Paul Fierro wrote:
On 03/15/2005 10:50 AM, Paul Bramscher <brams006-OJFnDUYgAso@xxxxxxxxxxxxxxxx>
wrote:
My point was that fully cloning the client puts the hacker into a
position where the server-side manipulations, regardless of what they
are, will be to no avail. You can keep adding more steps, but it's
pointless. The hacker has *become* the client in the server's eyes, so
any manipulations to the session, etc. will be performed to the hacker
identically as for the authenticated user.
Not true if you re-calculate the hash and compare it to the value stored in
the cookie. If the hash contains the browser's User-Agent header, for
example, and the hacker is using a different browser, the hash will not be
the same.
I suggested this earlier (and someone replied that the smart hacker
would merely spoof the client's browser type). There's a plug-in to
Firefox which makes this quite simple. For example:
http://www.chrispederick.com/work/firefox/useragentswitcher/
In fact, that's easier to spoof than IP -- and as others suggested, you
can't always key off of IP if people are coming from
poorly architected (IMHO, it's an automatic security risk) ISPs with
dynamic networks.
I'm thinking the name of the game for ueber-security is not so much how
to generate a long key (we're already there), but in attack detection &
resolution.
- Paul Bramscher
Recommend reading:
http://shiflett.org/articles/the-truth-about-sessions
Pay particular attention to the 'Preventing Impersonation' section.
Paul
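The check Paul Fierro describes (recompute a hash that includes the User-Agent and compare it with the value in the cookie) and the bypass Paul Bramscher describes (spoof the User-Agent) side by side, as an added Python example; this is not code from the thread or from Shiflett's article. The cookie name PHPSESSID, the in-memory SESSIONS store, the sample User-Agent strings and the server secret are all constructed for the example, and using an HMAC keyed with a server-side secret is one way to build the hash, not something either poster specified.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real deployment loads this from
# configuration and never ships it to the client.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed in-memory session store: session id -> server-side state.
SESSIONS = {}


def fingerprint(session_id, user_agent, secret=SERVER_SECRET):
    """Keyed hash binding a session id to the request's User-Agent.

    An HMAC (rather than a bare hash) means an attacker who knows the session
    id and the User-Agent still cannot compute the value without the secret.
    The separator byte keeps "ab"+"c" and "a"+"bc" from colliding.
    """
    msg = session_id.encode() + b"\x00" + user_agent.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def login(username, user_agent):
    """Create a session and return the cookie values sent to the browser."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "ua": user_agent, "mismatches": 0}
    return {"PHPSESSID": sid, "fp": fingerprint(sid, user_agent)}


def authenticate(cookie, user_agent):
    """Return the username if the cookie is valid for this request, else None.

    The fingerprint is recomputed from the *current* request's User-Agent and
    compared (in constant time) with the value the client presented.  A
    mismatch is counted as an attack-detection signal instead of silently
    failing, so it can be logged, alerted on, or used to force re-authentication.
    """
    sid = cookie.get("PHPSESSID")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    expected = fingerprint(sid, user_agent).encode()
    presented = str(cookie.get("fp", "")).encode()
    if not hmac.compare_digest(expected, presented):
        sess["mismatches"] += 1
        return None
    return sess["user"]


if __name__ == "__main__":
    VICTIM_UA = "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"   # constructed
    ATTACKER_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"       # constructed

    cookie = login("alice", VICTIM_UA)
    stolen = dict(cookie)  # attacker has fully cloned the cookie

    print("victim:", authenticate(cookie, VICTIM_UA))            # alice
    print("attacker, own UA:", authenticate(stolen, ATTACKER_UA))  # None
    # The same stolen cookie replayed with the victim's UA (one click in a
    # User-Agent switcher) passes: the binding only stops a careless attacker.
    print("attacker, spoofed UA:", authenticate(stolen, VICTIM_UA))  # alice
```

Run as a script it shows the three outcomes the thread argues about: the real browser passes, a cloned cookie sent from a different browser is rejected and counted, and the same cloned cookie with the User-Agent header copied from the victim is indistinguishable from the victim. The mismatch counter is the piece that supports the "attack detection & resolution" point: the rejected request is the one observable event the server gets, so it is worth recording rather than just returning an error.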