session-hijacking

Of HttpOnly and document.cookie

Searching for possible ways to get a cookie with HttpOnly enabled, I cannot find any. But then again, how can browser add-ons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same? So my question is, is it really, really impossible to get the cookie of HttpOnly-enabled requests using JavaScript? p/s: Yes I'...

What's the error in this Python code?

What do I do to solve it? Terminal output is:
abhi@abhi-desktop:~/Desktop/sslstrip-0.1$ python sslstrip.py --listen=3130
Traceback (most recent call last):
File "sslstrip.py", line 254, in main(sys.argv[1:])
File "sslstrip.py", line 246, in main server = ThreadingHTTPServer(('', listenPort), StripProxy)
File "/usr/lib/p...

Session hijacking or attack?

Lately I have seen this in my error log (1 per day, and I have 40k visitors per day): [22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/my_files/class.session.php on line 67 [22-Sep-2009 21:13:52] PHP Warning: Unk...

Session Management with Windows Authentication

In an ASP.NET web app, using Integrated Windows Authentication, is the session tied to the windows identity? In other words, if I login (using IWA) to the app, and the app stores some "stuff" in my session, is this stuff accessible by session id alone? For instance, if a malicious someone managed to steal my session id, but NOT my creden...

Jeff Prosise's session hijack blog - any updates?

Hi, I'm looking to prevent session hijacking in my ASP.NET application and came across this great post by Jeff Prosise. However, it's from 2004 and I was wondering if there have been any updates that either perform the same thing, or result in any complications? Also, has anyone used this on a production server and, if so, have there ...

How to encrypt session id in cookie?

While I was reading session hijacking articles, I learned that it would be nice to encrypt the session id value that is stored in a cookie. As far as I know, when I start a session by calling session_start(), PHP does not encrypt the session id value in the cookie. How do I encrypt the session id value and then initialize the session with it? ...

How to prevent asp.net application from session hijacking?

I have read an article about session hijacking. Please tell me how secure the ASP.NET session is. Can people also do session hijacking with the ASP.NET session? And also tell me how I can prevent my application from session hijacking. If you have any good example then also tell me how people do it and how I can make my ASP.NET applicat...

I think my PHP app is being session hijacked?

Hi there, I have a PHP site that lets registered users log in (with a valid password) and sets up a session based on their UserID. However I'm pretty sure this is being hijacked and I've found "new" files on my server I didn't put there. My site cleans all user input for SQL injections and XSS but this keeps happening. Has anyone got any i...

Proxy Session Hijack

Our application starts by scraping a web page using WatiN (like Selenium or WatiR) on a server somewhere. Scraping concludes, and I want a real user in another location to take over the session that WatiN started. Because of security on the web site we are accessing, I probably need to have a proxy that holds the html and cookies for res...

Avoiding session hijacking with Kohana

Do I have to do anything special to avoid session hijacking using Kohana framework? (Assuming the session is manipulated only with the Kohana Session library) Thanks in advance ...

Session Hijacking Protection in ASP.NET

Hi, I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET. I recently saw this very informative article that explains how session security can be enhanced by implementing an additional layer that encodes the IP address and user agent header into the session id. These details are then ve...
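The scheme this question describes (and the one the "How to encrypt session id in cookie?" question is reaching for) is client binding: the server ties the session id to attributes of the client that presented it, so a stolen id replayed from elsewhere is rejected. The example below is added here and is not code from any of these posts or from ASP.NET or PHP. It uses an HMAC rather than encryption, because the property needed is integrity (the client must not be able to forge or re-bind a token), not secrecy of the id. The IP and User-Agent strings, the key and the sample values are all constructed for the example; a real server would take them from the request and keep the key outside source control.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example. In a deployment this lives in
# configuration, not in code, and is rotated together with the session store.
SERVER_KEY = b"example-only-server-key-replace-me"

SID_HEX_LEN = 32  # 16 random bytes -> 32 hex characters


def _client_context(ip: str, user_agent: str) -> bytes:
    """Canonical byte string of the client attributes bound into the token.

    NUL separators keep "a" + "bc" distinct from "ab" + "c".
    """
    return ip.encode() + b"\x00" + user_agent.encode()


def _tag(sid: str, ip: str, user_agent: str, key: bytes) -> str:
    """HMAC-SHA256 over session id and client context, hex encoded."""
    msg = sid.encode() + b"\x00" + _client_context(ip, user_agent)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(ip: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """Create a new session token of the form '<sid>.<tag>'.

    The session id is random and never derived from client data; the tag binds
    it to the client context so the id alone is not enough to resume the session.
    """
    sid = secrets.token_hex(16)
    return f"{sid}.{_tag(sid, ip, user_agent, key)}"


def verify_token(token: str, ip: str, user_agent: str, key: bytes = SERVER_KEY):
    """Return the session id if the token was issued to this client, else None.

    Returns None for malformed tokens, tampered tags, or a client context that
    differs from the one the token was bound to (replayed from another host or
    with a different User-Agent).
    """
    sid, sep, tag = token.partition(".")
    if not sep or len(sid) != SID_HEX_LEN:
        return None
    try:
        bytes.fromhex(sid)
    except ValueError:
        return None
    expected = _tag(sid, ip, user_agent, key)
    # Constant-time comparison so an attacker cannot learn the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return sid


if __name__ == "__main__":
    # Constructed sample client; the values are illustrative only.
    tok = issue_token("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)")
    print("issued:", tok)
    print("same client:", verify_token(tok, "203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)"))
    print("other IP:", verify_token(tok, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)"))
    print("other UA:", verify_token(tok, "203.0.113.10", "curl/8.0"))
```

Two caveats a practitioner should keep in mind before relying on this. The User-Agent is fully attacker-controlled and trivially copied along with the cookie, so it adds almost nothing on its own; the IP check is the part that raises the bar, and it breaks for users behind carrier NAT, roaming mobile clients and rotating corporate proxies unless you only bind a prefix or fall back to re-authentication. Binding is therefore a supplement to, not a replacement for, cookies marked Secure and HttpOnly, regeneration of the id at login, and short server-side expiry.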

Is this a secure authentication system for an ajax-driven app?

I apologize ahead of time, because I'm neither great at explaining things nor flow charts. This is not a specific code problem, but a general question on session security. I'm trying to eliminate as many potential problems as possible at once. I think this takes care of: CSRF, session fixation, session prediction, cookie theft (through b...

crossdomain.xml and security issues

Hi, I read a lot about cross-site scripting with Flash, JavaScript etc. and also found several lists of websites that have a crossdomain.xml that allows access from any server. For example flickr.com trusts all domains. Can somebody explain to me why this seems to be secure and doesn't lead to attacks like session hijacking? Is it becau...