject: [Full-disclosure] Predefined Post Authentication Session ID >> Vulnerability > >> >> Vulnerability Name: Predefined Post Authentication Session ID >> Vulnerability >> Type: Improper Session Handling >> Impact: Session Hijacking >> Level: Medium >> Date: 10.07.2012 >> Vendor: Vendor-neutral >> Issuer: Gokhan Muharremoglu >> E-mail: [email protected] >> >> >> VULNERABILITY >> If a web application starts a session and defines a session id before a >> user >> authenticated, this session id must be changed after a successful< br>> >> authentication. If web application uses the same session id before and after > >> authentication, any legitimate user who has gained the "before >> authentication" session id can hijack future "after authentication" >> sessions >> too. >> >> >> Vulnerable Login Page & Session ID before Authentication >> (Status-Line) HTTP/1.1 200 OK >> Server Apache/2.2.3 (CentOS) >> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ >> Expires Thu, 19 Nov 1981 08:52:00 GMT >> Cache-Control no-store, no-cache, must-revalidate, post-check=0, >> pre-check=0 >> Pragma no-cache >> Content-Type text/html >> Content-Length 308 >> Date Tue, 10 Jul 2012 06:16:57 GMT >> X-Varnish 1922993981 >> Age 0 >> Via 1.1 varnish >> Connection keep-alive >> >> >> Vulnerable Login Page & Authentication Request >> (Request-Line) POST /io sec_login_vulnerable.php HTTP/1.1 > >> Host www.iosec.org >> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25) >> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E) >> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3 >> Accept-Encoding gzip,deflate >> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7 >> Keep-Alive 115 >> Connection keep-alive >> Referer http://www.iosec.org/iosec_login_vulnerable.php >> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2 >> Content-Type application/x-www-form-urlencoded >> Content-Length 42 >> POST DATA >> user gokhan >> pass muharremoglu >> submit Login >> >> >> Vulnerable Login Page & Session ID after Authentication >> (Status-Line) HTTP/1.1 200 OK >> Server Apache/2.2.3 (CentOS) >> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ >> Expires Thu, 19 Nov 1981 08:52:00 GMT >> Cache-Control no-store, no-cache, must-revalidate, post-check=0, >> pre-check=0 >> Pragma no-cache >> Content-Type text/html >> Content-Length 308 >> Date Tue, 10 Jul 2012 06:16:57 GMT >> X-Varnish 1922993981 >> Age 0 >> Via 1.1 varnish >> Connection keep-alive >> >> >> MITIGATION >> To avoid this vulnerability, sessions must be regenerated after a >> successful >> login. In a session fixation attack, attacker fixates (sets) another >> person's (victim's) session identifier because of "never regenerated and >> validated" session id and this vulnerability can also lead to the Session >> Fixation attack. >> >> _______________________________________________ >> Full-Discl osure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
