Collaborate Disseminate
I understand that the idea of a session was conceived originally to improve user experience with Web applications. I also understand that session implementation can introduce attack vectors if not done securely i.e., if session ID can be s… Continue reading Is Web session required for app security?
I understand session hijacking has been a widespread attack vector in the past months.
If an attacker steals a user’s session cookies, they can bypass 2FA and login/password.
If this is the case, how can the victim identify they’ve been se… Continue reading Identifying a session hijacking attack [closed]
I’m building a website with Patreon integration and I have identified the need to store Patreon user’s OAuth2 token in the database. I’m wondering what’s the best way to do that, security-wise. Some considerations:
The token doesn’t give … Continue reading What are the best practices to safely store OAuth2 tokens in a database?
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
Payload (usually a json string). In m… Continue reading What type of token is this?
This question is inspired by looking at the functionality of the Flask-Login extension for the Python’s Flask Framework (Web Framework).
This extension generates a session identifier using the user’s ID and storing it in Flask’s Session, a… Continue reading Session Identifier: User-specific data in signed cookie vs Randomly generated session identifier
I’m testing a web application and I found information about sessions that the web application used appears in the source code
for example, they write: we use jsession for a user from the browser and route id and something like that
My ques… Continue reading Information from source code
Log in time outs can be a pain we all know. However maintaining "logged in" status whereby even if I refresh a previously open tab the next day (I hibernate my laptop each night so Chrome does not get shut down) I have full acces… Continue reading My logged in status is being maintained 36 hours after initial login on an online account
I’ve seen a lot of shops selling WhatsApp account sessions lately, in a format similar to this:
1.251946579926
2.T1k05SxG7N+k0BkVjtX1h6qiS0ui/Y9/AYFxu2ope0E= public key
3.GMYQ45K59y3qEuxIUUDeQbhm0nZcjpvy9oMJlT1KIUY=
4.LBoUgY8awL91jawHMCftU… Continue reading How to Hack WhatsApp Account Sessions? [closed]
I saw a setup recently where frontend and resource servers were hosted on subdomains of the same second level domain. E.g. ui.example.com and api.example.com.
It had an interesting authentication flow that seemed like a variant of the refr… Continue reading Security implications of using the current session to mint new access tokens
The Double Submit Cookie CSRF Token pattern is a stateless technique that doesn’t require storage or a database. However, it’s vulnerable to session hijacking attacks and sub-/sibling domains that are susceptible to XSS or HTML injection. … Continue reading Session based CSRF Tokens – What value do i use with JWT?