I've noticed that ISPs have started hijacking DNS errors and show their own error pages instead (complete with annoying graphics and ads). Is there any way to fix this, or are they doing it on their network outside of my control?
Note that I've not installed...
Started by Jon B, 5 posts by 5 people.
Answer Snippets (Read the full thread at superuser):
You can opt out of Comcast's DNS hijacking
Verizon simply.
But I don't think you would want to do this.
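An added check for the behaviour the question describes (not code from the thread): a resolver that honours the DNS must answer NXDOMAIN for a long random label under a real TLD, while an ISP that rewrites errors answers with an address, and the same address for every probe. The function takes the resolver as a parameter so it can be run offline against the constructed stand-ins below; the name `system_resolver` and the sinkhole address `198.51.100.10` are assumptions for the example.

```python
"""Detect NXDOMAIN hijacking by resolving names that cannot legitimately exist.

Added example, not part of the original thread. Pass `system_resolver` to test
the resolver the OS is configured with; the fake resolvers are constructed
stand-ins so the detector can be exercised without network access.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a name to its IPv4 addresses, or None on NXDOMAIN / failure.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Resolve with the OS stub resolver (whatever the ISP or DHCP handed out)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return None


def random_name(tld: str = "com", length: int = 20) -> str:
    """A label long and random enough that it will not exist by accident."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(random.choices(alphabet, k=length))
    return f"{label}.{tld}"


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3,
                           tld: str = "com") -> Dict[str, object]:
    """Resolve several random names and report whether error rewriting is evident.

    'suspicious' is set when any random name resolved at all; 'hijacked' when
    every probe resolved and all of them returned the same address set, which
    is the signature of an ISP search portal standing in for NXDOMAIN.
    """
    answers: Dict[str, Optional[List[str]]] = {}
    for _ in range(probes):
        name = random_name(tld)
        answers[name] = resolve(name)
    resolved = [tuple(a) for a in answers.values() if a]
    hijacked = len(resolved) == probes and len(set(resolved)) == 1
    result: Dict[str, object] = {
        "suspicious": bool(resolved),
        "hijacked": hijacked,
        "answers": answers,
    }
    if hijacked:
        result["sinkhole"] = list(resolved[0])
    return result


# Constructed stand-ins (assumed addresses, not real resolvers).
def fake_hijacking_resolver(name: str) -> Optional[List[str]]:
    """Answers every non-existent name with the ISP's search portal."""
    return ["198.51.100.10"]


def fake_honest_resolver(name: str) -> Optional[List[str]]:
    """Returns NXDOMAIN for everything, as a compliant resolver would."""
    return None


if __name__ == "__main__":
    # Against the live resolver: needs network, and 'hijacked' is what to look for.
    print(detect_nxdomain_hijack(system_resolver))
```

If the live run reports `hijacked`, the `sinkhole` address is the one to compare against the opt-out documentation the answers mention; pointing the stub resolver at a different recursive server is the fix that stays within your own control.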
I have been reading up on session fixing/hijacking recently, and understand the theory.
What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the ...
Started by Joshxtothe4, 5 posts by 5 people.
Answer Snippets (Read the full thread at stackoverflow):
The internet isn't a magical black box that can only be utilized by browsers.
As mentioned by Klaus, you can do hijacking works.
/Klaus
Forging a cookie is trivial.
Thus hijacking your session.
Lately I have seen this in my error log (1 per day, and I have 40k visitors per day):
[22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'...
Started by Toto, 4 posts by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
If you want to reproduce.
I can't see how anyone would use an invalid session id for session hijacking.
I'm interested in using API spying/hijacking to implement some core features of a project I'm working on. It's been mentioned in this question as well, but that wasn't really on topic so I figured it'd be better with a question of its own for this.,
I...
Started by slicedlime, 4 posts by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
I implemented syringe.dll (L-GPL) instead of MS Detours (we did not like the license requirements or the huge payment for x64 support). It works fantastically well; I ported it from Win32 to Win64, and we have been using it in our off-the-shelf commercial applications... .
Hi all,
This problem is regarding a JS hijacking scenario, and here it is :
Say Mr. Good has a website called "iamtooinnocent.com" which loads a "x.js" file to perform some particular tasks, and Mr. Bad is an evil cyber cafe owner, who has set a redirect...
Started by Arnab, 5 posts by 5 people.
Answer Snippets (Read the full thread at stackoverflow):
And the certificate itself is verified by third party certificate authorities... .
So it's not possible to change it.
It encrypts all traffic using the public certificate of your site.
HTTPS is the standard for fighting man-in-the-middle attacks like the one you've described.
I am developing with an ASP.NET application that uses Windows Authentication. I have setup the web.config file to deny all unauthenticated users, and only allow users from a certain role.
Using Fiddler, I am able to fuzz my session ID, replay a request...
Started by John Rasch, 3 posts by 3 people.
Answer Snippets (Read the full thread at serverfault):
To speak directly to TCP hijacking (TCP sequencing, etc): To hijack a TCP connection....
You're either seeing the result of a transparent authentication or your application isn't actually requiring authentication.
Not seeing TCP hijacking.
Certain malware such as AVG hijack 404 pages in order to display a page in the browser riddled with their own ads. The only work around I've found is to abandon 404 http status codes for custom error pages in my webapp.
Is there any other work around?...
Started by EoghanM, 4 posts by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
Aside from abandoning the 404 code I doubt there is much you can do, as the client is free to do whatever it wants with... .
When you describe AVG as "malware", are you referring to the antivirus software?
I do not think malware means what you think it means.
Specifically this is regarding when using a client session cookie to identify a session on the server.
Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able...
Started by Adam, 5 posts by 5 people.
Answer Snippets (Read the full thread at stackoverflow):
Checking referer headers can also be an option, but those are more easily spoofed... .
That way an attacker has to be within the same private network to be able to use the session.
To reduce the risk you can also associate the originating IP with the session.
I guess everything is possible but I am wondering how easy is it for someone to hijack a connection string with a network packet analyzer or equivalent tool.
A winforms application fetches data directly from an MSSQL server. (Supposing there are no webservices...
Started by strakastroukas, 3 posts by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
And yes, it slows things down slightly.....
Note that the SQL Native Client may often perform a non-SSL based encryption (depending on lots of factors), but yes, it can also be encrypted with SSL; see technet.
If it isn't encrypted, it can be read, yes.
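Whether the TDS stream between the WinForms client and SQL Server is readable on the wire is decided by the connection string, so an added example (not from the thread) that audits one for the relevant settings: `Encrypt` must be on, and `TrustServerCertificate` must be off, otherwise the client accepts any certificate and an on-path attacker who terminates TLS reads the traffic anyway. The key names follow the SqlClient/ODBC conventions; the parser assumes plain `key=value;` pairs without braces or quoting, and the two sample strings are constructed.

```python
"""Audit a SQL Server connection string for settings that expose the TDS stream.

Added example, not code from the thread. Keys are SqlClient / ODBC names
(Encrypt, TrustServerCertificate, Password/Pwd); the samples are constructed.
"""
from typing import Dict, List

# Values SqlClient accepts for on/off; "mandatory"/"optional"/"strict" are the
# newer Microsoft.Data.SqlClient spellings of Encrypt.
TRUE_VALUES = {"true", "yes", "1", "mandatory", "strict"}


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.

    Assumption: no braces or quotes around values (ODBC allows them).
    """
    params: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue                      # empty trailing segment or junk
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def audit_connection_string(cs: str) -> List[str]:
    """Return a list of findings; an empty list means nothing obvious to fix."""
    p = parse_connection_string(cs)
    findings: List[str] = []

    if p.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append(
            "Encrypt not enabled: unless the server forces encryption, the TDS "
            "stream (queries and result sets) is sent in clear and a packet "
            "analyzer reads it")
    if p.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append(
            "TrustServerCertificate=True: the server certificate is not "
            "validated, so an on-path attacker presenting their own certificate "
            "still decrypts the session")
    if "password" in p or "pwd" in p:
        findings.append(
            "SQL credentials embedded in the connection string: anyone who can "
            "read the client's config or memory has a working login; prefer "
            "Integrated Security")
    return findings


# Constructed samples: the weak string beside the corrected one.
WEAK = "Server=db01;Database=Sales;User Id=app;Password=s3cret;"
HARDENED = ("Server=db01;Database=Sales;Integrated Security=SSPI;"
            "Encrypt=True;TrustServerCertificate=False;")

if __name__ == "__main__":
    for label, cs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_connection_string(cs) or ["ok"])
```

`Encrypt=True` with `TrustServerCertificate=False` only works if the server presents a certificate the client trusts; the tempting "fix" of flipping `TrustServerCertificate` to true is what the second finding is there to catch.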
I'm using ASP.NET MVC (v1.0) on an app and want to integrate simple client-side form validation. IE: Numeric-Only fields, required fields, etc.
Is there good, and potentially eye-candy fancy, method of validating in jQuery on the client that will cancel...
Started by Boydski, 4 posts by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
Have you checked that you're not having javascript errors that are causing no javascript to run and thus not preventing the default submission mechanism from going through? I ran into... .
I can report that I use the validation plugin and it works as advertised.