Is HTTPS the only defense against Session Hijacking in an open network?


Question

So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).

From my understanding, this also means that an HTTPS-secured login does not solve this alone, as further HTTP traffic would include the Session Cookie in clear text again.

Tying the session to a specific IP address is useless thanks to NAT, and tying it to the user agent is easy to spoof.

So is 100% HTTPS at all times the only way to prevent this type of session hijacking? Couldn't people simply sniff the entire HTTPS Traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area.)

Of course, not using public/open Wi-Fi networks is the better choice, but I'm still interested in what a website developer can do to protect his/her users.

Recommended answer

Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using Session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies that fear 1 line of JavaScript.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session and this is a part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1) Use HttpOnly cookies.

2) Use "secure cookies" (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)

3) Scan your web application for XSS.

Also don't forget about CSRF! (Which Firesheep doesn't address.)
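An added example in Python (not code from the original answer or from any project it mentions) that emits a session cookie with the Secure and HttpOnly flags from items 1 and 2 and audits Set-Cookie headers for the flags that are missing. The SameSite attribute, the `hardened_session_cookie` / `audit_set_cookie` names and the sample headers are my additions, not part of the answer.

```python
"""Added example (not part of the original answer or any project): emit a
session cookie with the flags the answer recommends and audit Set-Cookie
headers for the ones that are missing. All sample headers are constructed."""
from typing import Dict, List, Tuple


def hardened_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header value for a session ID.

    Secure   -> the browser only sends it over HTTPS, so a Firesheep-style
                sniffer on open Wi-Fi never sees it in a plain-HTTP request.
    HttpOnly -> document.cookie cannot read it, limiting theft via XSS.
    SameSite -> not in the answer; added as a browser-side CSRF mitigation.
    """
    return "; ".join([f"{name}={value}", f"Max-Age={max_age}", "Path=/",
                      "Secure", "HttpOnly", "SameSite=Lax"])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses of one Set-Cookie header (empty list = hardened)."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # sent in clear over HTTP, sniffable
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable from document.cookie (XSS)
    if "samesite" not in attrs:
        findings.append("missing SameSite")    # no browser-side CSRF defence
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")  # browsers reject it otherwise
    return findings


if __name__ == "__main__":
    # Constructed sample: a typical session cookie with no protective flags.
    print(audit_set_cookie("PHPSESSID=1a2b3c4d; Path=/"))
    print(audit_set_cookie(hardened_session_cookie("sid", "c0ffee")))
```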
