
Update: Session Management Cheat Sheet - Broken "Session Fixation" Black Hat Resource Links #1481

Open
rjacobs-CityOfWichita opened this issue Sep 5, 2024 · 2 comments
Assignees
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@rjacobs-CityOfWichita

What is missing or needs to be updated?

The two links included under the Transport Layer Security section of the Session Management Cheat Sheet (which presumably provide examples and/or a more detailed explanation) regarding Session Fixation attacks are broken. They're supposed to link to some Black Hat EU presentation slides. Instead, when you open either of them, you receive an "Access Denied" response from media.blackhat.com.

> The usage of an encrypted communication channel also protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim's web browser (see here and here).

How should this be resolved?

I see two options

  1. The links could be removed entirely.
  2. The links could be replaced with an updated permalink to the intended slides or with alternative, but equivalent resource references.

Personally, I think Option 2 is more beneficial, especially as someone who was hoping to use the linked resources to better understand Session (Cookie) Fixation attacks.
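As an added illustration (not part of this issue or of the cheat sheet itself), a minimal Python session store showing the server-side defenses that make a fixed session ID useless even where the transport is not protected: cookie values the server never issued are discarded rather than adopted, the ID is rotated when the user authenticates, and the cookie is flagged `Secure` and `HttpOnly` so it is not sent in the clear or readable by scripts. The class and function names are hypothetical.

```python
# Added example: server-side session handling hardened against session fixation.
# Not the cheat sheet's or the issue author's code; names are hypothetical.
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"


class SessionStore:
    """Only server-issued session IDs are honoured; the ID is rotated at login."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data (constructed, in-memory)

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG: unpredictable, so an attacker
        # cannot guess an ID and can only try to plant one of their own choosing.
        return secrets.token_urlsafe(32)

    def lookup(self, cookie_header):
        """Return (session_id, data) for a known ID, else start a fresh anonymous session.

        A cookie value the server never issued (for example one an attacker fixed
        on the victim's browser) is ignored and replaced, never adopted.
        """
        jar = SimpleCookie(cookie_header or "")
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid]
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid, self._sessions[sid]

    def login(self, old_sid, username):
        """Bind the user to a NEW session ID and invalidate the pre-authentication one.

        Even if the attacker knew the old ID, it no longer maps to the logged-in session.
        """
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = self._new_id()
        data["user"] = username
        self._sessions[new_sid] = data
        return new_sid


def set_cookie_header(sid):
    """Set-Cookie value: Secure keeps the ID off plaintext HTTP, HttpOnly keeps it from scripts."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```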

@rjacobs-CityOfWichita rjacobs-CityOfWichita added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Sep 5, 2024
@jmanico
Member

jmanico commented Sep 6, 2024

Session fixation is rather old school. I am happy to have these deleted. If you see a better reference we'll take it. Would you care to submit a PR for this either way?

@rjacobs-CityOfWichita
Author

rjacobs-CityOfWichita commented Sep 6, 2024 via email

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. labels Sep 9, 2024