Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
hacking ASP session state
Posted by: bflavor2
Date: March 18, 2010 10:07AM

Hello all,

I'm doing a test against an IIS 6 box with session state enabled. Sessions are tracked completely server side by a url like such:

websitedotcom/(S(1ngoc045sslvlc45tazuhg45))/AppPages/address/changeaddress.aspx

or

websitedotcom//(S(j4nd2sjarzlj5ejved0irh2u))/apppages/changeaddress.aspx

So each time you visit the site, it's a new URL, also the session state tends to change during automated scans. Has anyone run into this problem? Most automated tools break trying to scan or spider (Acunetix, Paros).


Any ideas on approach?



Edited 1 time(s). Last edit at 03/18/2010 10:16AM by bflavor2.

follow-up
Posted by: bflavor2
Date: March 18, 2010 10:09AM

A representative from Acunetix said that version 6.5 does not currently support these features.

Nessus and Paros don't support it well either.

Security through obscurity wins?



Edited 3 time(s). Last edit at 03/18/2010 01:26PM by bflavor2.

Re: hacking ASP session state
Posted by: RonPaul
Date: March 18, 2010 09:45PM

mac has been doing it for years ;)
