Chapter 7 Attacking Session Management
Juliette Lessing

Session management
• Enables the application to uniquely identify a given user across a number of different requests.
• Prime target for malicious attacks against the application.
• Commonly encountered defects.

Two types of weaknesses
• Weaknesses in session token generation
• Weaknesses in the handling of session tokens throughout their lifecycle

Weaknesses in Session Token Generation
Meaningful tokens (1)
• Created using a transformation of the user's user name or other information associated with them.
But actually:

Meaningful tokens (2)
• Exhibit some structure that allows an attacker to understand their function and means of generation.
• Components:
  • User name
  • E-mail address
  • Client's IP address

Meaningful tokens (3)
Hack steps:
• Obtain a single token from the application and modify it to determine its validity. Change the token's value one byte at a time and check whether the application still accepts it. If some portions are not required to be correct, exclude them.
• Log in as several different users at different times and record the tokens received from the server.
• Analyze the tokens for any correlations that appear to be related to the user name and other user-controllable data.
• Analyze the tokens for any detectable encoding or obfuscation.
• If any meaning can be reverse engineered from the sample of session tokens, guess the tokens, find a page of the application that is session-dependent, and make large numbers of requests to this page using the guessed tokens. Monitor the results for any cases where the page is loaded correctly, indicating a valid session token.

Weaknesses in Session Token Generation
Predictable tokens (1)
• Contain sequences or patterns
• Arise from three different sources:
  1. Concealed sequences
  2. Time dependency
  3. Weak random number generation

Predictable tokens (2)
1. Concealed sequences

Predictable tokens (2)
2. Time dependency
Attack:
• Start polling the server to obtain new session tokens in quick succession.
• Monitor the increments in the first number. If it increases by more than one, a token has been issued to another user.
• We know the upper and lower bounds of the second number that was issued to them, so a brute-force attack can be used to successfully access a protected page.
• Running this scripted attack continuously will enable us to capture the session token of every other application user.
• When an administrative user logs in, we will fully compromise the entire application.

Predictable tokens (3)
3. Weak random number generation
• This algorithm takes the last number generated, multiplies it by one constant, and adds another constant to obtain the next number. The number is truncated to 48 bits, and the algorithm shifts the result to return the specific number of bits requested by the caller.

Weaknesses in Session Token Handling
Disclosure of tokens on the network (1)
Weaknesses occur when:
• Some applications elect to use HTTPS to protect the user's credentials during login but then revert to HTTP for the remainder of the user's session.
• Some applications use HTTP for preauthenticated areas of the site, such as the site's front page, but switch to HTTPS from the login page onwards.

Disclosure of tokens on the network (2)
Hack steps:
• Walk through the application in the normal way and identify login functions and transitions between HTTP and HTTPS communications.
• Are HTTP cookies used as the transmission mechanism? Verify whether the secure flag is set.
• Determine whether session tokens are ever transmitted over an unencrypted connection. If so, regard them as vulnerable to interception.
• Verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user's authenticated session.
• Verify whether the server is listening on port 80. If so, visit any HTTP URL directly from within an authenticated session and verify whether the session token is transmitted.
• In cases where a token for an authenticated session is transmitted to the server over HTTP, verify whether that token continues to be valid or is immediately terminated by the server.

Weaknesses in Session Token Handling
Disclosure of tokens in logs
• Causes of session tokens appearing in system logs

Weaknesses in Session Token Handling
Vulnerable session termination (1)
• Some applications do not provide effective logout functionality:
  • A logout function is not implemented.
  • The logout function does not actually cause the server to invalidate the session.
  • When a user clicks Logout, this fact is not communicated to the server at all, so the server performs no action whatsoever.

Vulnerable session termination (2)
Hack steps:
• Investigate whether session expiration is implemented on the server side.
• Determine whether a logout function exists and is prominently made available to users. If not, users are more vulnerable because they have no means of causing the application to invalidate their session.
• Where a logout function is provided, test its effectiveness. After logging out, attempt to reuse the old token and determine whether it is still valid. If so, users remain vulnerable to some session hijacking attacks even after they have "logged out."

Weaknesses in Session Token Handling
Client Exposure to Token Hijacking
Hack steps (1):
• Identify any cross-site scripting vulnerabilities within the application and determine whether these can be exploited to capture the session tokens of other users.
• If the application issues session tokens to unauthenticated users, obtain a token and perform a login.
Hack steps (2):
• Check whether the application is willing to return to the login page even though you are already authenticated; submit another login as a different user using the same token. If it does not issue a fresh token, it is vulnerable to session fixation.
• Identify the format of session tokens used by the application. Modify your token to an invented value that is validly formed, and attempt to log in. If the application allows you to create an authenticated session using an invented token, it is vulnerable to session fixation.

Securing Session Management
In order to perform session management in a secure manner:
1. Generate strong tokens
2. Protect tokens throughout their lifecycle
  • Tokens should only ever be transmitted over HTTPS.
  • Tokens should never be transmitted in the URL.
  • Logout functionality should be implemented.
  • Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
  • Etc.

Securing Session Management
Per-page Tokens
• A new token is issued every time the user requests an application page.
• Prevents session fixation attacks.
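The "weak random number generation" slide describes a 48-bit linear congruential generator. The Python below is an added example, not part of the slides, that models that generator (assuming the slide describes java.util.Random, whose multiplier and addend are used here) and sets its fully reproducible output next to a token drawn from the OS CSPRNG, which is what "generate strong tokens" calls for:

```python
# Added example (not from the slides): the "weak random number generation"
# case described above. A linear congruential generator keeps 48 bits of
# state, multiplies by one constant, adds another, truncates to 48 bits and
# returns the top `bits` bits. The constants are java.util.Random's
# (assumption: the slide describes that generator).
import secrets

MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB
MASK48 = (1 << 48) - 1


class Lcg48:
    """Minimal model of the 48-bit LCG described on the slide."""

    def __init__(self, seed: int) -> None:
        # java.util.Random scrambles the seed with the multiplier first.
        self.state = (seed ^ MULTIPLIER) & MASK48

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULTIPLIER + ADDEND) & MASK48
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        """Signed 32-bit result, as Java's nextInt() returns it."""
        value = self.next_bits(32)
        return value - (1 << 32) if value >= (1 << 31) else value

    def weak_token(self) -> str:
        """A 'session token' built from two LCG outputs (weak by design)."""
        return f"{self.next_bits(32):08x}{self.next_bits(32):08x}"


def lcg_is_reproducible(seed: int, count: int = 5) -> bool:
    """Two generators with the same 48-bit state emit identical tokens, so
    anyone who learns the state knows every future token."""
    a, b = Lcg48(seed), Lcg48(seed)
    return all(a.weak_token() == b.weak_token() for _ in range(count))


def strong_token() -> str:
    """What "generate strong tokens" means: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    gen = Lcg48(0)
    print("first nextInt() for seed 0:", gen.next_int())  # -1155484576
    print("weak tokens repeat for the same state:", lcg_is_reproducible(0))
    print("strong token:", strong_token())
```

The whole future of the weak generator is fixed by 48 bits of state, whereas two calls to `strong_token()` share nothing.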
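The "Securing Session Management" slides list the lifecycle protections (fresh token on login, server-side logout, inactivity expiry, HTTPS-only cookies) that the session fixation and vulnerable termination hack steps test for. The following Python is an added example, not code from the slides; the class and method names (`SessionStore`, `create`, `login`, `touch`, `logout`, `set_cookie_header`) are this example's own, and the clock is injectable only so expiry can be exercised without waiting:

```python
# Added example (not from the slides): a minimal server-side session store
# covering the "Securing Session Management" points: strong tokens, a fresh
# token on login (no session fixation), server-side logout, idle expiry
# and Secure/HttpOnly cookie attributes. Names here are this example's own.
import secrets
import time
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 10 * 60  # seconds of inactivity, as suggested on the slide


class SessionStore:
    def __init__(self, now=time.monotonic) -> None:
        self._now = now  # injectable clock so expiry can be tested
        self._sessions: Dict[str, Tuple[Optional[str], float]] = {}

    def create(self) -> str:
        """Pre-authentication session: 256-bit token from the OS CSPRNG."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (None, self._now())
        return token

    def login(self, old_token: str, user: str) -> str:
        """Rotate the token on login so a token fixed before login never
        becomes an authenticated one (the session fixation case above)."""
        self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._now())
        return token

    def touch(self, token: str) -> Optional[str]:
        """Return the session's user; idle sessions expire server-side and
        unknown or invented tokens are rejected, never adopted."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, self._now())
        return user

    def logout(self, token: str) -> None:
        """Logout must invalidate on the server, not just clear the cookie."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Attributes that keep the token off plain HTTP and away from scripts."""
    return f"Set-Cookie: SESSIONID={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```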