Figure:
The figure below is taken from a security report written by the test team. It has a few minor problems, but redrawing it would have meant hunting for the right shapes in Visio, so I am reusing someone else's picture.
Description:
Here is a detailed description of the steps in the diagram above:
1. The hacker logs in with his own account; assume the login page is http://www.abc.com/login.jsp
2. The server returns "login successful".
3. The hacker reads his own session ID from the cookie, for example 1234.
4. The hacker sends an address carrying his own session ID to an ordinary user: http://www.abc.com/login.jsp;jsessionid=1234 (the way the session ID is carried in the URL differs by language; this is the JSP form).
5. The user logs in with his own account at the address the hacker sent, and the login succeeds. (The user's login information now overwrites the hacker's earlier login information, and two people share the same session ID.)
6. The hacker refreshes the page and sees the user's account information instead of his own.
Prevention and control:
Prevention is also simple: when the user logs in, invalidate the existing session (the Session.invalidate() method) and then save the login information in a new session.
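The fix described above, written out as a Servlet login handler (an added example, not code from the original post). The servlet, its class name and the `authenticate` hook are assumptions; the `javax.servlet` calls are the standard Servlet API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login handler that closes the session fixation hole from the steps above:
 * whatever session id the browser arrived with (possibly one chosen by the
 * attacker and delivered as ;jsessionid=...) is discarded on successful login
 * and a fresh id is issued, so the attacker's copy of the id maps to nothing.
 */
public abstract class SafeLoginServlet extends HttpServlet {

    /** Application-specific credential check (hypothetical hook, supplied by a subclass). */
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (user == null || pass == null || !authenticate(user, pass)) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }

        // Step 4 of the attack relies on the id travelling in the URL path;
        // record that fact so it shows up in the server log.
        boolean idFromUrl = req.isRequestedSessionIdFromURL();

        // Invalidate the pre-login session regardless of where its id came from:
        // an id known before authentication must never become an authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // getSession(true) after invalidate() creates a brand-new session with a new id.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);
        if (idFromUrl) {
            log("login for " + user + " arrived with a URL session id; new id issued");
        }

        // Plain redirect, deliberately not encodeRedirectURL(): the new id is
        // carried by the session cookie and never appended to the URL.
        resp.sendRedirect(req.getContextPath() + "/home.jsp");
    }
}
```

On Servlet 3.0 or later, adding `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` to web.xml makes the container ignore the `;jsessionid=` path parameter entirely, which removes the delivery channel used in step 4.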
Postscript:
You may be like me: when I first read about this I tested it myself and could not get the phishing to work. After further testing it did succeed, but during testing you need to pay attention to the following issues:
1. Be aware of how the language you are using carries the session ID in the URL. (When I tested I started by writing Jsessionid with an uppercase letter in the URL, which meant it never worked.)
2. The action of the login form on the http://www.abc.com/login.jsp;jsessionid=1234 page must also carry the jsessionid, otherwise it is useless. You might think that if the action of the login.jsp form were hard-coded instead of read from the current URL, this phishing problem could not occur. That only defends against one direction. A hacker can build a page identical to login.jsp (such as http://www.abc1.com/login.jsp), send that address to a client, and the form on that page can be: <form action="http://www.abc.com/login.jsp;jsessionid=1234" ....
[Author]: bearrui (AK-47)
[Blog]: http://www.cnblogs.com/BearsTaR/