■ Obtain a session token as a completely anonymous user, and then walk through the process of submitting sensitive data, up until any page at which the sensitive data is displayed back.

■ If the same token originally obtained can now be used to retrieve the sensitive data, then the application is vulnerable to session fixation.

■ If any type of session fixation is identified, verify whether the server accepts arbitrary tokens it has not previously issued. If so, the vulnerability is considerably easier to exploit over an extended period.
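The two checks above, and the fix described under "Preventing Session Fixation Vulnerabilities", modelled in an added example (constructed for this page, not the book's code): a minimal in-memory session store whose `login` either keeps the pre-authentication token (the flaw) or re-issues it at the anonymous-to-identified transition (the fix), and whose `lookup` honours only tokens the server itself issued. The `SessionStore` class, `rotate` flag and sample values are assumptions for illustration.

```python
import secrets

class SessionStore:
    """Constructed in-memory session store (not the book's code)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "data": ...}

    def new_anonymous(self):
        # Fresh, unpredictable token for an anonymous visitor.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None, "data": None}
        return token

    def lookup(self, token):
        # Tokens this server never issued map to no session at all.
        return self._sessions.get(token)

    def login(self, token, username, rotate=True):
        sess = self.lookup(token)
        if sess is None:
            raise KeyError("unknown session token")
        if not rotate:
            # Flaw: the token known before login now carries the identity.
            sess["user"] = username
            return token
        # Fix: drop the pre-auth token at the anonymous -> identified
        # transition and continue under a freshly issued one.
        del self._sessions[token]
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = {"user": username, "data": None}
        return new_token

    def submit_sensitive(self, token, payload):
        sess = self.lookup(token)
        if sess is None or sess["user"] is None:
            raise PermissionError("authenticated session required")
        sess["data"] = payload

def fixation_check(rotate=True):
    """Replay the page's test: can the token obtained while anonymous still
    retrieve data submitted after login? True means fixation is present."""
    store = SessionStore()
    anon = store.new_anonymous()  # token known before authentication
    authed = store.login(anon, "alice", rotate=rotate)
    store.submit_sensitive(authed, "constructed sensitive value")
    leaked = store.lookup(anon)
    return leaked is not None and leaked["data"] is not None
```

`fixation_check(rotate=False)` reproduces the vulnerable outcome the first two steps describe, while the default rotating login leaves the anonymous token unable to retrieve anything; `lookup` on a never-issued token returning no session is the third check.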
Preventing Session Fixation Vulnerabilities
At any point at which a user interacting with the application transitions from
being anonymous to being identified, the application should issue a fresh session