Struts is a V-layer framework. I don't get what this piece is about...

It seems the author intends to create a new session ID after authentication succeeds...

Feels unnecessary... Just destroy the current session; on the next visit a new session ID will naturally appear.

My English isn't good, so maybe I've misunderstood? Let me look at the code again.

     /* Session ID Regeneration: Try #4 */
     ((SessionMap)this.session).invalidate();
     // kill the current SESSION; in other words, a new session is generated automatically afterwards
     this.session = ActionContext.getContext().getSession();
     /* End Try #4 */

     session.put("AUTHENTICATED", new Boolean(true));
     // grant the new session the authenticated privilege

After reading it, think about it: if the current user's session is not invalidated, how would we attack?

First, while the user is still just an ordinary visitor, we capture the session ID from the cookie. What we captured is useless at that point, but once he logs in, it becomes useful.

Suppose this server determines privileges only through the session and does not use cookies.

At that point the session ID becomes especially important. If the session is not invalidated after authentication, then once this user logs in, this session ID suddenly turns into a logged-in session ID.

And it just so happens that we captured this session ID earlier.

So we could write something that keeps putting the captured session ID into HTTP packets and keeps requesting some back-end page. Who knows, maybe one of those sessions will have logged in.

Since we can capture the session ID, why not capture something else? I must be thinking about the application side wrongly... Let me think again... The text above is pure nonsense.

Hmm... there must be a blind-attack part here.

Consider a narrow scenario:

Before the administrator logs into the back end, he must already have a session. He may not go to the back end directly but first visit the front end. After that he works in the back end and never visits the front end again...

And we can XSS somewhere on the front end and collect all the visiting users' sessions.

At that point, if the program does not generate a new session in the back end but instead grants admin privileges within the current session, it can be exploited.

After the admin logs in, as long as he does not log out (does not invalidate the session), the session will not change.

We already have this session...
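The mitigation for the scenario above is to make the privilege change the moment the old session ID dies. The reply's point that "just destroying the current session" is enough misses one detail: the AUTHENTICATED flag must be stored in the new session, inside the same request, so the new ID has to be created before the response is committed. The following is an added example, not code from the thread or from Nick Coblentz's post; it assumes the Servlet 3.0 API (javax.servlet) or later, a hypothetical LoginServlet mapped to /login, and reuses the thread's placeholder admin/admin credential check. It also shows the one thing a plain invalidate() loses: pre-login state you actually want to keep (here a RETURN_TO attribute) has to be copied over explicitly.

```java
package example.sessions;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (added example). The pre-authentication session,
 * whose ID an attacker may already know, is discarded at the moment privileges
 * change, and the AUTHENTICATED flag only ever lives in the fresh session.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userid = request.getParameter("userid");
        String password = request.getParameter("password");

        if (!authenticate(userid, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Everything from the anonymous session is thrown away except the attributes
        // we explicitly choose to carry over (here: a post-login redirect target).
        HttpSession session = regenerateSession(request, Collections.singleton("RETURN_TO"));
        session.setAttribute("AUTHENTICATED", Boolean.TRUE);
        session.setAttribute("USERID", userid);

        String target = (String) session.getAttribute("RETURN_TO");
        // Only accept a site-local path; anything else falls back to the default page.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = "/PageRequiringAuthentication.jsp";
        }
        // The new session already exists, so its Set-Cookie leaves with this redirect.
        response.sendRedirect(request.getContextPath() + target);
    }

    /**
     * Invalidates the current session (the captured ID is dead server-side from here on),
     * creates a new one, and copies back only the named attributes.
     */
    static HttpSession regenerateSession(HttpServletRequest request, Set<String> carryOver) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : carryOver) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // container issues a new JSESSIONID here
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Same placeholder check as the thread's code; a real application verifies
    // the credentials against its user store.
    private boolean authenticate(String userid, String password) {
        return "admin".equals(userid) && "admin".equals(password);
    }
}
```

Regeneration on its own does not stop the front-end XSS harvesting the reply describes; for that the session cookie should also be flagged so script cannot read it, which on Servlet 3.0 containers is the `<cookie-config>` element with `<http-only>true</http-only>` (and `<secure>true</secure>` on HTTPS sites) in web.xml. On Servlet 3.1 containers, `request.changeSessionId()` is an alternative to invalidate-and-recreate that keeps all attributes and only swaps the ID.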

2008/9/5 大风 <[EMAIL PROTECTED]>

>
>
> Background
>
> Whenever a user crosses an authentication boundary, the user's session ID
> should be regenerated. This concept applies to a user logging into an
> application, logging out, or when a user reauthenticates due to a risk-based
> authentication process. The regeneration of session IDs is an important
> practice that helps eliminate session fixation vulnerabilities and may limit
> the impact of session theft vulnerabilities prior to authentication.
>
> For more information on Session Fixation vulnerabilities and Session ID
> regeneration practices, please see the OWASP pages below:
>
> http://www.owasp.org/index.php/Session_Fixation
>
> http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
>
> Session ID Regeneration in Traditional Java Web Applications
>
> In a J2EE application, the user's JSESSIONID cookie should be regenerated
> and the previous session should be removed or deleted from the server.
> Example code below shows how this might be accomplished in a traditional
> Java web application.
>
> import java.io.IOException;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
>
> public class ExampleLoginServlet extends HttpServlet {
>
>     public void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>
>         boolean authenticated = false; // placeholder: the application's own credential check goes here
>         if (authenticated) {
>             request.getSession().invalidate();               // drop the pre-authentication session
>             HttpSession session = request.getSession(true);  // container issues a new JSESSIONID
>             session.setAttribute("AUTHENTICATED", new Boolean(true));
>             response.sendRedirect("PageRequiringAuthentication.jsp");
>         }
>         // Additional Code Would Normally Follow
>     }
> }
>
> Session ID Regeneration in Struts 2 Applications
>
> In Struts 2 applications, developers typically don't directly interact with
> the HttpServletRequest, HttpServletResponse, or HttpSession objects. With
> consideration of these factors, the solution discussed above for a
> traditional Java web application may not be appropriate for Struts 2.
>
> I did a little research and through trial and error I came up with a Struts
> 2 specific solution for regenerating JSESSIONIDs. This solution utilizes the
> SessionAware interface. Please excuse the unrealistic authentication code...
>
> package nickcoblentzblog.actions.sessions;
>
> import java.util.Map;
> import org.apache.struts2.interceptor.SessionAware;
> import com.opensymphony.xwork2.ActionContext;
> import com.opensymphony.xwork2.ActionSupport;
> import org.apache.struts2.dispatcher.SessionMap;
>
> public class Login extends ActionSupport implements SessionAware {
>
>     private String userid;
>     private String password;
>     private Map session;
>
>     public String execute() {
>         // null-safe comparison: a missing request parameter would otherwise throw NullPointerException
>         if ("admin".equals(userid) && "admin".equals(password)) {
>
>             /* Session ID Regeneration: Try #4 */
>             ((SessionMap) this.session).invalidate();               // drop the pre-authentication session
>             this.session = ActionContext.getContext().getSession(); // re-fetch the session map
>             /* End Try #4 */
>
>             // SessionMap lazily creates a fresh HttpSession on this put(), hence the new JSESSIONID
>             session.put("AUTHENTICATED", new Boolean(true));
>             return SUCCESS;
>         } else {
>             return ERROR;
>         }
>     }
>
>     public String getUserid() {
>         return userid;
>     }
>
>     public void setUserid(String userid) {
>         this.userid = userid;
>     }
>
>     public String getPassword() {
>         return password;
>     }
>
>     public void setPassword(String password) {
>         this.password = password;
>     }
>
>     public void setSession(Map session) {
>         this.session = session;
>     }
> }
>
> To test this code, I followed the following procedure.
>
> 1. Cleared all browser cookies
> 2. Visited the Login JSP page
> 3. Used the Web Developer Toolbar to view my initial JSESSIONID
> 4. Logged into the application successfully
> 5. Used the Web Developer Toolbar to view my final JSESSIONID
>
> The initial JSESSIONID value was:
> AA4996C5E24BB8221BB27B23EA599F34
>
> The final JSESSIONID value was:
> 325ED18851B93EBA542D2AE7926E7F8E
>
> Based on these tests this solution appears to work successfully.
>
> In case anyone is curious, here are a couple other ideas I toyed with:
>
>
>
> /* Try #1:
> this.request.getSession().invalidate();
> this.request.getSession(true);
> */
>
> /* Try #2:
> HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities();
> esapiHTTPUtilities.setCurrentHTTP(request, response);
> try {
>     esapiHTTPUtilities.changeSessionIdentifier();
> }
> catch(Exception e) {
>     e.printStackTrace();
> }
> */
>
> /* Try #3:
> ((SessionMap)ActionContext.getContext().getSession()).invalidate();
> */
>
> Posted by Nick Coblentz
>
> [Ph4nt0m] <http://www.ph4nt0m.org/>
> [Ph4nt0m Security Team]
> [EMAIL PROTECTED] <http://blog.ph4nt0m.org/>
> Email: [EMAIL PROTECTED]
> PingMe: <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wuhq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
> === V3ry G00d, V3ry Str0ng ===
> === Ultim4te H4cking ===
> === XPLOITZ ! ===
> === #_# ===
> #If you brave,there is nothing you cannot achieve.#
>
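Nick's "Try #4" puts the regeneration inside each login action. A Struts 2 application with several authentication boundaries (login, logout, step-up re-authentication, as the Background section lists) is easier to keep correct if one interceptor does it whenever the AUTHENTICATED flag changes. The following is an added example, not code from the thread or from Nick Coblentz's post; it assumes Struts 2.1 or later (generic SessionMap) and a hypothetical class name. It goes through SessionMap.invalidate(), as the thread's code does, because the map keeps its own reference to the HttpSession, and after invalidate() its next put() creates the replacement session. The one timing point worth knowing is that the swap has to happen after the action but before the result renders, which is what the PreResultListener provides: once the JSP starts writing, the response may already be committed and the new session cookie would never reach the browser.

```java
package example.interceptors;

import java.util.HashMap;
import java.util.Map;

import org.apache.struts2.dispatcher.SessionMap;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.interceptor.PreResultListener;

/**
 * Hypothetical interceptor (added example): regenerates the JSESSIONID whenever
 * an action flips the AUTHENTICATED flag, so no login or logout action has to
 * remember to do it itself.
 */
public class SessionRegenerationInterceptor extends AbstractInterceptor {

    static final String AUTH_KEY = "AUTHENTICATED";

    @Override
    @SuppressWarnings("unchecked")
    public String intercept(final ActionInvocation invocation) throws Exception {
        final Map<String, Object> session = invocation.getInvocationContext().getSession();
        final boolean authenticatedBefore = isAuthenticated(session);

        // Runs after execute() returns but before the result (JSP/redirect) is executed,
        // while the response is still uncommitted and a new Set-Cookie can be added.
        invocation.addPreResultListener(new PreResultListener() {
            @Override
            public void beforeResult(ActionInvocation inv, String resultCode) {
                boolean authenticatedAfter = isAuthenticated(session);
                if (authenticatedBefore != authenticatedAfter && session instanceof SessionMap) {
                    // keep attributes on login (false -> true), drop everything on logout
                    regenerate((SessionMap<String, Object>) session, authenticatedAfter);
                }
            }
        });
        return invocation.invoke();
    }

    static boolean isAuthenticated(Map<String, Object> session) {
        return Boolean.TRUE.equals(session.get(AUTH_KEY));
    }

    /**
     * Invalidates the current HttpSession (the old ID is dead server-side from here on).
     * With keepAttributes the values the action just stored are copied into the new
     * session; SessionMap creates that new HttpSession lazily on the first put().
     */
    static void regenerate(SessionMap<String, Object> session, boolean keepAttributes) {
        Map<String, Object> carried = keepAttributes ? new HashMap<String, Object>(session) : null;
        session.invalidate();
        if (carried != null) {
            session.putAll(carried);
        }
    }
}
```

To use it, declare the class as an interceptor in struts.xml and add it to the stack of the login and logout actions (or to the default stack); actions then only set or remove the AUTHENTICATED key and never touch the session ID themselves. The same test Nick describes (read the JSESSIONID before and after logging in with the browser's developer tools) is the quickest way to confirm the cookie actually changes, and repeating it for logout checks the second boundary.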

--~--~---------~--~----~------------~-------~--~----~
 To post to this mailing list, send mail to [email protected]
 To unsubscribe from this list, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---