Session Management Vulnerabilities

URL-embedded Session ID

Overview: Sessions can be embedded in URIs. PHP, Java, ASP.NET and others support this.

http://example.jp/mail/123?SESSIONID=XXXXXXX

Issues: Session IDs leak externally via the Referer header. (What is the Referer header?) The Referer header lets servers identify where visitors came from, and is used for analytics, logging, and cache optimization.

Countermeasures: Prohibit URL-embedded sessions altogether.

Attack Methods and Impact

Attack flow: Start page (transitions to another page) ...

2019/07/16 · joj0hq

[Beginner Must-Read] HTTP Basics - Technology Supporting the Web Explained in 5 Minutes

HTTP Basics

What is HTTP? You probably only know it as the prefix of URLs like http://…..com, right? If we look up HTTP on Wikipedia: Hypertext Transfer Protocol (HTTP) is a communication protocol used for sending and receiving content such as HTML. It is mainly used for transfer between web browsers and web servers on the World Wide Web. In Japanese standard specifications, it is also called hypertext transfer protocol. ...

2019/07/15 · joj0hq