Internet Security Whitepapers

Session Fixation Vulnerability in Web-based Applications

Internet Security Whitepapers Session Hijacking

Web-based applications frequently use sessions to provide a friendly environment to their users. HTTP [1] is a stateless protocol, which means that it provides no integrated way for a web server to maintain states throughout user’s subsequent requests. In order to overcome this problem, web servers – or sometimes web applications – implement various kinds of session management. The basic idea behind web session management is that the server generates a session identifier (ID) at some early point in user interaction, sends this ID to the user’s browser and makes sure that this same ID will be sent back by the browser along with each subsequent request. Session IDs thereby become identification tokens for users, and servers can use them to maintain session data (e.g., variables) and create a session-like experience to the users.

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Internet Security Whitepapers Session Hijacking

Session hijacking can be done at two levels: Network Level and Application Level. Network layer hijacking involves TCP and UDP sessions, whereas Application level session hijack occurs with HTTP sessions. Successful attack on network level sessions will provide the attacker some critical information which will than be used to attack application level sessions, so most of the time they occur together depending on the system that is attacked. Network level attacks are most attractive to an attacker because they do not have to be customized on web application basis; they simply attack the data flow of the protocol, which is common for all web applications.

Session Hijacking in Wireless Networks

Internet Security Whitepapers Session Hijacking

The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key or Id - to attain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of the magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

Session Management in Web Applications

Internet Security Whitepapers Session Hijacking

Many web applications still suffer from weak session management. For "medium security", a good cookie-based standard solution can be sufficient. For higher security needs, a Dynamic Link-based approach is recommended. Each web application should be checked against all problem categories mentioned above. Never trust user input.

SIP Proxy Test Specification Reference

Internet Security Whitepapers VoIP Hacking

This document gives a quick overview about the all elements and attributes of a test case specification.

SIP Proxy User Documentation

Internet Security Whitepapers VoIP Hacking

This document will describe how to use the SIP Proxy application. SIP Proxy is an open source testing tool which can sniff SIP traffic or perform SIP related security tests. This tool should assist security analysts in finding security flaws within a VoIP environment. Security engineers have the opportunity to add custom test cases. SIP Proxy includes fuzzing technology which is a kind of black-box testing. A fuzzed attack may include random generated data to discover security flaws which are hard to find with conventional testing techniques. Hence it can help to improve the security of VoIP infrastructures. Since SIP Proxy is published under the "GNU Public License", its source and software releases are freely available at

Sniffers Basics and Detection

Internet Security Whitepapers Sniffers

A sniffer is a program or a device that eavesdrops on the network traffic by grabbing information travelling over a network. Sniffers basically are "Data Interception" technology. They work because the Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for the computer can be read by another computer on that network.

Social Engineering - A Real Story in a Multi-national Company

Internet Security Whitepapers Social Engineering

"Hi! You must be Jan, pleasure to meet you! I just got off the phone with Jim in accounting who assured me you could direct me to the executive VP wing", "Pleasure to finally meet you! "I'm Rob Eldridge, the new Y2K Analyst." "I've been doing some Y2K Audits over in San Francisco in our branch office there. Looks like they finally broke down and sent me to Vegas!".

Social Engineering: Security Awareness Series

Internet Security Whitepapers Social Engineering

Understand the principles of social engineering. Define the goals of social engineering. Recognize the signs of social engineering. Identify ways to protect yourself from social engineering.

Social Engineering: Techniques that can bypass Intrusion Detection Systems

Internet Security Whitepapers Social Engineering

The purpose of this paper is to explain how Social Engineering can defeat Intrusion Detection (ID) Systems. As we now enter the 21st Century, the computer age and cyber warfare is in full swing. Companies and organizations are still not fully addressing or understanding the issue of Social Engineering. The concept of Social Engineering can cause destruction to networks and cost companies millions of dollars. This paper will try to bring to light exactly how Social Engineering exposes the vulnerabilities of Intrusion Detection Systems and what can be done to protect ourselves against these vulnerabilities.