Web Application Security

I am testing a web application for security holes, and I came across the following two cases.

  • Using a proxy server, I intercept all requests received by the application and save all cookies. Using these saved cookies, I can restore the session to another machine and access the user's personal information without additional authentication. I think that any administrator could pull out such things and gain access to the personal information of all users on the network.

  • Same as in case 1, but I can restore the session on another machine even after the original user logged off correctly, i.e., the session seems to remain valid on the server even after the original user logs out, and all cookies associated with the session are deleted on the client side.

I am pretty sure Case 2 is a security flaw in a web application. I am wondering if Case 1 can also technically be considered a vulnerability in a web application. If so, what are some ways to fix this?

+3
4 answers

1. , sysadmin , sysadmin .

, , , sysadmin , ( , - ), / HTTPS.

, , cookie HTTPS, ( man-in-the-middle).

2. . 1, (- cookie).

: / HTTPS, - WHOLE , , cookie, - .

, ( -, ). , , , - .

ip, cookie ip, , NAT .

: . , - . WAP.

+1

SSL , .

, IP- , .. , , , , . , .

0

(1) -, . , , .

. , (: 3 ), .

-. - , .

0

, 1 , , . ? , , , .

, , , to record user agent, . , , - , , , .

IP- , between, , - .

// Compare the user agent hash stored at login with the current request's user agent
if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
    die('{ "success": false, "text": "Please re-log in." }');
}
0
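The question's two cases and the fourth answer's user-agent check, worked through as one added example (not code from the original thread). It is a minimal server-side session store written for this illustration: the class name SessionStore, the TTL value, and the sample user-agent strings are all constructed here. For Case 1 it shows the cookie attributes that make capture harder and binds the session to a hash of the user agent as the fourth answer suggests; for Case 2 it shows that logout must delete the session record on the server, so a replayed cookie is rejected even though the client still holds a copy.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds of inactivity before a session expires (constructed value)


class SessionStore:
    """In-memory server-side session store (example code, not a framework API)."""

    def __init__(self):
        self._sessions = {}  # session id -> record

    def login(self, username, user_agent):
        # A fresh, unguessable id is issued on every login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": username,
            # Fourth answer's idea: remember a hash of the user agent at login.
            "ua_hash": hashlib.sha256(user_agent.encode()).hexdigest(),
            "last_seen": time.time(),
        }
        return sid

    def cookie_header(self, sid):
        # Secure: only sent over HTTPS; HttpOnly: not readable by script;
        # SameSite=Strict: not attached to cross-site requests.
        return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def authenticate(self, sid, user_agent, now=None):
        """Return the username for a valid session, or None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None  # unknown, logged out, or never issued
        if now - rec["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None  # idle timeout limits how long a captured cookie is useful
        if rec["ua_hash"] != hashlib.sha256(user_agent.encode()).hexdigest():
            return None  # user agent changed since login
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        # Deleting the record server-side is what fixes Case 2: the client's
        # copy of the cookie is worthless once the server has forgotten it.
        self._sessions.pop(sid, None)


def replay_scenario():
    """Walk through the two cases from the question and report each outcome."""
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed sample user agent)"
    sid = store.login("alice", ua)
    stolen = sid  # a proxy captures the cookie value, as in Case 1
    results = {}
    # Case 1: while the session is alive, a replay from the same user agent works.
    results["replay_while_active"] = store.authenticate(stolen, ua)
    # The user-agent binding rejects a replay from a different client.
    results["replay_other_ua"] = store.authenticate(stolen, "curl/8.0 (constructed)")
    # Case 2: after a proper logout the replay must fail.
    store.logout(sid)
    results["replay_after_logout"] = store.authenticate(stolen, ua)
    results["cookie"] = store.cookie_header(sid)
    return results


if __name__ == "__main__":
    for key, value in replay_scenario().items():
        print(key, "->", value)
```

The user-agent hash is a cheap extra check, but it is not a substitute for the server-side invalidation: the replay while the session is active still succeeds, which is why Case 1 is addressed by keeping the cookie off the wire (HTTPS plus the Secure and HttpOnly attributes) and by keeping sessions short-lived, while Case 2 is addressed by the logout method actually removing the record.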

Source: https://habr.com/ru/post/1773796/
