EP012

Episode 12 – More Common Web Vulnerabilities

Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin

Sessions exist so you don't have to re-enter your username and password on every page of the same website. When you log in, the server hands your browser a session ID (usually in a cookie), and that ID is what identifies you on every later request: whoever presents it is treated as you, which is why the rest of this episode is about protecting it.

– Example: online shopping for Christmas -> fill cart -> log in to buy -> enter credit card number. One session ties the cart, the login and the card entry together across all of those requests.


Parameter manipulation (parameter tampering) – changing values the client sends, such as hidden form fields, query-string parameters, cookies or prices, that the server then trusts without re-checking. Anything that arrives from the browser can be edited by the user; the server has to validate it, not the page.

Session hijacking – stealing or guessing a valid session ID and using it to act as the victim

– clear-text session ID: an ID sent over plain HTTP can be read straight off the wire. Serve the whole site over HTTPS and mark the session cookie Secure (and HttpOnly) so the browser never sends it in the clear or exposes it to script.

– predictable session IDs: if an attacker can guess the next ID, they can become the next user to log in. Generate IDs from a cryptographic random source with enough bits (128 or more) that guessing is infeasible; never derive them from timestamps, counters or usernames.

– attacker-initiated phishing, i.e. session fixation: the attacker sends the victim a link that carries a session ID the attacker already knows, then waits for the victim to log in with it. The fix is to issue a new session ID after authentication (and retire the old one). Tying a session to the client IP can be layered on top, but it breaks for users behind NAT or proxies and is not a substitute for regenerating the ID.

Cross-site request forgery (CSRF) – a page on another site makes the victim's browser send a request to the target site, and the browser attaches the session cookie automatically, so the request looks authenticated. The usual defense is a per-session secret token embedded in legitimate forms that a forged cross-site request cannot supply.

References:

Parameter tampering – https://www.owasp.org/index.php/Web_Parameter_Tampering

CSRF – https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Microsoft Tiff image vulnerability – https://technet.microsoft.com/en-us/security/bulletin/ms13-096

