> -----Original Message-----
> From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
> Ian Bagley pressed the little lettered thingies in this order...
> > One thing which would prevent hijacks from simply guessing SIDS 
> would be to
> > add an md5 hash to the end of a url.... 
> > 
> > 
> > Ian
> This thread isn't about "guessing" a session ID, it's about "stealing" a 
> session ID.  The same asnwer applies to your response as to the 
> original question.
> There was a thread about this just a few days ago, but the answer for 
> *most* applications is an astounding, "NO."  Unless you are running the 
> entire transaction through SSL, any packet sniffer on the network can 
> view, steal and use ANYTHING you send over the netowrk (including the 
> value of a session ID that is being sent as a cookie value, the username 
> and password for a telnet session, the username and password for an 
> FTP session, etc). Packet sniffers are incredibly easy to find, get and 
> use (even for "script kiddies"). If your session data is *that* 
> vital, you 
> should consider using SSL.
> This is likely to be true as long as HTTP transmissions are stateless.
> Christopher Ostmo

Indeed, SSL is the only way to properly protect from 'stealing' a SID, but still, the 
MD5 solution does tend to protect the integrity of the query string. The other day I 
was using a SSL connection to a web site which was passing an insurance premium from 
one page to another and guess what? yep! I could change the premium to just 1 pence! 
and it was quite happy to take me through to the credit card transaction site and 
prepere to bill me for 1p! Needless to say I didn't transact! And I won't mention the 
URL! I guess this is more like session sado-masachism than hijacking?


Reply via email to