SAP: Session (Fixation) Attacks and Protections - Black Hat
SAP: Session (Fixation) Attacks and Protections - Black Hat
SAP: Session (Fixation) Attacks and Protections - Black Hat
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
#2 Discovery <strong>and</strong> Exploitation (4)• HTTP behavior:– Once authenticated, HTTPS requires both– HTTP only makes use of JSESSIONID• All resources available through HTTP • JSESSIONID is enough to associate theweb request (HTTP) to an auth session12• Remember, JSESSIONID is not renewed• Discovered on WebLogic Portal version 10.3Even simpler attacks as JSESSIONID is disclosed via HTTPCopyright © 2011 Taddong S.L. www.taddong.com38