Is HTTPS the only defense against Session Hijacking in an open network?


Question



So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).

From my understanding, this also means that an HTTPS-secured login does not solve this alone, as further HTTP traffic would include the Session Cookie in clear text again.

Tying the session to a specific IP address is useless thanks to NAT, and tying it to the user agent is easy to spoof.

So is 100% HTTPS at all times the only way to prevent this type of session hijacking? Couldn't people simply sniff the entire HTTPS Traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area.)

Of course, not using public/open Wi-Fi Networks is the better choice, but I'm still interested in what a website developer can do to protect his/her users.

Solution

Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using Session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies that fear 1 line of JavaScript.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session and this is a part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1) Use httponly cookies.

2) Use "secure cookies" (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)

3) Scan your web application for XSS.

Also don't forget about CSRF! (Which Firesheep doesn't address.)
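As an added example (not part of the original answer, and not the asker's code), here is a small Node.js helper that emits a session cookie with the flags the answer lists and audits Set-Cookie headers for the missing ones. The function names and the sample headers are constructed for this illustration.

```javascript
// Added example: build a session cookie with the protections the answer
// recommends, and audit arbitrary Set-Cookie headers for the ones they lack.
// sessionCookieHeader / parseSetCookie / auditSetCookie are this example's own names.

// Secure: the browser never sends the cookie over plain http:// (Firesheep's case).
// HttpOnly: page scripts cannot read it through document.cookie (XSS theft).
// SameSite=Lax/Strict: not attached to cross-site requests (the CSRF point).
function sessionCookieHeader(sessionId, { name = "sid", sameSite = "Lax" } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error("invalid session id");
  return `${name}=${sessionId}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the list of protections a Set-Cookie header is missing (empty = hardened).
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.secure) missing.push("Secure");     // leaks on any http:// request
  if (!attrs.httponly) missing.push("HttpOnly"); // readable via document.cookie
  const ss = String(attrs.samesite || "").toLowerCase();
  if (ss !== "lax" && ss !== "strict") missing.push("SameSite"); // sent cross-site (CSRF)
  return missing;
}

// Constructed sample headers: a typical weak cookie and one built with the helper.
const weakHeader = "sid=abc123; Path=/";
const hardenedHeader = sessionCookieHeader("c0ffee1234");

console.log("weak     :", auditSetCookie(weakHeader));     // [ 'Secure', 'HttpOnly', 'SameSite' ]
console.log("hardened :", auditSetCookie(hardenedHeader)); // []
```

Run the audit against the Set-Cookie headers your application actually emits; any non-empty result is a cookie that Firesheep-style sniffing or XSS could still capture.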
