Hold Your Sessions: An Attack on Java Session-Id Generation
Authors
Abstract
HTTP session-id’s take an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-id’s and an efficient practical prediction algorithm. Using this attack an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoff for secure pseudo random number generator attacks.
Similar resources
Session Fixation Vulnerability in Web-based Applications
Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on server and associated with respective users by session identifiers (IDs). Naturally, session IDs present an attractive target for attackers, who, by obtaining them, effectively hijack users’ identities. Knowing that, web servers are employing techniques for protecting...
IJSRD - International Journal for Scientific Research & Development| Vol. 2, Issue 12, 2015 | ISSN (online): 2321-0613
Session Hijacking is the process of accessing the session by stealing the session ID or cookies. In a session hijacking attack, an unauthorized person can impersonate one of the sessions of a victim and take control over it like a legitimate user. It is one of the most dangerous attacks performed on transactions done over a network, such as e-commerce, which handles confidential or sensitive informatio...
Distributed and Persistent PHP Sessions
Quercus, Caucho Technology’s 100% Java implementation of PHP, now offers distributed and persistent session management for PHP developers. This technology is built on the solid foundation of Resin, Caucho’s proven, high-performance application server. Quercus’s session management implementation maintains compatibility with existing applications while at the same time seamlessly adding the abili...
Session Fixation - The Forgotten Vulnerability?
The term ‘Session Fixation vulnerability’ subsumes issues in Web applications that under certain circumstances enable the adversary to perform a session hijacking attack through controlling the victim’s session identifier value. We explore this vulnerability pattern. First, we give an analysis of the root causes and document existing attack vectors. Then we take steps to assess the current attac...
Language and Runtime Implementation of Sessions for Java
The purpose of this work is to incorporate the principles of session types into a concrete object-oriented language, specifically an extension of Java, as a basis for communications-based programming for distributed environments. Building on preceding theoretical studies of this topic, we present the first practical implementation of such a language, including a treatment of asynchronous commun...