On Thu, Jul 12, 2012 at 2:15 PM, <generic...@hushmail.com> wrote:
> Benji,
>
> Do you write anything but scathing criticism? I've never seen you
> contribute anything of use to this list. You must be a real pleasure in
> person.
>
> Sent using Hushmail
>
> On 07/12/2012 at 4:52 AM, Benji <m...@b3nji.com> wrote:
>
> Ah, please send more emails explaining the faults of retarded
> programmers and serious vulnerabilities, and then link to an owasp
> page.
>
> Can you explain HTTPOnly cookies to me? I will only accept your
> explanation if you can justify an impact of Critical, a likelihood of
> High and a severity of High?
>
> fuq'in kidz...
>
> On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu
> <gokhan.muharremo...@iosec.org> wrote:
>>
>> This article explains how this vulnerability works with the Session
>> Fixation attack.
>>
>> https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
>>
>>> From: gokhan.muharremo...@iosec.org
>>> To: full-disclosure@lists.grok.org.uk
>>> Date: Wed, 11 Jul 2012 11:34:11 +0300
>>> Subject: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
>>>
>>> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
>>> Type: Improper Session Handling
>>> Impact: Session Hijacking
>>> Level: Medium
>>> Date: 10.07.2012
>>> Vendor: Vendor-neutral
>>> Issuer: Gokhan Muharremoglu
>>> E-mail: gokhan.muharremo...@iosec.org
>>>
>>>
>>> VULNERABILITY
>>> If a web application starts a session and defines a session id before a
>>> user has authenticated, this session id must be changed after a successful
>>> authentication. If the web application uses the same session id before and
>>> after authentication, any legitimate user who has gained the "before
>>> authentication" session id can hijack future "after authentication"
>>> sessions too.
>>>
>>>
>>> Vulnerable Login Page & Session ID before Authentication
>>> (Status-Line) HTTP/1.1 200 OK
>>> Server Apache/2.2.3 (CentOS)
>>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>>> Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>>> Pragma no-cache
>>> Content-Type text/html
>>> Content-Length 308
>>> Date Tue, 10 Jul 2012 06:16:57 GMT
>>> X-Varnish 1922993981
>>> Age 0
>>> Via 1.1 varnish
>>> Connection keep-alive
>>>
>>>
>>> Vulnerable Login Page & Authentication Request
>>> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
>>> Host www.iosec.org
>>> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
>>> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
>>> Accept-Encoding gzip,deflate
>>> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
>>> Keep-Alive 115
>>> Connection keep-alive
>>> Referer http://www.iosec.org/iosec_login_vulnerable.php
>>> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
>>> Content-Type application/x-www-form-urlencoded
>>> Content-Length 42
>>> POST DATA
>>> user gokhan
>>> pass muharremoglu
>>> submit Login
>>>
>>>
>>> Vulnerable Login Page & Session ID after Authentication
>>> (Status-Line) HTTP/1.1 200 OK
>>> Server Apache/2.2.3 (CentOS)
>>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>>> Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>>> Pragma no-cache
>>> Content-Type text/html
>>> Content-Length 308
>>> Date Tue, 10 Jul 2012 06:16:57 GMT
>>> X-Varnish 1922993981
>>> Age 0
>>> Via 1.1 varnish
>>> Connection keep-alive
>>>
>>>
>>> MITIGATION
>>> To avoid this vulnerability, sessions must be regenerated after a
>>> successful login. In a session fixation attack, an attacker fixates (sets)
>>> another person's (the victim's) session identifier because of a "never
>>> regenerated and validated" session id, and this vulnerability can also
>>> lead to the Session Fixation attack.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
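The advisory quoted in this thread describes a login that keeps the pre-authentication PHPSESSID, and its mitigation is to regenerate the id on successful login. The following Python is an added example, not code from the advisory, from iosec.org or from the list: it models a minimal server-side session store with a `login_vulnerable` method that reproduces the described behaviour beside a `login_hardened` method that issues a fresh id and retires the old one, and it adds a small checker, `rotated_after_login`, that compares captured pre- and post-login response headers the way a tester would verify this finding. The session store, the method names, the `USERS` table and the `EXAMPLE_regenerated_id_0000` value are assumptions; the header samples are constructed from the advisory's captured responses with the colons that the paste dropped restored.

```python
"""Session-id rotation on login: vulnerable vs. hardened handler, plus a
checker for captured HTTP responses.  Added example; not the advisory's code."""
import hmac
import secrets

# Constructed credential table (assumption); the user/pass pair is the one
# shown in the advisory's POST data.
USERS = {"gokhan": "muharremoglu"}


def _credentials_ok(user: str, password: str) -> bool:
    expected = USERS.get(user)
    # Constant-time comparison so the check does not leak on the first wrong byte.
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal in-memory session store (assumption): session id -> attributes."""

    def __init__(self) -> None:
        self.sessions = {}  # sid -> {"user": ...}

    def start(self) -> str:
        """Pre-authentication session, i.e. the id sent along with the login form."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str, password: str):
        """The advisory's finding: authenticate but keep the pre-auth id, so
        whoever already held (or set) that id now holds the authenticated session."""
        if sid not in self.sessions or not _credentials_ok(user, password):
            return None
        self.sessions[sid]["user"] = user
        return sid  # same id before and after authentication

    def login_hardened(self, sid: str, user: str, password: str):
        """The advisory's mitigation: regenerate the id on success and retire
        the old one, so a pre-auth id never resolves to an authenticated session."""
        if sid not in self.sessions or not _credentials_ok(user, password):
            return None
        attrs = self.sessions.pop(sid)  # the old id stops resolving immediately
        attrs["user"] = user
        new_sid = secrets.token_urlsafe(24)
        self.sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid: str):
        """Authenticated user bound to `sid`, or None if unknown/unauthenticated."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def session_cookie_value(raw_headers: str, name: str = "PHPSESSID"):
    """Value that a Set-Cookie header assigns to `name`, or None when the
    response does not set that cookie at all."""
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        cookie_name, _, cookie_value = value.strip().split(";", 1)[0].partition("=")
        if cookie_name.strip() == name:
            return cookie_value.strip()
    return None


def rotated_after_login(pre_auth: str, post_auth: str, name: str = "PHPSESSID") -> bool:
    """True only if the post-login response issues a different session id.
    No Set-Cookie after login also counts as not rotated: the client simply
    keeps using the pre-auth id."""
    before = session_cookie_value(pre_auth, name)
    after = session_cookie_value(post_auth, name)
    return after is not None and after != before


# Constructed from the advisory's captured responses (colons restored).
PRE_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Set-Cookie: PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/\r\n"
    "Content-Type: text/html\r\n"
)
POST_AUTH_RESPONSE_VULNERABLE = PRE_AUTH_RESPONSE  # identical Set-Cookie, as in the advisory
# Hypothetical response from a fixed server: new id, cookie flagged HttpOnly and Secure.
POST_AUTH_RESPONSE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Set-Cookie: PHPSESSID=EXAMPLE_regenerated_id_0000; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    store = SessionStore()
    sid = store.start()
    print("vulnerable login keeps id:", store.login_vulnerable(sid, "gokhan", "muharremoglu") == sid)
    sid = store.start()
    new_sid = store.login_hardened(sid, "gokhan", "muharremoglu")
    print("hardened login rotates id:", new_sid != sid, "| old id still valid:", store.user_for(sid) is not None)
    print("advisory exchange rotated:", rotated_after_login(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_VULNERABLE))
    print("fixed exchange rotated:", rotated_after_login(PRE_AUTH_RESPONSE, POST_AUTH_RESPONSE_FIXED))
```

The checker is deliberately strict about the absent-cookie case: a server that regenerates the id internally but never sends the new value is still leaving the browser on the pre-auth id, which is the condition the advisory describes. Retiring the old id in `login_hardened` (rather than only minting a new one) is what closes the fixation path the OWASP link in the thread covers.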