Cookieless session: is this a security risk?

http://msdn.microsoft.com/en-us/library/aa479314.aspx

You have a user who successfully logged in from a computer in an Internet cafe; hacker H was able to sniff the network and get the user's session ID. Can H use that session ID and act as the user from another computer?

Can H enter http://folder/(session id)/CreditCardInformation.aspx and find out the user's credit card number?

+4

4 answers

I'm a little worried that no one has listed these 2 attacks:

1) Session Fixation: A hacker visits your website and receives one of these session URLs. He then sends a lot of fake emails to potential users so that they appear as if they were coming from your site. The email asks the user to do something and gives the attacker's session URL. The attacker then periodically checks the session URL to verify whether someone has authenticated. If they have, the attack succeeded and the hacker has simply stolen the account. The fix for this problem is to save the user's IP address in a session variable at creation and check it on each request. If you transfer the session identifier only via a cookie, the attacker cannot set the cookie value in another browser for a domain that he does not control, so this attack cannot be performed.

2) Printer: Sometimes people print a page from a website. Have you ever looked at the very bottom of a page printed from a website? Well, usually the URL is on the page. If you print the page and then pass it on to someone, you have simply written down your username / password and handed it to them.

Avoid session URLs at all costs.

Use SSL for the entire session. If you do not, you will expose the session ID (this is true even if you use a cookie!). This use of SSL is an explicit requirement of the 2010 OWASP Top 10, A3 "Broken Authentication and Session Management".

+1

Well, it depends on many things.

Basically, YES, if you know the URL, you can see what it serves. A hacker will be able to do whatever he wants if he has a session identifier.

A cookie-based session identifier can also be intercepted by a hacker if he/she has access to the HTTP stream.

However, there are several additional safeguards that can be put into effect. For instance:

  • (session id) should only be valid for a short period
  • (session identifier) can only be valid for a specific IP (the IP that created the session)
  • (session identifier) can only be valid for a specific version of user-agent / flash // signature
  • (session identifier) can be changed on each new page view, ignoring the previous session_id

When processing credit card information:

  • Always use https. This is more secure because data is encrypted at least between the browser and the first https proxy on the route to the server.
  • The case where you need to manipulate credit card information yourself is rare. Credit card processing sites themselves are nowadays increasingly forced to respect PCI DSS rules, which can be quite complex. You should probably get a contract with a banking solution in which the credit card is sent to their web pages, or, for example, use PayPal.
  • Never store credit card information in your database unless you have the necessary security solutions in place, with regular external audits.

The following link may give you more information about best practices for session ids.

I hope this helps you. Jerome WAGNER

+4
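The safeguards listed in the answer above (short lifetime, binding the session to the client IP and User-Agent, rotating the identifier on every request) as an added example; this is not code from the answer or from ASP.NET, and the store, its method names and the demo values are my own assumptions.

```python
import hashlib
import secrets
import time

# Constructed demo: an in-memory session store that applies the hardening
# steps from the answer: short lifetime, bind to client IP + User-Agent,
# rotate the session id on every request. All names here are assumed.

SESSION_TTL = 600  # seconds; a short lifetime limits the window for a sniffed id


def _fingerprint(ip, user_agent):
    # Hash so the store never holds raw client details next to the session.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> record
        self._clock = clock  # injectable for testing expiry

    def create(self, username, ip, user_agent):
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable id
        self._sessions[sid] = {
            "user": username,
            "fp": _fingerprint(ip, user_agent),
            "expires": self._clock() + SESSION_TTL,
        }
        return sid

    def use(self, sid, ip, user_agent):
        """Validate a presented id; return (username, new_id) or None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() > rec["expires"]:
            del self._sessions[sid]  # expired: discard
            return None
        if rec["fp"] != _fingerprint(ip, user_agent):
            del self._sessions[sid]  # presented from another client: destroy it
            return None
        # Rotate: the old id stops working, so a sniffed copy is useless once
        # the legitimate client has made its next request.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        rec["expires"] = self._clock() + SESSION_TTL
        self._sessions[new_sid] = rec
        return rec["user"], new_sid
```

Binding to the client IP forces a re-login for users whose address changes mid-session (mobile networks, proxy pools), which is why the answer lists it as one option rather than the only one.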

Yes.

If a hacker gets your session ID, he can do anything you can do on that website.

To prevent this, the authentication form and all subsequent pages must always be served via https. Among other things, https eliminates (or at least reduces) man-in-the-middle attacks.

+1

In a word, yes, for the reasons described by the other posters.

Of course, if you use an unencrypted HTTP connection to transmit credit card information, he will be able to sniff that credit card information directly, regardless of what session information you use. You need to implement SSL / https no matter what session method you use.

0

Source: https://habr.com/ru/post/1307036/
