Tuesday, October 2, 2007

Session ID Manipulation?????

So today is the last day of Phase 1 of my application pentest. Well, it's always funny, because it's always on the last day that I find something. In my previous posts, I was saying that the application is very secure. However, I found some session ID manipulation that allows an attacker to impersonate someone. Well, although it's not high risk, think of this situation. Let's say you and your friend are at a school compound or somewhere with network access, and suddenly your friend is checking his account. With the mindset of a hacker, you know that manipulating the session ID will allow you to gain access to his account, so while he says that he wants to go to the toilet and forgets to log out, you quickly grab his session ID and then change his password. From there on, you can monitor his account's transactions and status, and moreover you can transfer money to your own account. I mean, there are too many possibilities. This is just one of the scenarios. You can let your imagination run wild and come up with more evil stuff. However, I just want to point out that since the application is already so secure, why not take another step to tighten this hole? Agree?????

The Hacka Man

9 comments:

Foo said...

So the application allows you to change the password without having to enter the old one?

Anonymous said...

The application allows me to change the password without entering the old one.

Hackathology
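An added example (not code from the post or from the application under test): a minimal Python model of the two findings above, a stolen session ID being enough to act as the user, and a password change that never asks for the old password, with the hardened handler beside the weak one. The in-memory `SESSIONS` and `USERS` stores and all function names are assumptions made for the illustration.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

# Constructed in-memory stores standing in for the application's session
# and user tables (hypothetical; not the audited application's code).
SESSIONS = {}  # session id -> username
USERS = {}     # username -> {"salt": bytes, "hash": bytes}

def _hash(password, salt):
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _verify(name, password):
    u = USERS.get(name)
    return u is not None and hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

def create_user(name, password):
    salt = secrets.token_bytes(16)
    USERS[name] = {"salt": salt, "hash": _hash(password, salt)}

def login(name, password):
    """Issue a fresh, unguessable session id on every successful login."""
    if not _verify(name, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = name
    return sid

def change_password_weak(sid, new_password):
    """The flaw from the post and comments: holding a valid session id is
    enough to set a new password, with no proof of knowing the old one."""
    name = SESSIONS.get(sid)
    if name is None:
        return False
    create_user(name, new_password)  # overwrites salt and hash
    return True

def change_password_hardened(sid, old_password, new_password):
    """Re-authenticate with the current password, then revoke every session
    the user holds (the requesting one included) and issue a new id, so a
    hijacked session cannot be used to lock the real owner out."""
    name = SESSIONS.get(sid)
    if name is None or not _verify(name, old_password):
        return None
    create_user(name, new_password)
    for stale in [s for s, n in SESSIONS.items() if n == name]:
        del SESSIONS[stale]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = name
    return new_sid
```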

mitmwatcher said...

Hi,
Here is a good paper on a similar issue; hope this will be helpful for your attack ;)

http://www.it-observer.com/pdf/dl/concepts_against_mitb_attacks.pdf

Mitmwatcher

Anonymous said...

Hey mitmwatcher, thank you for that paper. I need that to prove it to the damn customer. They take it lightly.

hackathology

Anonymous said...

What a great resource!

pharmacy said...

It is pretty impressive that people can do something like hide behind another person's ID.