如何避免在burpsuite中查看Cookie ASP.NET _SessionId值 [英] How to avoid Viewing Cookie ASP.NET _SessionId value in burpsuite

问题描述

我想避免查看Cookie ASP.NET _SessionId值.我们的测试人员团队正在与另一个用户一起改变价值，并在Burp Suite中进行中间攻击.
为此，我可以使用Asp.net Web窗体应用程序.还可以使用身份验证令牌逻辑，但是该令牌在Burp Suite中也是可见的并且可以更改.

I want to avoid viewing Cookie ASP.NET _SessionId value . Our Tester team is changing the value with another user and doing Man in middle attack in Burp Suite.
Any sokution for this.I am using Asp.net Web form application.Also I used Authentication token logic but that token is also visible and able to change in Burp Suite.

推荐答案

因此，他们正在将会话ID更改为通过与另一位用户成功进行身份验证而获得的会话ID，这是什么问题?

如果他们两个用户都有有效的用户名和密码，则更改会话ID并不表示他们入侵了任何东西.

为什么说这是中级攻击的人?
他们实际上应该做什么，这是他们不应该做的? (知道他们两个用户都有有效的用户名和密码)

So they''re changing the session id to another one that they got by successfully authenticating with another user... so what''s the issue?

If they have valid username and passwords for both users, changing the session id doesn''t mean that they hacked anything.

Why do you say this is a man in the middle attack?
What can they actually do that they weren''t supposed to? (knowing that they have valid username and password for both users)

这篇关于如何避免在burpsuite中查看Cookie ASP.NET _SessionId值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！