Jedi session tricks
A common attack black hats use against custom authentication front-ends is session fixation. Hackers bank on the fact that developers are not taking into consideration how to adequately protect and sequence their Session IDs. Through social engineering (a simple e-mail or instant message will do) the hacker is able to deliver a URL string with a prepositioned invalid session ID. If this were our testing, we'd certainly want some other traffic to use as a template or knowledge of the application from scans or covert collection, such that we're able to offer a session ID format and length that the application would expect. Improperly configured authentication portals will allow our victims to bring their own session ID (ha! ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access