Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Let’s say a page is shown to an authenticated user with various deletion links on it. Each link has a nonce. What’s to prevent a hacker from having sniffed that connection and gotten the nonce, and then immediately using it to delete a bunch of data by spoofing the authenticated user and using the nonce?
Nothing. SSL can help a bit by preventing the sniffing. What you are referring to is called Session Sidejacking
http://en.wikipedia.org/wiki/Session_hijacking
I have also desribed here how you can easily sidejack a
Facebook Session:
http://madhur.github.com/blog/2011/06/12/facebooksessionhijacking.html
LinkedIn Session:
http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/