James A. Donald wrote:
>> Adversary accesses web site as if about to log in,
>> gets a session ID. Then supplies false information
>> to someone else's browser, causes that browser on
>> someone else's computer to use that session ID.
>> Someone else logs in with hacker's session ID, and
>> now the adversary is logged in.
Michael Cordover:
> Question: how does one convince the victim's browser
> to use the malicious ID?
Assuming we can intercept and modify cleartext, no
problem. There are also several other ways that do not
require such a man-in-the-middle attack.
For example, the adversary might represent himself as
selling some item for egold. The victim clicks on the
egold link on the adversary's web page, but it is a
session fixation link which looks something like this:
<a href="http://e-gold/index.php?PHPSESSID=64383-34324-987437">
As a result, when the victim logs in to egold (logs in
to the genuine e-gold, not a phishing site), he logs the
adversary in. The adversary then drains all of the user's
account. (Assuming that e-gold is vulnerable to session
fixation.)
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
/xB6pMv9fT1fIGlyhzRyAjdO+X1POcedv7maASR+
4rXw3i2fw8a6eXIV31Rc11GLSM+BsAqwdlNX3AVVO
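The scenario in the post, modelled server-side so the fix can be checked rather than argued about. This is an added example, not code from the thread or from e-gold or PHP; the session store is a toy that stands in for a real one, and the two policy switches (adopting client-presented ids the server never issued, and regenerating the id at login) are assumptions about how such a server might be configured, not a description of any particular product. The ids, the link and the user name are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class SessionStore:
    """Toy server-side session table used to compare two session policies.

    accept_unknown_ids:  adopt any id a client presents even if the server never
                         issued it (assumed configuration, modelled here only).
    regenerate_on_login: discard the pre-authentication id and issue a fresh one
                         once the user has authenticated (the standard fixation fix).
    """

    def __init__(self, accept_unknown_ids, regenerate_on_login):
        self.sessions = {}  # session id -> {"user": None or username}
        self.accept_unknown_ids = accept_unknown_ids
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        """Issue a fresh, unpredictable session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        """Map the id a request carries (cookie or URL) to the session the server uses."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid and self.accept_unknown_ids:
            # Weak behaviour: the server trusts an id it never handed out.
            self.sessions[presented_sid] = {"user": None}
            return presented_sid
        return self.new_session()

    def login(self, presented_sid, user):
        """Authenticate the user on the resolved session; optionally rotate the id."""
        sid = self.resolve(presented_sid)
        if self.regenerate_on_login:
            # Anything bound to the old id (including an adversary's copy) is now useless.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        """Who, if anyone, is authenticated on this id (None if unknown or anonymous)."""
        return self.sessions.get(sid, {}).get("user")


def session_id_from_link(url):
    """Pull a PHPSESSID out of a link's query string (constructed input, not a real URL)."""
    return parse_qs(urlparse(url).query).get("PHPSESSID", [None])[0]


def fixation_succeeds(store, attacker_supplied_id=None):
    """Replay the post's scenario: does the adversary's id end up logged in as the victim?"""
    # Step 1: the adversary holds an id, either one the site issued or one he invented.
    attacker_sid = attacker_supplied_id or store.new_session()
    # Step 2: the victim's browser carries that id when the victim authenticates.
    store.login(attacker_sid, "victim")
    # Step 3: the adversary's own browser still presents attacker_sid.
    return store.user_for(attacker_sid) == "victim"


if __name__ == "__main__":
    link = "http://e-gold/index.php?PHPSESSID=64383-34324-987437"  # constructed, as in the post
    planted = session_id_from_link(link)
    for label, store in [
        ("accept unknown ids, no regeneration", SessionStore(True, False)),
        ("reject unknown ids, no regeneration", SessionStore(False, False)),
        ("reject unknown ids, regenerate at login", SessionStore(False, True)),
    ]:
        print(f"{label:45s} planted id: {fixation_succeeds(store, planted)!s:5} "
              f"site-issued id: {fixation_succeeds(store)}")
```

The middle row is the one worth noticing: refusing ids the server never issued stops the made-up link but not the post's actual scenario, where the adversary first obtains a genuine id from the site. Only regenerating the id when the user authenticates closes both, which is why that, and not id validation alone, is the check to look for when reviewing a login handler.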
-
The Cryptography Mailing List