[17364] in cryptography@c2.net mail archive
Re: What happened with the session fixation bug?
daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Jun 5 03:01:28 2005
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
Date: Sat, 04 Jun 2005 20:46:41 -0700
In-reply-to: <42A25C81.2090909@mjec.net>
--
James A. Donald wrote:
> > Adversary accesses web site as if about to log in,
> > gets a session ID. Then supplies false information
> > to someone else's browser, causes that browser on
> > some one else's computer to use that session ID.
> > Someone else logs in with hacker's session ID, and
> > now the adversary is logged in.
Michael Cordover
> Question: how does one convince the victim's browser
> to use the malicious ID?
Assuming we can intercept and modify cleartext, no
problem. There are also several other ways that do not
require such a man-in-the-middle attack.
For example, the adversary might represent himself as
selling some item for egold. The victim clicks on the
egold link on the adversary's web page, but it is a
session fixation link which looks something like this.
<a href="http://e-gold/index.php?PHPSESSID=64383-34324-987437">
As a result, when the victim logs in to e-gold (the
genuine e-gold, not a phishing site), he logs the
adversary in. The adversary then drains all of the user's
account. (Assuming that e-gold is vulnerable to session
fixation.)
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
/xB6pMv9fT1fIGlyhzRyAjdO+X1POcedv7maASR+
4rXw3i2fw8a6eXIV31Rc11GLSM+BsAqwdlNX3AVVO
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
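The attack described in the message above, replayed against a small simulated server, as an added example that is not part of the original post or of any real e-gold code. The session store, the routes (/index.php, /login, /account), the user database and the "correct horse" password are assumptions for illustration; the session ID in the link is the one from the post. The simulation shows the two server behaviours that decide whether fixation works: whether a session ID supplied in the URL (PHP's PHPSESSID) is honoured, and whether the ID is regenerated once the user authenticates.

```python
"""Session fixation simulated: a server that adopts ?PHPSESSID=... from the
URL versus one that ignores it and/or rotates the ID at login.
Added example; the server, its routes and the users are assumptions."""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed user database for the simulation (an assumption, not e-gold's).
USERS = {"victim": "correct horse"}


class SessionServer:
    """Minimal stand-in for a PHP-era web app with server-side sessions.

    accept_url_sid      -- honour ?PHPSESSID=... in the URL (the trans-sid
                           behaviour that session fixation relies on)
    regenerate_on_login -- swap in a fresh random ID once the user authenticates
    """

    def __init__(self, accept_url_sid, regenerate_on_login):
        self.accept_url_sid = accept_url_sid
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}            # sid -> {"user": name or None}

    def _new_session(self):
        sid = secrets.token_hex(16)   # 128 bits, unguessable by the attacker
        self.sessions[sid] = {"user": None}
        return sid

    def _resolve_sid(self, url, cookie_sid):
        """Pick the session for this request; always returns an existing sid."""
        sid = cookie_sid
        url_sid = parse_qs(urlsplit(url).query).get("PHPSESSID", [None])[0]
        if self.accept_url_sid and url_sid is not None:
            sid = url_sid                 # attacker-controlled value wins
        if sid is None:
            return self._new_session()
        if sid not in self.sessions:
            if self.accept_url_sid:
                # Permissive mode: an unknown ID is simply adopted, so the
                # attacker does not even need to fetch a real one first.
                self.sessions[sid] = {"user": None}
            else:
                # Strict mode: an unknown ID is discarded and a fresh one issued.
                sid = self._new_session()
        return sid

    def handle(self, url, cookie_sid=None, credentials=None):
        """Serve one request. Returns (sid the browser should keep, body)."""
        sid = self._resolve_sid(url, cookie_sid)
        path = urlsplit(url).path
        if path == "/login" and credentials is not None:
            user, password = credentials
            if USERS.get(user) != password:
                return sid, "login failed"
            if self.regenerate_on_login:
                del self.sessions[sid]        # the possibly-fixed ID dies here
                sid = self._new_session()
            self.sessions[sid]["user"] = user
            return sid, f"welcome {user}"
        if path == "/account":
            user = self.sessions[sid]["user"]
            return sid, (f"balance of {user}" if user else "not logged in")
        return sid, "ok"


def run_fixation_attack(server):
    """Replay the e-gold scenario from the post against `server`; returns
    what the attacker sees at /account after the victim has logged in."""
    attacker_sid = "64383-34324-987437"     # the ID in the post's link
    link = f"http://e-gold/index.php?PHPSESSID={attacker_sid}"

    # 1. Victim clicks the attacker's link with no cookie yet; the browser
    #    stores whatever session ID the genuine server hands back.
    victim_cookie, _ = server.handle(link)
    # 2. Victim logs in to the genuine site using that cookie.
    victim_cookie, _ = server.handle("http://e-gold/login",
                                     cookie_sid=victim_cookie,
                                     credentials=("victim", "correct horse"))
    # 3. Attacker presents the ID he chose in step 1.
    _, body = server.handle("http://e-gold/account", cookie_sid=attacker_sid)
    return body


if __name__ == "__main__":
    for accept, regen in [(True, False), (False, False),
                          (True, True), (False, True)]:
        srv = SessionServer(accept_url_sid=accept, regenerate_on_login=regen)
        print(f"accept_url_sid={accept!s:5} regenerate_on_login={regen!s:5} "
              f"-> attacker sees: {run_fixation_attack(srv)}")
```

Only the permissive server that neither rejects URL-supplied IDs nor rotates at login lets the attacker read the victim's account. Refusing IDs from the URL stops the link in the post, but it does not help against the cleartext-interception case the message also mentions, where the attacker can plant the ID as a cookie instead; regenerating the session ID at login closes both routes, because whatever ID the attacker fixed is destroyed before the authenticated session exists.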