Web Mail Referrers

I’ve been watching referrers to some web sites recently... Well, I encountered an old-new issue (old because it’s old, new because people are still silly and we can call everything new in this industry).

When following URLs from web-mail systems with a sufficient lack of security, I can access user accounts.

Gmail seems to not allow this... Others demand I log in. When I checked some Yahoo! referrers, though...
“Your login session has expired.”

I wonder if I should spend some extra time and follow the next Yahoo! Mail referrer in real time? :)

Come on, people: static URLs for logged-in users?
Time-based authentication as the main line of defense?

According to a friend of mine:
“session_id won’t be valid. The error is generic. Won’t work.”

I suppose XSS is not the only problem some of these services face. Funny thing is, I saw an example of this happening at a big domain registrar last week, with a static access URL to the domain management system.
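The leak described above (a session identifier carried in a static URL, handed to every third-party site the user clicks through to via the Referer header) can be both spotted and stopped on the receiving and sending sides. The following is an added example, not Gadi’s code and not tied to any named provider: the first function scans access-log lines in Combined Log Format for Referer values that carry a session-looking query parameter, which is what a site owner watching referrers would see from a leaking webmail or registrar; the second computes the Referer a browser sends under each Referrer-Policy value, showing that the old default forwards the full URL, query string included, to any cross-site link target, while a restrictive policy leaves only the origin. The parameter-name list and the log lines are constructed assumptions.

```python
"""Detect session identifiers leaking through HTTP Referer headers, and show
what Referrer-Policy does about it. Added example; sample data is constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry a session or auth token in a URL.
# Assumed for illustration; the post names no specific parameter.
SENSITIVE_PARAMS = {"session_id", "sessionid", "sessid", "sid", "token", "auth"}

# Combined Log Format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2008:12:00:01 +0000] "GET /article/42 HTTP/1.1" 200 5120 '
    '"https://webmail.example.test/read?folder=inbox&session_id=a1b2c3d4e5f6" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Jan/2008:12:00:02 +0000] "GET /article/42 HTTP/1.1" 200 5120 '
    '"https://www.example.test/search?q=referrers" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2008:12:00:03 +0000] "GET /article/43 HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2008:12:00:04 +0000] "GET /article/43 HTTP/1.1" 200 4096 '
    '"https://registrar.example.test/manage?domain=example.test&token=zz99yy88" "Mozilla/5.0"',
]


def mask(value: str) -> str:
    """Keep only a short prefix of a secret so the report does not re-leak it."""
    return value[:4] + "..." if len(value) > 4 else "***"


def sensitive_params(url: str) -> dict:
    """Return {param: masked_value} for sensitive query parameters found in a URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: mask(v[0]) for k, v in query.items() if k.lower() in SENSITIVE_PARAMS}


def find_referrer_leaks(log_lines):
    """Scan access-log lines and report requests whose Referer carried a session parameter.

    Each finding records the visitor, the page on our site they landed on, the host
    that leaked the token (the webmail or registrar origin), and the masked parameters.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue
        leaked = sensitive_params(m["referer"])
        if leaked:
            findings.append({
                "client": m["ip"],
                "our_path": m["path"],
                "leaking_host": urlsplit(m["referer"]).hostname,
                "params": leaked,
            })
    return findings


def referer_sent(policy: str, page_url: str, target_url: str) -> str:
    """Referer a browser sends when page_url links to target_url under the given policy.

    Implements the subset of Referrer-Policy that matters here: whether the full URL,
    query string included, ever leaves the origin. Returns "" when nothing is sent.
    """
    page, target = urlsplit(page_url), urlsplit(target_url)
    origin = f"{page.scheme}://{page.netloc}/"
    full = page._replace(fragment="").geturl()  # browsers never send the fragment
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return ""
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return "" if downgrade else origin
    if policy == "no-referrer-when-downgrade":  # the old default: full URL leaks cross-site
        return "" if downgrade else full
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    for f in find_referrer_leaks(SAMPLE_LOG):
        print(f"{f['leaking_host']} leaked {f['params']} to {f['our_path']} (client {f['client']})")
```

Running the scanner over your own logs is the defender’s view of the same observation the post makes; a hit means the referring service, not you, is putting the session in the URL. On the sending side the real fix is to keep the session in an HttpOnly cookie rather than the URL at all, with a `Referrer-Policy` header (or `<meta name="referrer">`) as defense in depth, since the policy only controls what the browser forwards, not what the URL contains.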

Gadi Evron,
ge@beyondsecurity.com.


2 Comments:

  1. I’ve been working for several months on that issue; even if it’s an old problem, it still works on major ISP webmail around the globe.
    It’s almost the same issue: a few lines of code inserted in a forum or even blogs, grabbing referrers and cookies ;-)

    I’ll publish a paper within the next weeks on the topic.

  2. Cool, let us know... we can post about it here! :)
