--
James A. Donald wrote:
> > Adversary accesses web site as if about to log in,
> > gets a session ID. Then supplies false information
> > to someone else's browser, causes that browser on
> > someone else's computer to use that session ID.
> > Someone else logs in with hacker's session ID, and
> > now the adversary is logged in.

Michael Cordover:
> Question: how does one convince the victim's browser
> to use the malicious ID?

Assuming we can intercept and modify cleartext, no problem.

There are also several other ways that do not require such a man in the middle attack. For example, the adversary might represent himself as selling some item for e-gold. The victim clicks on the e-gold link on the adversary's web page, but it is a session fixation link which looks something like this:

<a href="http://e-gold/index.php?PHPSESSID=64383-34324-987437">

As a result, when the victim logs in to e-gold (logs in to the genuine e-gold, not a phishing site), he logs the adversary in. The adversary then drains all of the user's account. (Assuming that e-gold is vulnerable to session fixation.)

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
/xB6pMv9fT1fIGlyhzRyAjdO+X1POcedv7maASR+
4rXw3i2fw8a6eXIV31Rc11GLSM+BsAqwdlNX3AVVO

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
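The session fixation scenario described in the thread, replayed against a toy login server. This is an added example written for this page, not code from the thread or from e-gold; the `ToyApp` class, the `USERS` table and the URLs are constructed for illustration. The vulnerable configuration does the two things the attack relies on: it honours a `PHPSESSID` supplied in the URL query string, and it keeps the same session ID across login. The hardened configuration ignores URL-supplied IDs and issues a fresh ID at login, which also defeats the man in the middle variant (attacker plants the cookie directly) that the post mentions first.

```python
"""Session fixation replayed against a toy login app (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlparse

SESSION_COOKIE = "PHPSESSID"
# Hypothetical credential table for the toy app; not any real site's data.
USERS = {"victim": "correct horse battery staple"}


class ToyApp:
    """Minimal server with one in-memory session store.

    hardened=False: adopts a session id from ?PHPSESSID=... in the URL and
    keeps that id across login, i.e. vulnerable to session fixation.
    hardened=True: ignores URL-supplied ids and regenerates the id on login.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # sid -> {"user": username or None}

    def _new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def _resolve_sid(self, url, cookies):
        # Vulnerable variant: a session id in the query string wins, and an
        # unknown id is adopted as-is, so the adversary can pick it.
        if not self.hardened:
            qs = parse_qs(urlparse(url).query)
            if SESSION_COOKIE in qs:
                sid = qs[SESSION_COOKIE][0]
                self.sessions.setdefault(sid, {"user": None})
                return sid
        # Otherwise use the cookie, or start a fresh session.
        sid = cookies.get(SESSION_COOKIE)
        if sid is None or sid not in self.sessions:
            sid = self._new_session()
        return sid

    def visit(self, url, cookies):
        """GET any page; returns the session id the browser now holds."""
        sid = self._resolve_sid(url, cookies)
        cookies[SESSION_COOKIE] = sid
        return sid

    def login(self, url, cookies, username, password):
        """POST credentials; returns True on success."""
        sid = self._resolve_sid(url, cookies)
        if USERS.get(username) != password:
            cookies[SESSION_COOKIE] = sid
            return False
        if self.hardened:
            # Regenerate: discard the pre-auth session so any id the
            # adversary knows is never the one bound to the user.
            self.sessions.pop(sid, None)
            sid = self._new_session()
        self.sessions[sid]["user"] = username
        cookies[SESSION_COOKIE] = sid
        return True

    def whoami(self, cookies):
        """Return the user bound to the browser's session, or None."""
        session = self.sessions.get(cookies.get(SESSION_COOKIE))
        return session["user"] if session else None


def run_fixation(hardened, via_cookie=False):
    """Replay the post's attack; returns whom the adversary ends up logged in as.

    via_cookie=False: victim clicks the adversary's ?PHPSESSID=... link.
    via_cookie=True:  adversary plants the cookie directly (the MITM variant).
    """
    app = ToyApp(hardened)
    adversary, victim = {}, {}
    # 1. Adversary visits as if about to log in and receives a session id.
    fixed_sid = app.visit("http://e-gold/index.php", adversary)
    # 2. The victim's browser is made to use that id.
    if via_cookie:
        victim[SESSION_COOKIE] = fixed_sid
    else:
        app.visit(f"http://e-gold/index.php?{SESSION_COOKIE}={fixed_sid}", victim)
    # 3. Victim logs in to the genuine site with real credentials.
    if not app.login("http://e-gold/login.php", victim, "victim", USERS["victim"]):
        raise RuntimeError("toy login unexpectedly failed")
    # 4. Adversary, still holding fixed_sid, asks who he is.
    return app.whoami(adversary)


if __name__ == "__main__":
    print("vulnerable, link :", run_fixation(hardened=False))
    print("vulnerable, MITM :", run_fixation(hardened=False, via_cookie=True))
    print("hardened,   link :", run_fixation(hardened=True))
    print("hardened,   MITM :", run_fixation(hardened=True, via_cookie=True))
```

The two fixes are independent: refusing URL-supplied session IDs closes the link trick from the post, but only regenerating the ID at the moment of login protects against an ID the adversary managed to install by any other route.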