Solved

Coldfusion - Session Hijacking

Posted on 2010-11-26
2
370 Views
Last Modified: 2012-05-10
Hello experts.
I found on this page :http://coldfusion.sys-con.com/node/46358 something about Man-in-the-Middle Attack (Session Hijacking).
Can i have please a code example from an expert to understand  how it works?
0
Comment
Question by:Panos
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 34220080

Always check the article date.  Recommendations and threats change rapidly.  Most of what that article says still applies, but ... it's from 2004.  So keep that in mind.  Check the comments here for important info about basic session hijacking with cf session variables
http://www.bennadel.com/blog/1537-The-Same-CFID-CFTOKEN-Values-Are-Used-Across-ColdFusion-Session-Timeouts.htm

MITM attacks aren't simple. They're not specific to CF and don't happen in CF code. They can apply to any web connection/application.  It usually involves an intruder with a packet sniffer. They use the program to monitor traffic between two computers (say a user and a server).  They then impersonate the other party by modifying the data.  There's a good diagram here:

http://www.owasp.org/index.php/Man-in-the-middle_attack
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

0
 
LVL 2

Author Closing Comment

by:Panos
ID: 34224073
Thank you for your help agx.
Could you write a  test code for my other question:http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/Cold_Fusion_Markup_Language/Q_26636239.html

how to control the number of times someone has been to the site in one second.......from this site:http://www.anujgakhar.com/2010/01/26/what-is-the-best-way-to-deal-with-spidersbotscrawlers/   #7
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article  is about submitting  form through  ColdFusion.Ajax.submitForm to the action page and send a response back in JSON format which later can be decoded using ColdFusion.JSON.decode. By this way you can avoid the usual page refresh for subm…
CFGRID Custom Functionality Series -  Part 1 Hi Guys, I was once asked how it is possible to to add a hyperlink in the cfgrid and open the window to show the data. Now this is quite simple, I have to use the EXT JS library for this and I achiev…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question