SAP: Session (Fixation) Attacks and Protections - Black Hat
#2 Discovery and Exploitation (3)

• All links from "www" to "portal" are HTTPS
  – But HTTP is also allowed in "portal"
• What is used for session ID verification when accessing "authenticated resources"?
  – Common sense: both cookies (! in reality)
• HTTPS behavior ("bad" = missing or expired):
  1. Both cookies: OK
  2. JSESSIONID bad: redirect to login & renewed
  3. AUTH_JSESSIONID bad: 401 Basic?

Copyright © 2011 Taddong S.L. www.taddong.com