Chris Shiflett's Profile

Last 10 Comments

1

Thanks for the kind words, Simon.

I'm glad you liked the tutorial. In case it's helpful, here's a link to the slides on SlideShare:

http://slideshare.net/shiflett/evol...of-web-security

Thanks again, and I agree with everything you said about Webstock. People love things that are made with love. :-)

Posted in /blog/2010/feb/webstock.

Fri, 05 Mar 2010 at 11:55:02


2

Hi Robin,

I plan to post something about it, but it's going to be hard to express everything in writing.

The short summary is Webstock is the best conference I've ever been to, and I've been to a lot of conferences.

More soon, I hope!

Posted in /blog/2010/feb/webstock.

Fri, 05 Mar 2010 at 11:49:53


3

Interesting find, Morten.

I really wish fewer sites tried to sweep this sort of thing under the rug; there's a lot that we could learn if they were more open about the security problems they encounter. I'm glad you wrote about it; I'll have a read.

Posted in /blog/2009/nov/facebook-myspace-and-crossdomain.xml.

Thu, 11 Feb 2010 at 20:36:04


4

Thanks, John. Friendly and trustworthy are high compliments. Much appreciated. :-)

Sorry about the OpenID implementation, Stelian. I'm busy right now with Analog, so fixing that's not a priority, but I do plan to fix it pretty soon. I'll try to also add a way for people to claim old comments when I do, or I can at least do it manually for you.

I love Arsenal's style, Radoslav, and it was super fun to be able to see a match. I don't own a TV, and I rarely get the chance to see them play at all, so it was a real treat to see them in person. That was my first (and so far, only) Premiership match.

Thanks for commenting. :-)

Posted in /blog/2010/jan/2009-highlights.

Sat, 16 Jan 2010 at 18:42:04


5

Hi Jhon,

I'm using a simple technique I describe in another post:

Allowing HTML and Preventing XSS

Hope that helps!

Posted in /blog/2005/jan/xss-cheatsheet.

Thu, 14 Jan 2010 at 21:38:34


6

Hi again, mh,

I see what you're thinking now. Creating a fingerprint isn't very useful if you're just going to use it to make sure some HTTP headers remain consistent. For that, you can simply compare those values, and there's no reason to use md5() or salting at all.

This technique, which is valid but a little outdated, is to create a fingerprint that is stored on both the client and the server. It is passed using a different method of propagation than the cookie, so that even if the cookie and all HTTP headers are captured by an attacker, they cannot be replayed to hijack the session. Something extra is needed.

The real purpose of the article is to help you understand how sessions work, what some of the potential weaknesses are, and how you can enhance it slightly to complicate some of the more common attacks.

I'm more fond of trending these days, where you record trends in a particular user's requests and use that to detect anomalies in behavior. If you get the balance right, session hijacking becomes very difficult, and legitimate users aren't constantly being prompted for their password.

Hope this helps.

Posted in /articles/the-truth-about-sessions.

Thu, 14 Jan 2010 at 21:29:23
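The fingerprint scheme described in the comment above (and revisited in comment 9), as an added illustration that is not code from the original article or from the commenter: the session id travels in the cookie, an extra token travels by a different route (here assumed to be a hidden form field), and the server keeps a keyed hash over the User-Agent and that token. The secret, the store, and the sample User-Agent are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret used as the salt; a real deployment
# would load this from configuration rather than hard-code it.
SECRET = b"constructed-secret-for-demo"


def compute_fingerprint(user_agent: str, token: str) -> str:
    """Keyed hash over the User-Agent header and the extra token.

    The token is the "something extra": it is propagated outside the
    cookie (e.g. a hidden form field), so a captured cookie plus the
    HTTP headers is not enough to reproduce this value."""
    msg = f"{user_agent}\x00{token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> fingerprint

    def start(self, user_agent: str) -> Tuple[str, str]:
        """Create a session; the id goes in the cookie, the token goes
        into the page (hidden field), never into a cookie."""
        session_id = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self._sessions[session_id] = compute_fingerprint(user_agent, token)
        return session_id, token

    def validate(self, session_id: str, user_agent: str,
                 token: Optional[str]) -> bool:
        """True only if cookie, User-Agent and separately propagated
        token all match what was recorded when the session started."""
        stored = self._sessions.get(session_id)
        if stored is None or token is None:
            return False
        return hmac.compare_digest(stored, compute_fingerprint(user_agent, token))


def demo() -> Dict[str, bool]:
    """Constructed scenario: one legitimate request, then two replays
    built only from what a captured cookie and headers would yield."""
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed sample User-Agent)"
    sid, token = store.start(ua)
    return {
        "legitimate": store.validate(sid, ua, token),
        "cookie_and_headers_only": store.validate(sid, ua, None),
        "cookie_headers_guessed_token": store.validate(sid, ua, "deadbeef"),
    }
```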


7

Scott, I've been funemployed for a little more than five months now, but I hope to make some money pretty soon. What was your final score?

I may have to resort to winning on a technicality. I'm a founding member of Analog and not technically employed. :-)

Posted in /blog/2009/dec/hello-analog.

Sun, 03 Jan 2010 at 11:57:57


8

Thanks for the comment, Dan. With members from both the US and the UK, forming as a co-operative was a complex and tedious endeavor. If it wasn't so important to us, it would have been difficult to persevere. I'm glad we did, and I'm glad people like you understand why it's so important. Thanks! :-)

John, I know some great bars in Brooklyn. I may take you up on that offer. Thanks. :-)

LP, thanks for the vote of confidence. I'm looking forward to Montréal; see you there!

Posted in /blog/2009/dec/hello-analog.

Sun, 03 Jan 2010 at 10:49:42


9

mh wrote:

In your article, you mix up where the session data is stored.

No, but it seems you are.

The point of having a fingerprint in addition to the session identifier is not just a means of forcing the attacker to reproduce the HTTP headers, although that is somewhat helpful. Over the years, most attacks that have been used to steal cookies also allow access to the HTTP headers, because they involve the victim visiting the attacker's site. Having something else makes session hijacking more difficult.

This article needs updating, because I prefer other techniques now (trending, for example), but the theory is sound, and it teaches valuable lessons.

Hope that helps.

Posted in /articles/the-truth-about-sessions.

Sun, 03 Jan 2010 at 10:35:09


10

Thanks so much for your support, Ben. :-) Hope you have a fantastic 2010.

Thanks to you, too, Himlal. We could use some good luck!

Posted in /blog/2009/dec/hello-analog.

Fri, 01 Jan 2010 at 11:50:00


Stats

  • Member Since: 07 Sep 2004
  • Comments: 687

Web Site

shiflett.org

Work and Books

Analog Essential PHP Security HTTP Developer's Handbook