Wednesday, June 27, 2007

Session Stealing-2

Continuation of the previous posting...

My apologies for the abrupt ending of my previous post. Something important came up due to which I had to end it abruptly.

Session hijacking is generally carried out by one of the following methods:

1. Request-response sniffing (capturing the session id as it crosses the network)
2. Cross site scripting (reading the session cookie from within the victim's browser)

Well, the first one can be prevented only when the whole session runs over https. If part of the session is handled over http and is later switched to https, a sniffer on the http leg can pick up the session id cookie and replay it against the https pages. To avoid this, Pramati Server uses a second cookie in addition to the session id cookie, and the pair is validated whenever an https page is accessed. Because the second cookie is set over https, the sniffer cannot observe it; for that to hold, the cookie must also carry the Secure attribute, otherwise the browser would send it back on the next http request and expose it anyway. When the hijacker replays the sniffed session id over https without the secret cookie, the server recognises that the request is not from the authenticated user and denies it.

Regarding the second, check that the application is free of XSS (cross site scripting) vulnerabilities: an injected script can otherwise read the session cookie from document.cookie and send it to the attacker, https or not. Marking the session cookies HttpOnly keeps them out of reach of scripts in browsers that honour the flag, but it is no substitute for fixing the XSS itself.
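The cookie pair described above, as an added example in Python using only the standard library (this is not Pramati's code; the cookie names JSESSIONID and SSLSECRET, the in-memory session store and the login step that mints the secret are assumptions made here). It also shows the cookie flags the XSS point relies on: Secure so the browser never returns the secret over http, and HttpOnly so an injected script cannot read either cookie.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session id -> session record.
# The cookie names are assumptions for this example, not Pramati's.
SESSIONS = {}
SESSION_COOKIE = "JSESSIONID"   # issued over http, travels on http and https
SECRET_COOKIE = "SSLSECRET"     # issued over https only, flagged Secure


def new_session(user):
    """Create a session as the first plain-http request would; no secret yet."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "secret": None}
    return sid


def http_set_cookie(sid):
    """Set-Cookie header for the plain-http leg. A sniffer on this leg sees
    the session id in the clear, which is exactly what the secret guards against."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["httponly"] = True   # not readable via document.cookie
    return c.output()


def https_login_set_cookie(sid):
    """The user authenticates over https: mint the secret half of the pair.
    Secure means the browser only ever returns it over https, so it is never
    on the wire in plaintext for the sniffer to capture."""
    secret = secrets.token_hex(16)
    SESSIONS[sid]["secret"] = secret
    c = SimpleCookie()
    c[SECRET_COOKIE] = secret
    c[SECRET_COOKIE]["path"] = "/"
    c[SECRET_COOKIE]["secure"] = True
    c[SECRET_COOKIE]["httponly"] = True
    return c.output()


def parse_cookie_header(header):
    """Turn a request's Cookie header into a name -> value dict."""
    c = SimpleCookie()
    c.load(header)
    return {name: morsel.value for name, morsel in c.items()}


def authorize_https_request(cookie_header):
    """Validate the cookie pair on an https page. Returns the user on success,
    None if the session is unknown, not yet authenticated, or the secret is
    missing or wrong (the sniffer's replay case)."""
    cookies = parse_cookie_header(cookie_header or "")
    record = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if record is None or record["secret"] is None:
        return None
    presented = cookies.get(SECRET_COOKIE)
    if presented is None:
        return None
    # constant-time comparison on bytes so odd input cannot raise or leak timing
    if not secrets.compare_digest(record["secret"].encode(), presented.encode()):
        return None
    return record["user"]


def simulate():
    """Walk through the attack: sniff the id on http, replay it against https."""
    sid = new_session("alice")
    http_set_cookie(sid)             # plaintext leg: attacker records sid
    https_login_set_cookie(sid)      # user logs in over https, browser gets secret
    secret = SESSIONS[sid]["secret"]
    return {
        "legit": authorize_https_request(
            f"{SESSION_COOKIE}={sid}; {SECRET_COOKIE}={secret}"),
        "replay_without_secret": authorize_https_request(
            f"{SESSION_COOKIE}={sid}"),
        "replay_with_guess": authorize_https_request(
            f"{SESSION_COOKIE}={sid}; {SECRET_COOKIE}={'0' * 32}"),
    }


if __name__ == "__main__":
    print(simulate())
```

The secret is minted at the https login, not lazily on the first https hit: if it were minted on first contact, whoever presented the sniffed session id first over https would be handed the secret, and the pair would protect nothing.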
