Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking"
From OWASP. Minor revision by James Landis (talk | contribs): added a link back to the Periodic Table Working View above the "Cookie Theft/Session Hijacking" heading.
Revision as of 18:00, 14 May 2013
Cookie Theft/Session Hijacking
Root Cause Summary
It's possible for an attacker to steal and abuse session identifiers when these are stored in cookies.
Browser / Standards Solution
None
Perimeter Solution
- Make sure that all session identifiers are transmitted over an encrypted protocol.
- Terminate/regenerate session if the session token is transmitted insecurely.
- Enforce the Secure and HttpOnly flags on cookies using a Web Application Firewall.
Complexity: Low
Impact: High
Generic Framework Solution
- Force the Secure and HttpOnly flags for all cookies.
- Make sure that the Domain and Path attributes are set correctly.
- Alert the user and deauthorize the oldest session when multiple simultaneous logins are detected.
- Terminate the session if the User-Agent string or other client fingerprint changes.
Complexity: Medium
Impact: High
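As an added example (not code from the OWASP page), the following Python sketch implements the perimeter and framework-level controls listed above in one small session store: cookies are issued with Secure and HttpOnly and an explicit Domain and Path, a session is terminated when its token arrives over an insecure transport or the client fingerprint changes, and a new login displaces (and alerts on) the user's oldest session. The per-user session limit and the User-Agent-only fingerprint are assumptions for illustration.

```python
# Added example, not from the OWASP page. Names, the one-session-per-user limit
# and the User-Agent-only fingerprint are assumptions for illustration.
import hashlib
import secrets
from collections import OrderedDict

MAX_SESSIONS_PER_USER = 1  # assumption: one concurrent login per user


def session_cookie_header(name, value, domain, path="/"):
    """Build a Set-Cookie header that forces Secure and HttpOnly and pins Domain/Path."""
    return f"{name}={value}; Domain={domain}; Path={path}; Secure; HttpOnly"


def fingerprint(user_agent):
    """Client fingerprint bound to the session (here: a hash of the User-Agent only)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.sessions = OrderedDict()  # token -> {"user", "fp"}; insertion order = age
        self.alerts = []               # user notifications about displaced logins

    def login(self, user, user_agent):
        """Create a session; if the user exceeds the limit, revoke the oldest and alert."""
        mine = [t for t, s in self.sessions.items() if s["user"] == user]
        while len(mine) >= MAX_SESSIONS_PER_USER:
            oldest = mine.pop(0)           # OrderedDict keeps oldest first
            del self.sessions[oldest]
            self.alerts.append(f"{user}: older session revoked after a new login")
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = {"user": user, "fp": fingerprint(user_agent)}
        return token

    def validate(self, token, user_agent, is_https):
        """Return the session's user for a valid request; revoke and return None otherwise."""
        session = self.sessions.get(token)
        if session is None:
            return None
        # Token transmitted insecurely, or the client fingerprint changed: terminate.
        if not is_https or session["fp"] != fingerprint(user_agent):
            del self.sessions[token]
            return None
        return session["user"]
```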
Custom Framework Solution
None
Custom Code Solution
None