Upload
osborn-morgan
View
222
Download
5
Tags:
Embed Size (px)
Citation preview
Ch. 7 -Attacking Session Management
Latasha A. GibbsCSCE 813 – Internet Security, Fall 2012College of Engineering and Computing
University of South Carolina
Adapted from The Web Application Hacker’s Handbook 2nd
Edition by
Dafydd Stuttard and Marcus Pinto
1
OVERVIEW
• The Need• Weaknesses of Token Generation• Weaknesses of Session Token
Handling• Securing Session Management• Summary
2
THE NEED
• Reminder: HTTP Protocol is stateless
• Majority of web “sites” are actually web applications
• The session management mechanism is a fundamental security component in most web applications
3
TRUE OR FALSE?
If we use smartcards for authentication, a user’s session cannot be compromised without
them?
4
SESSION MANAGEMENT VULNERABILITIES
• HTTPOnly Flag Not Set• Secure Flag Not Set• Session Porting Permitted• Persistent Cookie• Cookieless Sessions in Use• Session Token Content Weaknesses• Session Token Not Regenerated on Login• Cookie Domain and Path not Restricted
JUST A FEW
VULNERABILITIES!
5
WHAT HAPPENS IF THE ATTACKER SUCCEEDS?
1. Attacker can bypass authentication2. Attacker can masquerade as a
legitimate user3. Attacker can compromise an
administrative user or own the entire application
The list goes on…6
OVERVIEW
• The Need• Weaknesses of Token Generation• Weaknesses of Session Token
Handling• Securing Session Management• Summary
7
WEAKNESSES IN TOKEN GENERATION
• Meaningful Tokens• Predictable Tokens• Concealed Sequences• Weak Random Number
Generation
8
MEANINGFUL TOKENS
• Tokens containing account username, first or last names, date/time stamp, client IP, etc.
• Attackers can use a hexadecimal decoder to reveal the session token easily
• Examples of online decoders include: www.string-functions.com or www.converstring.com
757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3131
User=daf;app=admin;date=10/09/119
WEAK RANDOM NUMBER GENERATION
• Predictable pseudorandom generator used
• After a visual inspection, a more rigorous approach to test the quality of randomness is necessary
• Burp Sequencer is a tool that will test randomness of web application tokens
• Obtaining a sample size of 20,000 tokens, will achieve compliance with FIPS test for randomness
10
OVERVIEW
• The Need• Weaknesses of Token Generation• Weaknesses of Session Token
Handling• Securing Session Management• Summary
11
WEAKNESSES IN TOKEN HANDLING
Disclosure of tokens on network
• Occurs when tokens are transmitted in an unencrypted form
• For example, a site that uses HTTPS to protect login, but reverts to HTTP for the remainder of the user session
Disclosure of Tokens in System Logs
• An application may use the URL query string as a mechanism for transmitting tokens
• For example, google search inurl:jsessionid will produce a list of applications that transmit the Java platform session token
12
DO’S & DON’TS
• Tokens should only be transmitted over HTTPS• Tokens should never be transmitted in the URL• Visibility of session token for administrative or
diagnostic purposes should be limited• Logout functionality should be implemented• Session expiration should be implemented• Concurrent logins should be prevented• Restrict domain and path scope of application
should be restricted as much as possible
13
COMMON MYTHS
• “Our token is secure from disclosure to 3rd-parties because we use SSL.”
• “Our token is generated by the platform using cryptographically sound technologies.”
14
OVERVIEW
• The Need• Weaknesses of Token Generation• Weaknesses of Session Token
Handling• Securing Session Management• Summary
15
HOW CAN WE ENSURE SECURE SESSIONS?
16
SECURING SESSION MANAGEMENT
• Appears simple...as generating strong tokens and providing token protection throughout life cycle
• But…requires developers to have an in-depth understanding of protocols, algorithms, and black-hat community attacks
17
OVERVIEW
• The Need• Weaknesses of Token Generation• Weaknesses of Session Token
Handling• Securing Session Management• Summary
18
SUMMARY
• Web Applications with Broken Session Management = Keys to the Kingdom
• Possible avenues of attack are endless
• Secure session management is necessary to protect web applications
19
FURTHER READING
• OWASP-Session Management Cheat Sheethttps://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• Paper on Secure Session Management with Cookies
http://www.isecpartners.com/files/web-session-management.pdf
• Paper on Web Session Managementhttp://www.technicalinfo.net/papers/
WebBasedSessionManagement.html
• Session Management for Clustered Applications
http://www.oracle.com/technetwork/articles/entarch/session-management-092739.html
20
Thanks and have a lovely evening…
QUESTIONS?
21