Ebay - Advertisement

Sunday, June 5, 2011

Session Puzzling

Session Puzzling is a new type of application-level vulnerabilities that could enable attackers to perform a variety of malicious actions not limited to:

  • Bypass authentication and authorization enforcement mechanisms
  • Elevate privileges
  • Impersonate legitimate users
  • Avoid flow enforcement restrictions
  • Execute “traditional attacks” (such as injections) in locations that were previously considered safe
  • Affect content delivery destination
  • Cause unexpected application behaviors
  • Shay Chen, a friend and known security specialist presented this new kind of attack at Israeli local OWASP chapter meeting.

    More information could be found here