You'd need to clarify a few things. With quite a few assumptions, here are a couple of options I can provide.

If you have development bandwidth available, start encrypting end to end (assuming SSL is not an option).

If, as a user, you are asking what can be done to mitigate such a threat, then the short answer is to set up a tunnel closer to the server, away from the MITM (assuming the MITM is not on the server) and then connect to the tunnel. The MITM will get encrypted content and won't know where the tunnel terminates. Alternatively, set up an instance on a public cloud, RDP/ssh into the instance and connect to the server from that instance.

Thanks,
Vinil

From: Amit Saini <call4a...@gmail.com>
To: reuben kurien <reubengkur...@gmail.com>
Cc: owasp-delhi@lists.owasp.org
Sent: Tuesday, July 7, 2015 9:56 PM
Subject: Re: [OWASP-Delhi] OWASP-Delhi Digest, - How can we mitigate session hijacking if the application is on HTTP and MITM is there

Thanks Reuben for the reply. The application allows multiple concurrent sessions... Bad luck though :(
I tried hard but I found that it's almost impossible to mitigate session hijacking if MITM is done.

Thanks again...

Regards
Amit Saini

On Tue, Jul 7, 2015 at 9:29 PM, reuben kurien <reubengkur...@gmail.com> wrote:

Hi Amit,

Just a suggestion. Would it be possible to restrict the use of concurrent sessions in your instance? Implementing such checks may help prevent multiple application connections purportedly originating from the same user identity.

Regards,
Reuben

Hi Friends,

How can we mitigate/stop session hijacking if the application is on HTTP and MITM is already there?

Regards
Amit Saini

On Mon, Jul 6, 2015 at 5:30 PM, <owasp-delhi-requ...@lists.owasp.org> wrote:

Send OWASP-Delhi mailing list submissions to owasp-delhi@lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit https://lists.owasp.org/mailman/listinfo/owasp-delhi or, via email, send a message with subject or body 'help' to owasp-delhi-requ...@lists.owasp.org

You can reach the person managing the list at owasp-delhi-ow...@lists.owasp.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of OWASP-Delhi digest..."

Today's Topics:

1. Re: How to implement ASLR & DEP in C# thick client applications? (Dhruv Soi)
2. Re: How to implement ASLR & DEP in C# thick client applications? (sanjay kumar)
3. Re: How to implement ASLR & DEP in C# thick client applications? (Dhruv Soi)

----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Jul 2015 16:00:02 +0400
From: Dhruv Soi <dhruv....@owasp.org>
To: sanjay kumar <sanjay1519...@gmail.com>
Cc: owasp-delhi <owasp-delhi@lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID: <CA+Rr0=6x1t9bxzmvcm1842orwat0ebxkpog2xhe3uajc2p1...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
http://www.lmgtfy.com/?q=aslr+c%23

On Fri, Jul 3, 2015 at 12:16 PM, sanjay kumar <sanjay1519...@gmail.com> wrote:
> Hi,
>
> Does anyone know how to implement ASLR (Address Space Layout
> Randomization), DEP (Data Execution Prevention) in a thick client
> application based on C#?
>
> If it cannot be implemented, then what is the risk in applications
> which are developed in C#?
>
> Regards,
>
> Sanjay Kumar
>
> _______________________________________________
> OWASP-Delhi mailing list
> OWASP-Delhi@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> Twitter: https://twitter.com/OWASPdelhi

------------------------------

Message: 2
Date: Mon, 6 Jul 2015 12:05:41 +0530
From: sanjay kumar <sanjay1519...@gmail.com>
To: Dhruv Soi <dhruv....@owasp.org>
Cc: owasp-delhi <owasp-delhi@lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID: <CAPHKmPMkf51EEqDY8KOjHn70AdPjcdQa=7ht3a5qp8txb_q...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thanks Dhruv,

But the question is for C#; I didn't find such a specific result for that.

On Sunday, July 5, 2015, Dhruv Soi <dhruv....@owasp.org> wrote:
> http://www.lmgtfy.com/?q=threats+of+no+aslr+in+applications
>
> http://www.lmgtfy.com/?q=aslr+c%23
------------------------------

Message: 3
Date: Mon, 6 Jul 2015 12:04:03 +0400
From: Dhruv Soi <dhruv....@owasp.org>
To: sanjay kumar <sanjay1519...@gmail.com>
Cc: owasp-delhi <owasp-delhi@lists.owasp.org>
Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
Message-ID: <CA+Rr0=67-k-=oarqeo67oag-ekz0afe6ros9gcurofykobr...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hope these help.

https://msdn.microsoft.com/en-us/library/microsoft.visualstudio.vcprojectengine.vclinkertool.randomizedbaseaddress.aspx
https://msdn.microsoft.com/en-us/library/bb384887.aspx
https://msdn.microsoft.com/en-us/library/dn195771.aspx
https://msdn.microsoft.com/en-us/library/hh156527.aspx

On Mon, Jul 6, 2015 at 10:35 AM, sanjay kumar <sanjay1519...@gmail.com> wrote:
> Thanks Dhruv,
>
> But the question is for C#; I didn't find such a specific result for that.
------------------------------

End of OWASP-Delhi Digest, Vol 84, Issue 5
******************************************
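Reuben's suggestion of restricting concurrent sessions, worked out as an added example (Python; not code from anyone in the thread): a server-side registry that keeps one active session per user and revokes a session ID that turns up from a different client than it was issued to, recording the event for review. The user name and addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    client: str   # remote address / client fingerprint the session was issued to

class SessionRegistry:
    """One active session per user; a session ID seen from another client is revoked."""
    def __init__(self):
        self._sessions = {}   # session_id -> Session
        self._by_user = {}    # user -> current session_id
        self.alerts = []      # audit records of suspected session reuse

    def login(self, user, client):
        old = self._by_user.get(user)
        if old is not None:
            # Single-session policy: a fresh login revokes the earlier session,
            # so one identity cannot stay active from two places at once.
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client)
        self._by_user[user] = sid
        return sid

    def authenticate(self, sid, client):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.client != client:
            # Same session ID from a different client: suspected hijack,
            # so revoke it and record the event for the security team.
            self.alerts.append({"user": s.user, "issued_to": s.client, "seen_from": client})
            self.revoke(sid)
            return None
        return s.user

    def revoke(self, sid):
        s = self._sessions.pop(sid, None)
        if s is not None and self._by_user.get(s.user) == sid:
            del self._by_user[s.user]

def demo():
    # Constructed scenario (placeholder addresses): login, then the copied session ID is seen from another host.
    reg = SessionRegistry()
    sid = reg.login("amit", "10.0.0.5")
    legit = reg.authenticate(sid, "10.0.0.5")
    replay = reg.authenticate(sid, "192.0.2.9")
    return legit, replay, len(reg.alerts), reg.authenticate(sid, "10.0.0.5")
```

This limits, but does not remove, the exposure Amit describes: an on-path attacker on plain HTTP can still relay the user's own traffic, so it is a compensating control, not a substitute for the end-to-end encryption Vinil recommends.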