lavalair session sid and brute force attack


    #16
    Server sessions are only safe if you know how to protect your site from other malicious attacks that you don't get with the session in the URL.
    You can't just change from a session in the URL to a server session and think that it is safer - (it's actually much more dangerous if unprotected)
    Last edited by something else; 20.05.15, 00:29.



    • wapxtech commented
      Cookies are much easier to steal than URL sessions

    #17
    Originally posted by something else
    Server sessions are only safe if you know how to protect your site from other malicious attacks that you don't get with the session in the URL.
    You can't just change from a session in the URL to a server session and think that it is safer - (it's actually much more dangerous if unprotected)

    Hi. You mean, like you mentioned in your previous topics, that hackers can make someone LOGOUT by just giving the link (if we use sessions)? You mean that, bro, right?



      #18
      Yes, not to mention many other ways, from cross-site scripting to an uploader session attack - and logging out could be the least of your worries.



        #19
        wapxtech commented
        Cookies are much easier to steal than URL sessions

        I wouldn't say either is easier to steal than the other - the only reason URL sessions get stolen more is because people don't know how to edit their own cookies in their web browser (vs. editing a URL, which is simple).


        Last edited by something else; 24.05.15, 06:46.



          #20
          Originally posted by something else
          wapxtech commented
          Cookies are much easier to steal than URL sessions

          I wouldn't say either is easier to steal than the other - the only reason URL sessions get stolen more is because people don't know how to edit their own cookies in their web browser (vs. editing a URL, which is simple).

          Yeah, it's much easier to copy and paste the URL, BUT if the dev adds some twist in his coding, it is much harder for the hacker to execute. For example, I will use a URL session, "BUT" I will add some random hashes (timestamps would do) that will be saved in the database and must match the URL session; if it does not match, it's invalid, so that copying and pasting the URL will not work. Plus, matching it with IP/browser: if you use another IP/browser, your session is invalid. If you were a real dev, it is easy for you to do that; I myself can. BTW, I'm using cookies (more professional and much cleaner URLs) on my site because I'm pretty sure my site is not vulnerable to XSS by simply using htmlentities() and htmlspecialchars().

          I'm telling this to motivate those who are using URL sessions and to give them a brilliant idea of how to improve their security.

          http://wapx.amob.com
          Applications, Games, Wallpapers, Ringtones, Videos, Themes, Screensaver and More!!!



            #21
            I would so love to challenge that your site is secure from all XSS attacks - could be fun, but I'm not going down that route.


              #22
              Sessions are creating a problem now. It's working fine for me, but my friends using UC Browser are getting logged out every time.



                #23
                UC Web browser is sh*t - I would not even bother trying to script something to make that web browser work.
                You won't get paid for any UCWeb traffic - so no point in trying to make your site work for a browser that sucks.
                However, if you really want that sh*t browser to work on your site, then take down your IP protection and it should work fine >.<
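
The scheme described in #20 (a random value saved server-side that the session id must match, plus a browser/IP check) together with the IP-check logout raised in #22 and #23, as an added PHP example that is not code from any poster or from Lavalair. The in-memory `$store` array standing in for the database table, the function names and every sample value are assumptions; the token comes from `random_bytes()` rather than a timestamp, because a timestamp can be guessed.

```php
<?php
declare(strict_types=1);

const SESSION_TTL = 1800; // seconds (constructed value)

// $store stands in for the sessions table (assumption). Rows are keyed by the
// SHA-256 of the token, so a leaked table does not contain usable session ids.
function issueSession(array &$store, int $uid, string $ua, string $ip, int $now): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not a timestamp
    $store[hash('sha256', $token)] = [
        'uid' => $uid, 'ua' => hash('sha256', $ua),
        'ip' => $ip, 'expires' => $now + SESSION_TTL,
    ];
    return $token;
}

// Returns the user id, or null when the token must be rejected.
function checkSession(array &$store, string $token, string $ua, string $ip, bool $bindIp, int $now): ?int
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    if ($row === null) {
        return null; // unknown or guessed token
    }
    if ($now >= $row['expires']) {
        unset($store[$key]); // expired: drop the row
        return null;
    }
    if (!hash_equals($row['ua'], hash('sha256', $ua))) {
        return null; // token pasted into a different browser
    }
    if ($bindIp && $row['ip'] !== $ip) {
        return null; // strict IP binding: any address change ends the session
    }
    $store[$key]['expires'] = $now + SESSION_TTL; // sliding expiry
    return $row['uid'];
}

// Constructed sample data (documentation IP ranges, made-up user agent).
$store = [];
$now = 1432450000;
$ua = 'ExampleBrowser/1.0 (constructed)';
$sid = issueSession($store, 42, $ua, '203.0.113.10', $now);

var_dump(checkSession($store, $sid, $ua, '203.0.113.10', true, $now + 60));        // same browser, same IP
var_dump(checkSession($store, $sid, 'Other/2.0', '203.0.113.10', true, $now + 60)); // copied to another browser
var_dump(checkSession($store, $sid, $ua, '198.51.100.7', true, $now + 120));       // IP changed, strict binding
var_dump(checkSession($store, $sid, $ua, '198.51.100.7', false, $now + 120));      // IP changed, binding off
```

With `$bindIp` set, the third call is rejected even though the browser is unchanged, which is the kind of logout reported in #22 and the reason #23 suggests removing the IP check.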
