My blog has moved and can now be found at http://blog.aniljohn.com

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Friday, March 5, 2004
« DevDays 2004 - Washington D.C. | Main | Analysis of E-Business Applications by @... »

Jeff Schoolcraft made a comment on Andrew's weblog entry that:

"I must say I am somewhat disappointed that there were no examples on how cookie or session hijacking happens. It was professed to be a terrible thing, which it [hijacking] probably is, however, I would have loved to see an example of this. SQL Injection any shmuck can type ' OR 1=1 -- but what skillset, level of effort does it take to hijack a session?"

To answer your questions:

  1. Cookie and Session hijacking were indeed demonstrated in the 2nd Session, when Dwayne used a Cross-Site Scripting attack to post the Cookie information and the Session Id info from a Search site onto another site. And I in my demo's showed you possible counters to this attack. What was NOT demonstrated was a cookie replay attack, which I believe was not done in the interest of time more than anything else.

    Note that the “session hijacking” I refer to here is getting access to the ASP.NET Session Id and doing nasty, evil things with it. I am not referring to TCP Session hijacking, which referes to an attack used by a cracker to take over a TCP session between two machines. The defense against this type of attack is more on the Admin side rather than the Dev side.

  2. As to SQL Injection, it does not take much to type in the stuff for SQL Injection, but Dwayne in his session demonstrated more than that.  He showed how using SQL Injection, you can actually gather enough information on the Database schema to craft a SQL statement that allows you to taint a database. And in my session, I showed possible counters to this attack as well.
In any developer event, there is going to be a cross-section of skill levels and knowledge represented.  As both Andrew and I noted, our informal conversations after the presentations seemed to indicate that the majority of the people who came out did seem to get a great deal of value out of the sessions. At the same time, there will definitely be people there who already "get" it.
 
I am actually gratified to hear that Jeff did not find anything new here. That is a GOOD thing, which means that more and more developers are integrating Security into their every day lives and Microsoft's message about building in Secure Coding practices into the development lifecycle is getting through!
 
The 4 sessions are the real meat of the day. As to the keynotes and the vendor demos, I really can't speak to them, except to say that depending on your level of interest in the topic presented they may or may not have been interesting for you. For example, someone I spoke with was very interested in the information that was presented about SQL Server reporting services.
 
Please do keep the feedback coming and if you did not get a chance to do it on the eval form, make sure you contact the DevDays folks @
 
Tags:: Security
3/5/2004 10:08 AM Eastern Standard Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.