Theft cookie ID - counting

Question

Theft cookie ID - counting

It is easy to steal cookies with a JavaScript session ID with javascript features installed on trusted sites by other users. What are the possible countermeasures for this kind of attack?

Rejecting all client-side javascripts is probably difficult because almost all sites use js. What are the possible server side countermeasures? Is it possible to include the hash of the client IP address in the session ID value to prevent the use of a valid session ID from another host? Does this approach make sense?

One of the resources mentioned in your valuable answers suggests a solution in which the session ID changes after each request. Is such a feature already supported by application servers / frameworks? In particular, what about Django / python?

+4

javascript security session-hijacking

paweloque Jan 24 '11 at 15:10

source share

5 answers

It is inconvenient to do IP session matching because you have no guarantee that people do not use proxies, and these proxies can easily change IP addresses.

The best you can do is use SSL and make your cookies HTTP-only .

+4

jvenema Jan 24 '11 at 15:19

source share

You want to indicate that some cookies are for a host, domain, subdomain, or something else. Cookies support this.

I don’t think you can access cookies from other domains.

+2

Matías Fidemraizer Jan 24 '11 at 15:18

source share

Install only javascript that you trust. Check the source code (maybe use some kind of XSS scanner) if you are not sure about the code.
filter your javascript (from input) using, for example, this simple javascript snippet:
sanitize function (html) {
`return String (html)
.replace (/ & (?! \ w +;) / g, '&')
. Put on (/ .replace (/ "> / g, '>')
.replace (/ "/ g, '"');
}

You MUST also have good filtering (input) on the server side. For example, PHP filter extension .

Use http-only cookie .
Use SSL.

+1

Alfred Jan 24 '11 at 15:25

source share

This is called XSS . The best solution to prevent JavaScript from being placed on clients in the first place.

~~An interesting solution is to provide token-based authentication for each user operation.~~ ~~See the OWASP CSRF page for more information.~~

Edit: As the comment says, the token will not help mitigate the problem of session hijacking. As the Wikipedia article Session Capture says, the best solution is to rotate the session ID, which is possible with every page reload.

+1

vz0 Jan 24 '11 at 15:25

source share

HoLyVieR · Accepted Answer · 2011-01-24T15:24:01+0000

Is it possible to enable the hash of the client ip address in the session id to exclude the session identifier being used from another host? Does this approach make sense?

This may block session capture in a situation, but in a situation where the attacker computer and the victim computer are on the same network, it will not do anything, since the connection is from the same IP address.

What are the possible server side countermeasures?

Using SSL will help prevent session hijacking if a person is connected to a public network.

You can view your code and make sure that the code is missing XSS .

You can also verify that the cookie used to store the session has the HTTP Only flag.

Theft cookie ID - counting

More articles: