|
|
一个固定的Session攻击通常发生在以下情况:
1.恶意用户访问一个web site,这个JSessionID被保存在浏览器的cookie里面,即便用户并没有登录改网站。这种情况下,他就可以伪造一个带有该JsessionID的URL,并发送给受害者。(例如, http://example.com/login?JESSIONID=qwerty)
2.受害者点这个带有jsessionid的URL,提示输入验证信息之后就登陆系统。
3.攻击者现在使用这个带jsessionid的链接,以受害者的身份登陆进系统了。
Itis trivial for the attacker to add a jsessionid in the URL as well asto send it in the header using a malicious form. (For a fulldescription of session fixation attacks, read the whitepaper "Session Fixation Vulnerability in Web-based Applications" from Acros Security.)
Thesolution implemented by the Tomcat team is a patch that changes thejsessionid after authentication. This patch has been applied to Tomcat7 and has also been backported to Tomcat 5 and 6 with some differences.
According to Mark Thomas, the results of this patch in Tomcat 7 are:
- Tomcat is not vulnerable by default because the session ID changes upon authentication.
- Ifthis default is changed by the user (e.g. because the application can'thandle a changing session ID), then the risks may be minimized bydisabling session tracking via URL (a new feature in Servlet 3).
And in Tomcat 5 and 6, the results of the patch are:
- Sessionfixation attacks can be prevented by enabling Tomcat to change thesession ID on authentication (if there is insufficient support for thisto be enabled by default).
- If the application can't handle a changing session ID then the risks may be minimized by writing a custom filter that checks request.isRequestedSessionIdFromURL()and responds accordingly (e.g. rejecting the request).
Theabove changes work transparently behind the scenes; the developer doesnot have to do anything. The users session (jsessionid) is changedafter login. This completely prevents session fixation attacks |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2017-2-7 10:30:57
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡