Is it possible to hack someone's session variables and create a new shadow user?
是否有可能破解某人的会话变量并创建一个新的影子用户?
What are the common ways of avoiding such surprizes?
避免这种过度刺激的常见方法有哪些?
SSL certificate installation or ....?
SSL证书安装还是......?
2 个解决方案
#1
Short answer... it depends.
简短回答......这取决于。
Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc... another thing to note is how the client session is maintained (query string value, cookies etc...)
ASP.NET中的会话可以以多种方式存储(InProc / SQL Server / State Server)等...另外需要注意的是如何维护客户端会话(查询字符串值,cookie等...)
As the poster in this answer suggests
正如这个答案中的海报所示
Can we hack a site that just stores the username as a session variable?
我们可以破解只将用户名存储为会话变量的网站吗?
One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.
在对Session进行身份验证并将其名称存储在Session中时,您可以做的一件事就是存储一些有关它们的其他信息。例如他们的UserAgentString,他们的IP地址以及如果不同的IP或UserAgentString尝试与会话交互,您可以使其无效。
#2
Anything is possible, however by default it's hard.
一切皆有可能,但默认情况下很难。
Generally you hijack a session by stealing the session cookie and recreating it on another machine. However in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If if you do end up vulnerable the ASP.NET session cookie is marked as HTTP Only, which means, if a browser supports it, it is not accessible to access from client side scripts (although Safari ignores this setting).
通常,您通过窃取会话cookie并在另一台计算机上重新创建会话来劫持会话。但是,为了做到这一点,网站必须容易受到跨站脚本攻击(当您回显用户输入时,可以使用Server.HtmlEncode来缓解该站点脚本)。如果最终易受攻击,则ASP.NET会话cookie被标记为仅HTTP,这意味着,如果浏览器支持它,则无法从客户端脚本访问它(尽管Safari忽略此设置)。
#1
Short answer... it depends.
简短回答......这取决于。
Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc... another thing to note is how the client session is maintained (query string value, cookies etc...)
ASP.NET中的会话可以以多种方式存储(InProc / SQL Server / State Server)等...另外需要注意的是如何维护客户端会话(查询字符串值,cookie等...)
As the poster in this answer suggests
正如这个答案中的海报所示
Can we hack a site that just stores the username as a session variable?
我们可以破解只将用户名存储为会话变量的网站吗?
One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.
在对Session进行身份验证并将其名称存储在Session中时,您可以做的一件事就是存储一些有关它们的其他信息。例如他们的UserAgentString,他们的IP地址以及如果不同的IP或UserAgentString尝试与会话交互,您可以使其无效。
#2
Anything is possible, however by default it's hard.
一切皆有可能,但默认情况下很难。
Generally you hijack a session by stealing the session cookie and recreating it on another machine. However in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If if you do end up vulnerable the ASP.NET session cookie is marked as HTTP Only, which means, if a browser supports it, it is not accessible to access from client side scripts (although Safari ignores this setting).
通常,您通过窃取会话cookie并在另一台计算机上重新创建会话来劫持会话。但是,为了做到这一点,网站必须容易受到跨站脚本攻击(当您回显用户输入时,可以使用Server.HtmlEncode来缓解该站点脚本)。如果最终易受攻击,则ASP.NET会话cookie被标记为仅HTTP,这意味着,如果浏览器支持它,则无法从客户端脚本访问它(尽管Safari忽略此设置)。