Session hijacking attacks attempt to steal the authentication credentials of an authorized user who logged into a system and then reuse those credentials to gain access to the system. In this video, learn how attackers exploit cookies to steal session credentials and the ways that security professionals can defend against these session hijacking attacks.
- [Narrator] Cookies are often used…for web application authentication.…After a user logs into a system,…the web server provides a cookie,…so that the user doesn't need to continuously…log into the system,…every time he or she requests a new webpage.…Presenting the cookie with each request,…causes the web server…to reference the earliest successful login.…One major flaw, with some web applications,…is that they don't use random cookies.…Instead, they use a guessable value.…Let's go ahead and take a look at an example.…
Once again, we'll turn to the…WebGoat application security demonstration tool,…and the ZAP web proxy.…This time, we're using a simple web application,…that asks for a username and a password,…and has a login button.…I have two accounts that I know exist on this server,…and I'm going to ahead and start the ZAP application proxy,…and tell it to intercept the login request.…I go back to the application.…The first time, I'll log on with the 'webgoat' account,…and click the login button.…
ZAP intercepts that request,…
This course—along with the others in this nine-part series—prepare you for the CISSP exam and provide you with a solid foundation for a career in information security.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Software development methodologies
- Operation, maintenance, and change management
- Cross-site scripting
- Preventing SQL injection
- Overflow attacks
- Malicious add-ons
- Secure coding practices
- Code signing
- Risk analysis and mitigation
- Software testing
- Acquired software