hacking ASP session state

sla.ckers.org is
ha.ckers sla.cking

Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc....

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

hacking ASP session state

Posted by: bflavor2

Date: March 18, 2010 10:07AM

Hello all,

I'm doing a test against an IIS 6 box with session state enabled. Sessions are tracked completely server side by a url like such:

websitedotcom/(S(1ngoc045sslvlc45tazuhg45))/AppPages/address/changeaddress.aspx

or

websitedotcom//(S(j4nd2sjarzlj5ejved0irh2u))/apppages/changeaddress.aspx

So each time you visit the site, it's a new URL, also the session state tends to change during automated scans. Has anyone ran into this problem? Most automated tools break trying to scan or spider (Acunetix, Paros).

Any ideas on approach?

Edited 1 time(s). Last edit at 03/18/2010 10:16AM by bflavor2.

Options: Reply•Quote

follow-up

Posted by: bflavor2

Date: March 18, 2010 10:09AM

A representative from Acunetix said that version 6.5 does not currently support these features.

Nessus and Paros don't support it well either.

Security through obscurity wins?

Edited 3 time(s). Last edit at 03/18/2010 01:26PM by bflavor2.

Options: Reply•Quote

Re: hacking ASP session state

Posted by: RonPaul

Date: March 18, 2010 09:45PM

mac has been doing it for years ;)

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login