AppSec Blog: Tag - Session

Session Attacks and PHP - Part 2

Yes, I will talk in this article about why it is not good to leave your session files in /tmp. But first, allow me to follow Jason's lead and talk about the session attacks he discussed in Part 2 of his ASP.NET article. I will keep it short. Session fixation isn't really that much of …


Session Attacks and ASP.NET - Part 2

In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation, as well as ASP.NET's session architecture and authentication architecture. In this post, I'll delve into a couple of specific attack scenarios and cover risk reduction and countermeasures. Attack Scenario: ASP.NET Session with Forms Authentication. So understanding the …


Session Attacks and ASP.NET - Part 1

I've spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven't looked at the 4.0 beta yet). Before illustrating how a specific attack works with some specific countermeasures for ASP.NET (in …