-
May 19th, 2002, 09:05 PM
#1
Member
ASP session objects
Can Session object protected sites be hacked?
For example:
<!--This is the login page. If the correct uid and pwd
are entered then a session object is created-->
<%
If Request("User") = "Tom" And Request("Pwd") = "secret" Then
Session("Access") = "Granted"
End If
%>
Then at the top of private.asp
<%
If Session("Access") <> "Granted" Then
Response.Redirect("Logon.asp")
End If
%>
<html>
...
Thanks
-
May 19th, 2002, 11:54 PM
#2
Quite often, yes, but not via the session object.
The session object is secure *unless* you do a cross-site scripting attack and steal cookies
(which is tricky and you need to be able to inject HTML into the pages of the site).
Most often there are some pages which fail to properly check the contents of the session object, or the login pages are themselves flawed.
One which I see most often is doing an SQL query with failure to properly escape quotes, so watch for that.
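The login flaw the reply above warns about (a SQL query built without escaping quotes) is shown here beside a parameterized version, as an added example that is not part of either post. The `Users` table, its `UserName` and `Pwd` columns, and the `Application("ConnStr")` connection string are assumptions made for illustration.

```asp
<%
' Added example: Logon.asp backed by a database lookup instead of a
' hard-coded user. Assumed (not from the thread): a Users table with
' UserName and Pwd columns, and a connection string in Application("ConnStr").
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adVarChar = 200    ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' FLAWED (left commented out): input is pasted into the SQL text, so a
' quote character in either field changes the structure of the query.
' Set rs = conn.Execute("SELECT UserName FROM Users WHERE UserName = '" & _
'     Request("User") & "' AND Pwd = '" & Request("Pwd") & "'")

' CORRECTED: the SQL text is fixed and the input travels as bound
' parameters, so quotes in it are treated as data, never as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserName FROM Users WHERE UserName = ? AND Pwd = ?"
' Request.Form reads only the POST body; Left() keeps each value within
' the declared parameter size.
cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, _
    50, Left(Request.Form("User"), 50))
cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, _
    100, Left(Request.Form("Pwd"), 100))
Set rs = cmd.Execute

' Grant access only when a matching row came back.
If Not rs.EOF Then
    Session("Access") = "Granted"
End If
rs.Close
conn.Close

If Session("Access") = "Granted" Then
    Response.Redirect "private.asp"
End If
%>
```

The `Session("Access")` check from the first post still has to sit at the top of every private page; placing it in one shared include file avoids the missed-page problem the reply mentions.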