Download this PDF to see the latest tips and tricks on how to secure your website and web applications against session management vulnerabilities. Information was presented at the OWASP 2010 USA National Conference in Irvine, CA on September 10, 2010.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Session (and related) attacks are a key attack surface for HTTP web applications
Most common session / state mechanism for HTTP:
Unique session tokens in the form of HTTP cookies or URL parameters
HTTP authentication (basic, digest, NTLM) can be used for session management – but very rare usage
Applications can also use sessionless state mechanisms (like ASP.NET's ViewState), essentially keeping all state on the client
Tip: If you use ViewSate, make sure you enable hash via EnableViewStateMac="true" Caution: ViewSate hash prevents state tampering, but
hackers can still decode and view state information!
OWASP
Session Management SecuritySession Tokens / Cookies
Session tokens often composed of: User info, account info, date/timestamp, email address, client IP address, etc.
Session tokens can also be based on concealed sequences, time dependencies, random number generation, etc.
Session tokens are often encoded: E.g. using Base64, XOR, hexadecimal representation using ASCII characters, etc.
Disclosure of tokens on the network: Network traffic eavesdropping
Use HTTPS for all content, incl. static content, help pages, pre-login-pages, images, etc.
OWASP
Session Management SecuritySession Tokens / Cookies – contd.
Enable HTTPOnly & Secure cookie flags to disallow cookie access from JavaScript and force cookie transmission only via HTTPS, respectively
URL based session tokens can get revealed via various HTTP logs (e.g. Google for inurl:jsessionid). Note that the referrer/referrer header can contain session tokens
Hackers will try to capture your token by making you visit a site on a server they control (via referer header)
Ineffective or non-existing session termination/logout functionality (e.g. only deleting client-side cookie, but no session expiration on server) leaves session tokens vulnerable for exploitation
OWASP
The Bottom Line…
There a wide variety of different HTTP session management mechanisms due to the lack of strong native support.
Always remember: Not all of them are equally secure! The strongest authentication mechanism won't help if the
session management mechanism is vulnerable!
OWASP
Often use a combination of commercial scanners, basic tools (proxies, fuzzers, spiders, decoders, etc.) and manual testing and analysis Comprehensive solutions / scanners: Cenzic Hailstorm Basic tools: Burp Suite, Paros, WebScarab, Tamper Data
Attempt to map and analyze the application and identify the authentication & session management mechanisms (e.g. session tokens, login/logout pages, etc.)
Try to observe / analyze any encodings and obfuscations of session tokens in order to manipulate them
Assessment Techniques
There are a wide variety of different assessment techniques for session management vulnerabilities.
Assessment techniques:
OWASP
Often require one or more user accounts to compare behavior of the application before and after login (public vs. private pages) and between users with different access privileges
Test whether users can be fooled into using attacker supplied session tokens (session fixation)
Try to explore any related attack vectors, like XSS, CSRF, etc.
Also examine various other attack vectors, like: Token predictability, cookie scope (domain / path), insecure token transmission, log disclosures, insufficient session termination, etc.
Assessment Techniques – Contd.
Assessment techniques:
OWASP
There are various session management related attack vectors, as well as some more loosely related ones, such as:
functionality, etc. Authentication Bypass (SQL Injection), Authorization
Boundary Vulnerabilities, Privilege Escalation HTTPS/SSL Bypass Vulnerabilities (access with HTTP) XSS / CSRF And more…
Related Attack Vectors
OWASP
Related Attack VectorsCross-Site Request Forgery (CSRF)
What is it?: Basic Web Application session management behavior is exploited to make legitimate user requests without the user’s knowledge or consent.
Root Cause: Basic session id management that is vulnerable to exploitation (e.g. cookie-based).
Impact: Attackers can make legitimate Web requests from the victim’s browser without the victim’s knowledge or consent, allowing legitimate transactions in the user’s name. This can results in a broad variety of possible exploits.
Solution: Enhance session management by using non-predictable “nonce” or other unique one-time tokens in addition to common session identifiers, as well as the validation of HTTP Referrer headers.
OWASPSANS Las Vegas June 2008 19
OWASPSANS Las Vegas June 2008 20
Be careful what you browse while you’re still logged into a sensitive application!
OWASPSANS Las Vegas June 2008 21
OWASP
CSRF Example Code
<body>Welcome to hackerbank.com. It's been a pleasure doing business for you!<iframe id="hidden_iframe" width=0 height=0 scrolling=no
The browser sends session cookie along with the form data
OWASP
OWASP
Use strong tokens with strong randomness
Only ever transfer tokens back to the server using HTTPS (don't forget about static content, help pages, images, pre-login pages, etc.)
Never use URL based session tokens, as that enables very easy session fixation attacks. If you have to (cookies disabled), use POSTs with hidden fields
Use HTTPOnly & Secure cookie flags
Implement strong logout functionality (with invalidation of session tokens & deletion of session & state on server)
Implement session expiration with same results as strong logout (after e.g. 5 or 10 minutes)
Session Management Best Practices
OWASP
Consider implementing “per-page” tokens (also helps with CSRF)
Ideally do not allow concurrent logins
Terminate sessions when attacks are detected
(Temporarily) disable accounts after too many wrong session tokens / attacks (too slow down & frustrate hackers)
Log session related information on the server and audit logs regularly