Friday, December 18, 2009

URL Session Tokens Easily Compromised (12 Robots - Jason Dean Blog)

I have said on several occasions that catering to users who insist on disabling cookies is a bad idea. I have blogged a couple times on the reasons.

So why am I suddenly bringing this topic up again? Well I recently read (I cannot recall where, it was probably on the OWASP site) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.

The vulnerability in this case is the web browser's behavior of sending a CGI variable called REFERER or HTTP_REFERER onto the page that the request was directed from. So if I click on a link on index.cfm that takes me to test.cfm then in the CGI scope of test.cfm will be a variable called HTTP_REFERER.

This is a great post explaining some of the mechanics of fishing and how session tokens in the URL can be very dangerous. I still don't understand the problem of cookies these days. If you use session tokens or are considering it, this excellent post by Jason Dean is worth the read.

No comments:

Post a Comment