一个固定的Session攻击通常发生在以下情况:
1.恶意用户访问一个web site,这个JSessionID被保存在浏览器的cookie里面,即便用户并没有登录改网站。这种情况下,他就可以伪造一个带有该JsessionID的URL,并发送给受害者。(例如, http://example.com/login?JESSIONID=qwerty)
2.受害者点这个带有jsessionid的URL,提示输入验证信息之后就登陆系统。
3.攻击者现在使用这个带jsessionid的链接,以受害者的身份登陆进系统了。
It is trivial for the attacker to add a jsessionid in the URL as well as to send it in the header using a malicious form. (For a full description of session fixation attacks, read the whitepaper "Session Fixation Vulnerability in Web-based Applications " from Acros Security.)
The solution implemented by the Tomcat team is a patch that changes the jsessionid after authentication. This patch has been applied to Tomcat 7 and has also been backported to Tomcat 5 and 6 with some differences.
According to Mark Thomas , the results of this patch in Tomcat 7 are:
- Tomcat is not vulnerable by default because the session ID changes upon authentication.
- If this default is changed by the user (e.g. because the application can't handle a changing session ID), then the risks may be minimized by disabling session tracking via URL (a new feature in Servlet 3).
And in Tomcat 5 and 6, the results of the patch are:
- Session fixation attacks can be prevented by enabling Tomcat to change the session ID on authentication (if there is insufficient support for this to be enabled by default).
- If the application can't handle a changing session ID then the risks may be minimized by writing a custom filter that checks
request.isRequestedSessionIdFromURL()and responds accordingly (e.g. rejecting the request).
The above changes work transparently behind the scenes; the developer does not have to do anything. The users session (jsessionid) is changed after login. This completely prevents session fixation attacks
839
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
