Study research project about session cookies, SSL and session hijacking

Hanno's Blog

Tuesday, January 13. 2009

Study research project about session cookies, SSL and session hijacking

In the last weeks, I made a study research project at the EISS at the University of Karlsruhe. The subject was »Session Cookies and SSL«, investigating the problems that arise when trying to secure a web application with HTTPS and using session cookies.

I already wrote about this in the past, presenting vulnerabilities in various web applications.

One of the notable results is probably that ebay has just no measurements against those issues at all, so it's pretty trivial to hijack a session (and use that to do bids and even change the address of the hijacked account).

Download »Session Cookies and SSL« (PDF, 317 KB)
Posted by Hanno Böck in Code, English, Security at 23:38 | Comments (5) | Trackback (1)
Defined tags for this entry: , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

Links - 24.01.2009
Nach langer Zeit komme ich auch mal wiederzum Auswerten von Links. Allerdings werden auch die nächsten Wochen nicht wirklich entspannter für mich.Die Kompetenzbündelung (ich bin nicht bei einer Beraterfirma eingestiegen, keine Sorge) von Bertelsmann kur
Weblog: emplify
Tracked: Jan 24, 17:11

Comments
Display comments as (Linear | Threaded)

Sieht gut aus, vor allem dass serendipity sicher ist liest man gern :-)

Kennst du http://de.wikipedia.org/wiki/Cross-Site_Authentication? Das passt so etwa ins Thema.
#1 Joachim Breitner (Homepage) on 2009-01-14 20:55 (Reply)
Ja, vor einigen Jahren hast Du das auf der GPN präsentiert - da war ich im Raum.
#1.1 Hanno (Homepage) on 2009-01-14 21:01 (Reply)
Möglicherweise habe ich es beim Überfliegen übersehen, aber ich vermisse die Erwähnung des Flags "secure" und u.U. auch noch des Flags "httpOnly" bei Cookies.
#2 Alex (Homepage) on 2009-01-14 23:27 (Reply)
Flag secure wird in der Einführung zu Kapitel 4 erläutert.

httponly wird nur beiläufig bei der Code-Lösung in PHP erwähnt, das hätte man ausführlicher machen können, wobei das ja eher was mit XSS zu tun hat.
#2.1 Hanno (Homepage) on 2009-01-14 23:53 (Reply)
Hi Hanno,

ich hab dich getaggt :-) http://phphacker.net/2009/01/15/the-seven-things-itch/

Cheers,

unset
#3 unset (Homepage) on 2009-01-15 04:44 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.

You can find my web page with links to my work as a journalist here.

I am also publishing a newsletter about climate change and decarbonization technologies.

The blog uses the free software Serendipity and is hosted at schokokeks.org.

Hanno on Mastodon | Contact / Imprint | Privacy / Datenschutz