Saturday, 31 January 2009

Security Musings #1

Session Handling
Session management is far better than it used to be when session hijacking (example) and session fixation were common.
Problems can still be seen if session management is handled in a bespoke manner. Session ids have been known to be built from a base64 encoding of parameters.
It is hard to get right manually, and hence there are frameworks in place to stop the reinvention of the wheel.
But I have seen some websites that use the same preauth session id for their authenticated session. It is recommended that
session ID regeneration be used in Java and ASP.Net to prevent session fixation.
So on the face of it, it would be bad without it. However, the session id is usually stored in a cookie, which in itself is hard to fixate. The alternative way would be to include the session ID as part of the URL (e.g. displayHomePage.do;jsessionid=B469usPwntry).
If that is blocked and any session id supplied that way is thrown away, that should be sufficient. Furthermore, by hook or by crook, additional cookies are set at preauth that change postauth. So your session fixator and session hijacker will need to know this additional information if there are checks for those cookies.
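As an added illustration (not code from the original post), here is a minimal Python session store showing the two points above: regenerating the session id at login so that a preauth id an attacker already knows stops working, and throwing away an id carried in the URL via `;jsessionid=`. The store, the login functions and the fixation scenario are all constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def resolve(self, cookie_sid, path):
        """Pick the session id for a request. An id carried in the URL
        (the ';jsessionid=' rewriting form) is discarded, since that is the
        form an attacker can plant in a link; a fresh session is issued."""
        if ";jsessionid=" in path or cookie_sid not in self.sessions:
            return self.new_session()
        return cookie_sid

    def login_keep_id(self, sid, user):
        """Weak: authenticate in place, keeping the preauth id."""
        self.sessions[sid].update(authenticated=True, user=user)
        return sid

    def login_regenerate(self, sid, user):
        """Hardened: invalidate the preauth id and issue a new one."""
        state = self.sessions.pop(sid)
        new_sid = self.new_session()
        self.sessions[new_sid] = {**state, "authenticated": True, "user": user}
        return new_sid


def fixation_succeeds(regenerate):
    """Simulate fixation: an attacker obtains a preauth id, the victim
    logs in with it, and the attacker then presents the same id."""
    store = SessionStore()
    planted = store.new_session()           # id known to the attacker
    sid = store.resolve(planted, "/login")  # victim arrives with that cookie
    if regenerate:
        store.login_regenerate(sid, "victim")
    else:
        store.login_keep_id(sid, "victim")
    attacker_view = store.sessions.get(planted)
    return attacker_view is not None and attacker_view["authenticated"]


def url_id_is_honoured():
    """An id supplied only via ';jsessionid=' in the path must not be used."""
    store = SessionStore()
    planted = store.new_session()
    sid = store.resolve(None, f"/displayHomePage.do;jsessionid={planted}")
    return sid == planted
```

With regeneration the planted id no longer maps to any session after login, so the attacker gains nothing; without it the planted id is now the authenticated session.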

Clickjacking
Clickjacking is a new attack that uses code and transparent layers to trick users into visiting sites that are not exactly the ones advertised in the browser. There is also some theory behind it.

Zero day initiative
Zero day (not to be confused with the Finnish movie of the same name) is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities. Interestingly, you can get paid good money to find and post vulnerabilities with the Zero Day Initiative. ZDNet have a blog called Zero Day as well, whilst the security researchers at eEye have a good tracker of new zero day attacks.

Web Application Scanners
Here is a very comprehensive evaluation of web vulnerability scanners. It compares Acunetix WVS, IBM Rational Appscan and HP Webinspect.

CESG Certified Products & Services
Here is a comprehensive directory of CCTM (CESG Claims Tested Mark) awards for products and services. Coincidentally, here is a list of pen-testing companies according to Google. At the time of writing, salaries for CESG-related jobs were rising modestly (unless you were in Check Point, which was taking a big knock).
