I am currently working with Nessus Automation using the API. I prefer to use CURL for the requirement. I see that every time I get data from Nessus, I need to use a token (session id). If I send this token with the GET method, won't it lead to session hijacking? What could be the solution to avoid such a problem and have proper security?

https://cloud.tenable.com/api

tech_enthusiast
  • _“If I send this token with GET method, won't it lead to Session hijacking?”_ - depends; who do you expect to be able to listen to the request between your server and the API …? Assuming HTTPS is used and you don’t deliberately circumvent that, the risk is minimal to non-existent. – CBroe Feb 05 '18 at 08:40
  • Thanks @CBroe for the answer. My request looks like this: `curl -s -k -X GET -H "x-cookie: token=23djj229d9fe9" -d '' https://cloud.tenable.com/scans/xxx` I send this request from my local PC terminal (using the API) to the Tenable cloud website. How about such a situation? – tech_enthusiast Feb 05 '18 at 08:46
  • What about it? Again, who do you expect to be able to listen to the request between your server and the API …? – CBroe Feb 05 '18 at 08:49
  • @CBroe if someone gets this session id by sniffing the packet, don't you think that is a problem? – tech_enthusiast Feb 05 '18 at 08:51
  • And who’s able to easily do that, when HTTPS is used properly? – CBroe Feb 05 '18 at 08:52
  • @JModi: drop the `-k` from the cmdline, that makes your connection insecure. (also, drop the `-X GET`, but for sanity reasons) – Daniel Stenberg Feb 05 '18 at 13:00
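The comments boil down to three practical points: keep HTTPS with certificate verification on (no `-k`), don't force `-X GET`, and send the session id in the `X-Cookie` header the question already uses. The script below is an added example, not code from the question, from Tenable, or from curl's documentation. It wraps those points in a small POSIX sh function and additionally keeps the token out of the process list by writing the header to a mode-0600 curl config file rather than passing it with `-H` on the command line. The environment variable names `NESSUS_TOKEN`, `NESSUS_URL` and `NESSUS_CA_BUNDLE` are assumptions of this example, as is the helper name `nessus_get`.

```shell
#!/bin/sh
# Added example (not from the question or Tenable): GET from the Tenable/Nessus
# REST API with a session token in the X-Cookie header, without -k, and with
# the token kept off the command line.
# Assumptions (not from the page): the token is in NESSUS_TOKEN, the base URL
# in NESSUS_URL (default https://cloud.tenable.com), and an optional CA bundle
# path in NESSUS_CA_BUNDLE for pinning the trust root.
set -eu

# Refuse anything that is not an https:// URL. curl's --proto =https below
# enforces the same rule on redirects too, but failing early is clearer.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Write the session header into a 0600 curl config file. A token passed with
# -H "X-Cookie: token=..." is visible to every local user via ps; a file is not.
write_curl_config() {
    token="$1"
    # umask runs in the $( ) subshell, so it does not leak to the caller.
    cfg=$(umask 077 && mktemp)
    printf 'header = "X-Cookie: token=%s"\n' "$token" > "$cfg"
    printf 'header = "Accept: application/json"\n' >> "$cfg"
    echo "$cfg"
}

# GET one API path. No -k: certificate verification stays on. No -X GET: curl
# already uses GET when there is no request body. --fail turns HTTP errors
# (e.g. an expired token's 401) into a non-zero exit for the caller.
nessus_get() {
    path="$1"
    base="${NESSUS_URL:-https://cloud.tenable.com}"
    require_https "$base"
    cfg=$(write_curl_config "${NESSUS_TOKEN:?set NESSUS_TOKEN first}")
    trap 'rm -f "$cfg"' EXIT
    set -- --silent --show-error --fail --proto '=https' --config "$cfg"
    if [ -n "${NESSUS_CA_BUNDLE:-}" ]; then
        # Pin to an explicit CA bundle instead of disabling verification.
        set -- "$@" --cacert "$NESSUS_CA_BUNDLE"
    fi
    curl "$@" "${base}${path}"
}

# Only perform a network request when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    nessus_get "$1"
fi
```

Usage would be `NESSUS_TOKEN='<session id from /session>' sh nessus_get.sh /scans/xxx`, with the path taken from the question. The config file is deleted on exit, so the token never sits in shell history, `ps` output, or a leftover file; the transport question raised in the comments is answered by leaving verification on and letting `--proto =https` reject any downgrade to plain HTTP.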

0 Answers