Was running a penetration scan against our A4D website, and one of the warnings
pertained to predictable session IDs. From the A4D docs, I found the following:
- The 32-bit internal session ID is mixed with random data and encrypted to
  generate a 16-character cookie string.
- The encryption key is randomly selected each time the 4D is restarted.
This sounds pretty good. Is this warning below just a blanket statement made
to any website using sessions?
Thanks!
Jason
Many Web sites support the idea of user sessions. Each user connecting to the
site is issued a unique session ID, which is then used to identify all
subsequent requests made by that user, either encoded in the URLs, or as a
cookie. The server can then store data for each user session such as the state
of a Web shopping cart. Session IDs are also often used to control access to
sites requiring a login. Instead of sending the username/password with every
request, the site issues a session ID after the user logs on, and the session
ID identifies the user for the rest of the session.
With some server session management systems, it's possible for a user, who can
connect to the server and get a session ID, to guess other users' session IDs.
If successful, the attacker can then view any page, take any action, post to
any form etc. as the real user of that session.
This attack requires no IP spoofing or session snooping. It works against sites
using SSL.
The following links provide more information about this vulnerability:
[Netcraft Security Advisory 2001-01.1 - Predictable Session IDs](http://news.netcraft.com/archives/2003/01/01/security_advisory_2001011_predictable_session_ids.html)
[Cookie Encyclopedia - Predictable Session IDs](http://www.pdos.lcs.mit.edu/cookies/seq_sessionid.html)
[Brute-Force Exploitation of Web Application Session IDs](http://www.cgisecurity.com/lib/SessionIDs.pdf)
_______________________________________________
Active4D-dev mailing list
[email protected]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/
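The scanner warning is about one quantity: how many guesses an attacker who can mint his own sessions needs before he lands on someone else's. The script below is an added illustration, not code from the original post or from Active4D. It builds two constructed issuers (a bare hex counter, the textbook predictable scheme, and a 96-bit CSPRNG token base64url-encoded to 16 characters), then runs the checks one would apply to a sample of real cookies: a per-position Shannon entropy estimate, a detector for constant-step counters, and the brute-force cost formula from the cgisecurity paper (expected guesses = 2^bits / number of live sessions). Names such as `CounterIssuer`, `RandomIssuer` and `assess` are this example's own.

```python
"""Assess a sample of session cookies for predictability.

Added illustration for the "predictable session IDs" scanner warning. The
two issuers are constructed for this example and are NOT Active4D's session
code; the checks are what you would run against cookies harvested from a
real server.
"""
import base64
import math
import secrets
import string
import struct
from collections import Counter

HEX = set(string.hexdigits)


class CounterIssuer:
    """Constructed weak issuer: a bare 32-bit counter, hex-encoded (8 chars)."""

    def __init__(self, start: int = 1000) -> None:
        self.n = start

    def issue(self) -> str:
        self.n += 1
        return struct.pack(">I", self.n).hex()


class RandomIssuer:
    """Constructed strong issuer: 96 bits from the OS CSPRNG as base64url.

    12 bytes encode to exactly 16 characters with no padding, so every
    position carries 6 bits and the token is 16 characters long."""

    def issue(self) -> str:
        return base64.urlsafe_b64encode(secrets.token_bytes(12)).decode()


def positional_entropy_bits(tokens: list[str]) -> float:
    """Sum over character positions of the Shannon entropy (bits) of the
    characters seen at that position. Constant prefixes score zero; a
    position can contribute at most log2(len(tokens)), so sample generously."""
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def is_sequential(tokens: list[str]) -> bool:
    """True when every token is hex and consecutive values differ by one
    constant step, i.e. the classic counter scheme."""
    if len(tokens) < 2 or not all(set(t) <= HEX for t in tokens):
        return False
    values = [int(t, 16) for t in tokens]
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def expected_guesses(entropy_bits: float, active_sessions: int) -> float:
    """Expected guesses before hitting *some* live session: the token space
    holds 2**entropy_bits values and active_sessions of them are valid."""
    return 2 ** entropy_bits / active_sessions


def assess(tokens: list[str], active_sessions: int = 1000) -> dict:
    """Summarise a harvested sample the way a pen-tester would report it."""
    bits = positional_entropy_bits(tokens)
    return {
        "length": len(tokens[0]),
        "entropy_bits": round(bits, 1),
        "sequential": is_sequential(tokens),
        "expected_guesses": expected_guesses(bits, active_sessions),
    }


if __name__ == "__main__":
    for name, issuer in (("counter", CounterIssuer()), ("csprng", RandomIssuer())):
        sample = [issuer.issue() for _ in range(512)]
        print(name, assess(sample))
```

Two caveats when reading the numbers. The entropy estimate is what an observer sees, so a counter that has only advanced through a few hundred values scores a few bits even though its nominal space is 32 bits; that is exactly the guesser's advantage. Conversely, a black-box sample cannot tell an encrypted counter from a truly random token: the scheme described in the docs excerpt above would score like the CSPRNG issuer, but its real guessing cost is bounded by how much random data is mixed in and by the secrecy of the per-restart key, and the excerpt does not quantify the former. A high score is necessary, not sufficient.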