by 8organicbits on 1/6/2024, 8:30:42 PM
I think I follow the proposal, but I have a few questions.
It sounds like you enter your email and then you'd get an email with the session key. You mention copy/paste, why not use a URL with the key embedded (typically after a # as this part stays on the client)?
I think you'll need to send Javascript down to the client to perform the encryption. That code needs access to the session key. Unfortunately, if the SSL session is invalid (like a MITM attack using a self-signed cert) then the attacker can inject their own Javascript to steal your session key.
Is the session key stored in local storage? Is anything protecting it there? I think, similar to a JWT, it can be stolen.
This is unfortunately a hard problem you're trying to solve.
by vitalipom on 1/13/2024, 7:58:43 PM
I will make a demo hijecking myself account and how do I do it and show with example yo you guys how all of us are vulnerable.
I have developed a solution that overcomes the risks of hijecking sessions using for example broken SSL or stealing JWT token by encrypting a line in every request differently using session key that is copied and pasted once on every browser which send via the Email.
Does anyone here need such thing? I want to offer it to newbies who hesitate from the cloud bills, using my own cloud and small could fee. I don’t have a prototype yet but considering to make one. Are you guys with me? Do you want one?