OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking
Revision as of 03:48, 14 May 2013 by Peter Mosmans
Cookie Theft/Session Hijacking
Root Cause Summary
It's possible for an attacker to steal and abuse session identifiers when these are stored in cookies.
Browser / Standards Solution
None
Perimeter Solution
- Make sure that all session identifiers are transmitted over an encrypted protocol.
- Terminate/regenerate session if the session token is transmitted insecurely.
- Enforce the Secure and HttpOnly flags on cookies using a Web Application Firewall.
Complexity: Low
Impact: High
Generic Framework Solution
- Force the Secure and HttpOnly flags for all cookies.
- Make sure that the Domain and Path attributes are set correctly.
- Alert the user and deauthorize the oldest session when multiple simultaneous logins are detected.
- Terminate the session if the User-Agent string or other client fingerprinting changes.
Complexity: Medium
Impact: High
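The following is an added example, not code from the OWASP page: a minimal server-side session store in Python that applies the Generic Framework Solution items above (forced Secure/HttpOnly with pinned Domain and Path, deauthorizing the oldest session on a simultaneous login, and terminating a session whose token arrived over plaintext or whose User-Agent changed). The cookie name, domain and the `SessionStore` API are assumptions made for illustration.

```python
import secrets
from collections import OrderedDict

def session_cookie_header(token, domain="example.test", path="/"):
    """Build a Set-Cookie header that forces Secure and HttpOnly and pins
    Domain and Path (cookie name and domain are illustrative assumptions)."""
    return f"SESSIONID={token}; Domain={domain}; Path={path}; Secure; HttpOnly"

class SessionStore:
    """Hypothetical in-memory session store; one active session per user."""
    MAX_SESSIONS_PER_USER = 1

    def __init__(self):
        # OrderedDict keeps insertion order, so the oldest session comes first.
        self.sessions = OrderedDict()   # token -> {"user": ..., "ua": ...}

    def login(self, user, user_agent):
        """Create a session. If the user already has one, deauthorize the
        oldest and return alert=True so the caller can notify the user."""
        existing = [t for t, s in self.sessions.items() if s["user"] == user]
        alert = False
        while len(existing) >= self.MAX_SESSIONS_PER_USER:
            self.sessions.pop(existing.pop(0))   # oldest session first
            alert = True
        token = secrets.token_urlsafe(32)        # unpredictable identifier
        self.sessions[token] = {"user": user, "ua": user_agent}
        return token, alert

    def validate(self, token, user_agent, over_tls):
        """Return (user, reason). The session is terminated when the token was
        transmitted without TLS or when the client fingerprint changed."""
        session = self.sessions.get(token)
        if session is None:
            return None, "unknown token"
        if not over_tls:
            self.sessions.pop(token)
            return None, "token sent insecurely; session terminated"
        if session["ua"] != user_agent:
            self.sessions.pop(token)
            return None, "client fingerprint changed; session terminated"
        return session["user"], "ok"
```

A real deployment would persist the store and feed the alert flag into the user-facing notification path rather than just returning it.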
Custom Framework Solution
None
Custom Code Solution
None