HTTP Session Management and Secure Session Overview

PRESENTATION ON HTTP Session Management and Secure Session Overview. By – Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire


Post on 15-Nov-2014



DESCRIPTION

The presentation gives a brief overview of HTTP session management, the threats to it, and good practices for carrying out sessions.

TRANSCRIPT

Page 1: HTTP session management and secure session overview

PRESENTATION ON HTTP Session Management and Secure Session Overview

By – Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire

Page 2

CONTENTS

Overview of HTTP
Concept of an HTTP session
Session management and its methods
Attacks on session management
Good session management
Overview of SSL, TLS, HTTPS
Conclusion
References

Page 3

WHAT IS HTTP?

Hyper Text Transfer Protocol.
Works at the application layer of the Internet model.
Protocol used for the service known as the World Wide Web (WWW).
Used for transferring web documents from the server to the client.
Uses the well-known port number 80.

Page 4

HOW DOES HTTP WORK?

Interaction between the client and the server: a dialogue between two hosts using the HTTP request and response mechanism. The client initiates every exchange with a request; the server answers it with a response.

Client ---- Request ----> Server
Client <--- Response ---- Server

Page 5

STATELESSNESS OF HTTP

HTTP is termed a stateless protocol: the server does not remember previous requests made by the client.

The advantage of a stateless protocol is that hosts do not need to retain information about users between requests.

But for complex interactions between servers and clients (a login followed by further requests, a shopping cart built up over several pages), the server needs to know the previous history of requests.

Page 6

A HTTP SESSION

Sessions are used to compensate for the stateless nature of HTTP.

A session allows storage of information associated with the client for the duration of the client's visit.

Each session has a unique identification string called the Session ID (SID).

The SID is what makes HTTP stateful: the client presents it on every request, and the server uses it to look up the state it holds for that client.

Page 7

STATELESS SERVER

Page 8

STATEFUL SERVER

Page 9

SESSION MANAGEMENT.

Session management is the technique used by the web developer to make the stateless HTTP protocol support session state.

Thus session management is a mechanism to make a session 'stateful'.

Session information is carried in the form of the SID. The SID is generated as a result of the first request from the end user running a web browser.

Page 10

METHODS FOR SESSION MANAGEMENT

URL rewriting
Hidden form fields
Cookies

Page 11

URL BASED SESSION ID TRACKING

Also called URL rewriting. The session ID is embedded in the URL, so it travels with the HTTP GET request.

Example: http://somesite.com/Admin.php?SessionID=1234567

Caveat: a session ID in the URL is visible in the address bar, in browser history, in proxy and server logs, and in the Referer header sent to any third-party site linked from the page, so of the three methods it is the easiest to leak.

Page 12

HIDDEN POST FIELDS

Session ID information is stored within the fields of a form and submitted to the application.

Makes use of the HTTP POST method. The session ID is embedded within the form as a hidden field and submitted in the body of the POST request.

Page 13

CONTD..

Example: embedded within the HTML of a page

<FORM METHOD="POST" ACTION="/cgi-bin/news.pl">
  <INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
  <INPUT TYPE="hidden" NAME="allowed" VALUE="true">
  <INPUT TYPE="submit" NAME="Read News Article">
</FORM>

Note that a hidden field such as "allowed" in this example is fully client-controlled: the user can edit it before submitting. Authorization decisions must come from the server-side state looked up by sessionid, never from such fields.

Page 14

COOKIES

An HTTP cookie (usually called simply a cookie) is a packet of information sent by a server to a web browser and then sent back by the browser each time it accesses that server.

It was first developed by Netscape to solve the problem of tracking a user across requests.

Cookies find use in areas like:
E-commerce
Customized web portals
Web site registration

Page 15

COOKIE STRUCTURE

A cookie contains the following information:

A name
A value
An expiry date
A path
A domain
A Secure flag (send only over an encrypted connection)

Page 16

SETTING A COOKIE

Syntax for setting a cookie from server-side code (PHP's setcookie function):

setcookie([name string], [value string], [expires UNIX timestamp], [path string], [domain string], [secure boolean])

On the wire this becomes a Set-Cookie response header. Example:

Set-Cookie: sessionID=IE60012219; Path=/; Domain=www.example.com; Expires=Sun, 01 Jun 2003 00:00:00 GMT

Page 17

MORE ON SESSION ID

Session IDs are used to track authenticated users. Hence they should fulfil some criteria so that they cannot be compromised:

Session ID randomness: random, unpredictable, non-reproducible. In practice this means the ID is drawn from a cryptographically secure random number generator, not from a counter, a timestamp or a hash of user data.

Session ID length: long enough to prevent brute-force attacks. Minimum length should be 50 random characters.

Page 18

ATTACKS ON SESSION MANAGEMENT

Attacks focus on retrieving a valid session key.

These attacks are similar to SSN (Social Security Number) theft: stealing the session ID allows a malicious user to assume the permissions of the legitimate user.

Session attacks fall into two major categories:
Session hijacking
Session fixation

Page 19

ATTACKS ON SESSION MANAGEMENT A) SESSION HIJACKING

Hijacking is the process of acquiring a valid session ID after it has been assigned.

Hijacking is carried out in 3 different ways:

Prediction: occurs when a malicious user realizes that a pattern exists between session IDs (for example sequential or time-derived values) and computes a valid one.

Brute force attack: a malicious user repeatedly tries numerous session IDs until a valid one is found.

Interception: occurs when a malicious user is able to capture data on the network (sniffing an unencrypted connection) and read the SID out of it.
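Added example, not part of the slides: it shows the prediction attack from this slide against a hypothetical weak ID generator, and next to it the properties asked for on the "More on session ID" slide (CSPRNG-backed IDs and enough length to defeat brute force). The weak generator, its prefix/counter layout and the guess-count formula are assumptions for illustration.

```python
import math
import secrets
import time


class WeakSessionIds:
    """Hypothetical weak generator: a server start-up timestamp followed by an
    incrementing counter. Every ID shares the prefix and the suffix is
    sequential, which is exactly the pattern a 'prediction' attacker looks for."""

    def __init__(self, start: int = 1000):
        self.prefix = f"{int(time.time()):08x}"  # fixed once per server start
        self.counter = start

    def next_id(self) -> str:
        self.counter += 1
        return f"{self.prefix}{self.counter:06d}"


def predict_next(observed: str) -> str:
    """Attacker's side: given one ID the server handed out (e.g. the attacker's
    own session), compute the ID that will be issued to the next visitor."""
    prefix, counter = observed[:-6], int(observed[-6:])
    return f"{prefix}{counter + 1:06d}"


def strong_session_id(nbytes: int = 32) -> str:
    """Server side done right: nbytes from the OS CSPRNG, base64url-encoded.
    32 bytes gives 256 bits of entropy; no pattern links successive IDs."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of an ID of `length` characters drawn uniformly from an alphabet
    of `alphabet_size` symbols. The slide's '50 random characters' from a
    62-symbol alphanumeric alphabet works out to about 298 bits."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float, live_sessions: int) -> float:
    """Expected number of blind guesses before a brute-force attacker hits any
    one of `live_sessions` valid IDs: half the keyspace divided by the number
    of live targets (assumed model: uniform IDs, attacker guesses uniformly)."""
    return (2.0 ** bits) / (2 * live_sessions)


if __name__ == "__main__":
    weak = WeakSessionIds()
    attacker_sid = weak.next_id()   # attacker logs in and sees their own ID
    victim_sid = weak.next_id()     # the next visitor gets the next counter value
    print("predicted:", predict_next(attacker_sid), "actual:", victim_sid)

    print("strong id:", strong_session_id())
    print("expected guesses, 256-bit IDs, 10k live sessions:",
          f"{expected_guesses(256, 10_000):.3e}")
```

The point of the guess-count formula is that length alone is not the defence: the keyspace has to be filled by a CSPRNG, and the attacker's odds improve linearly with the number of live sessions, so idle sessions should be expired rather than left as extra targets.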

Page 20

SESSION FIXATION

This attack occurs because a malicious user is able to specify the session ID for a user's session.

Permissive web applications will not assign a server-generated session ID if the client already presents one; the application adopts the one the client presents.

To exploit this, the attacker typically creates a link that sets the session identifier to a value they choose, gets the victim to log in with it, and then presents the same identifier to use the victim's authenticated session.
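Added example, not from the slides: a permissive session handler that adopts a client-supplied SID, the fixation attack played against it through the kind of link the slide describes, and a hardened handler that only honours server-issued IDs and regenerates the ID at login. The in-memory session map, the SessionID query parameter name and the attacker's value are constructed for the demo.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Server-side session map for the demo (in memory): session ID -> session state.
SESSIONS: Dict[str, dict] = {}


def new_sid() -> str:
    return secrets.token_urlsafe(32)


def sid_from_request(url: str) -> Optional[str]:
    """Extract the SID the client presents. Here it arrives URL-rewritten, as in
    http://somesite.com/Admin.php?SessionID=...; a cookie or hidden form field
    would be handled the same way once parsed."""
    return parse_qs(urlparse(url).query).get("SessionID", [None])[0]


# ---- permissive (vulnerable) handling -------------------------------------
def permissive_start(presented: Optional[str]) -> str:
    """Adopts whatever ID the client presents and creates state for it."""
    sid = presented or new_sid()
    SESSIONS.setdefault(sid, {"user": None})
    return sid


def permissive_login(sid: str, user: str, password_ok: bool) -> str:
    """Authenticates the existing session in place: same SID before and after."""
    if password_ok:
        SESSIONS[sid]["user"] = user
    return sid


# ---- hardened handling ----------------------------------------------------
def hardened_start(presented: Optional[str]) -> str:
    """Force server-side ID creation: only IDs this server issued are honoured;
    an unknown or absent ID gets a fresh one."""
    if presented in SESSIONS:
        return presented
    sid = new_sid()
    SESSIONS[sid] = {"user": None}
    return sid


def hardened_login(sid: str, user: str, password_ok: bool) -> str:
    """Regenerate the ID at the privilege change: the pre-login session is
    destroyed and a new, server-chosen SID carries the authenticated state."""
    if not password_ok:
        return sid
    SESSIONS.pop(sid, None)
    fresh = new_sid()
    SESSIONS[fresh] = {"user": user}
    return fresh


def whoami(sid: str) -> Optional[str]:
    return SESSIONS.get(sid, {}).get("user")


def run_fixation(start: Callable[[Optional[str]], str],
                 login: Callable[[str, str, bool], str]) -> Tuple[Optional[str], str]:
    """Play the attack against a (start, login) pair. Returns the user the
    attacker sees when reusing the fixed ID, and the ID the victim ended with."""
    SESSIONS.clear()
    fixed = "attacker-chosen-id"                                  # constructed attacker value
    link = f"http://somesite.com/Admin.php?SessionID={fixed}"    # link sent to the victim
    victim_sid = start(sid_from_request(link))                   # victim follows the link
    victim_sid = login(victim_sid, "victim", True)               # ...and logs in
    return whoami(fixed), victim_sid


if __name__ == "__main__":
    print("permissive:", run_fixation(permissive_start, permissive_login))
    print("hardened:  ", run_fixation(hardened_start, hardened_login))
```

Against the permissive pair the attacker's fixed ID is now logged in as the victim; against the hardened pair it maps to nothing, because the victim's authenticated state lives under an ID the server chose after the password check.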

Page 21

ATTACKS ON SESSION MANAGEMENT B) SESSION FIXATION

Page 22

GOOD SESSION MANAGEMENT

Page 23

GOOD SESSION MANAGEMENT MEASURES

Use strong encryption on all transmissions
Store only the session ID on the client side
Perform sanity checks to detect session hijacking
Expire sessions after inactivity
Do not make session IDs viewable
Select a good session identifier
Prevent cross-site scripting (XSS) vulnerabilities
Force server-side session ID creation
Double-check critical operations

Page 24

GOOD SESSION MANAGEMENT MEASURES

Provide secure logout
Securely store the server-side session map
Expire the pages (to prevent caching)
Make the session ID dynamic with hijack attempt detection
Require re-authentication after the maximum login limit
Check the SSL client certificate (if possible)
Verify the domain before accepting cookie-based session IDs
Restrict the cookie path
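Added example, not from the slides: a server-side session store that puts several of the measures on these two slides (and the Set-Cookie header from the "Setting a cookie" slide) into one place: only the SID goes to the client, idle and absolute expiry, a hijack sanity check on client attributes that also kills the session, secure logout, restricted cookie path, and no-cache headers. The timeouts, cookie name, path and fingerprint inputs are assumed values; the injectable clock exists so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime, active or not
COOKIE_NAME = "SID"
COOKIE_PATH = "/account"      # restrict the cookie to the part of the site that needs it


@dataclass
class Session:
    user: str
    client_fp: str             # sha256 of client attributes seen at login
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)   # server-side state; never sent to the client


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of per-client attributes for the hijack sanity check. IP checks break
    for clients behind rotating proxies and User-Agent is easy to copy, so treat
    this as a tripwire, not proof of identity."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    """Server-side session map. The client only ever holds the opaque SID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str, fp: str) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, fp, now, now)
        return sid

    def lookup(self, sid: str, fp: str) -> Optional[Session]:
        """Validate a presented SID. Every failure destroys the session rather than
        just returning None, so a detected hijack attempt also logs the victim out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self.destroy(sid)
            return None
        if not hmac.compare_digest(s.client_fp, fp):   # client changed mid-session
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def destroy(self, sid: str) -> None:
        """Secure logout: forget the session server-side; the cookie alone is then worthless."""
        self._sessions.pop(sid, None)

    def live_count(self) -> int:
        return len(self._sessions)


def session_cookie(sid: str) -> str:
    """Set-Cookie header for a new session: Secure (HTTPS only), HttpOnly (not
    readable by script, limiting theft via XSS), SameSite, and a restricted path."""
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Path={COOKIE_PATH}; "
            f"Max-Age={IDLE_TIMEOUT}; Secure; HttpOnly; SameSite=Strict")


def logout_cookie() -> str:
    """Clear the cookie on logout (Max-Age=0) with the same attributes so the browser matches it."""
    return (f"Set-Cookie: {COOKIE_NAME}=; Path={COOKIE_PATH}; Max-Age=0; "
            "Secure; HttpOnly; SameSite=Strict")


def no_cache_headers() -> List[str]:
    """'Expire the pages': stop browsers and proxies caching authenticated responses."""
    return ["Cache-Control: no-store, no-cache, must-revalidate", "Pragma: no-cache", "Expires: 0"]
```

The cookie Max-Age mirrors the idle timeout only for the browser's convenience; the server-side timestamps are what actually end the session, since a client can keep sending an expired cookie.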

Page 25

BAD EXAMPLES

Browser flaws
Bad session IDs
Predictable session IDs
Unencrypted sessions
Cross-site scripting (XSS) vulnerabilities
Session fixation

Page 26

SSL OVERVIEW

Secure Sockets Layer. Developed by Netscape in 1995.

Provided a mechanism to have a secure transaction on the web.

Makes use of digital certificates, signed by a trusted third-party Certificate Authority (CA), provided to the server.

Consists of 2 sub-protocols for:
SSL connection establishment (the handshake protocol)
Data transmission (the record protocol)

Page 27

SSL CONNECTION ESTABLISHMENT

Page 28

DATA TRANSMISSION USING SSL

Page 29

SHORTCOMINGS OF SSL

SSL commonly negotiates RC4, a stream cipher with known keystream biases, so RC4-protected traffic can be cryptanalysed and compromised.

Slower than plain HTTP, because of the handshake and the per-record encryption.

Possible mismatch between the keys in use and the X.509 certificates that are supposed to vouch for them, if the client does not validate the certificate properly.

Page 30

TLS

Transport Layer Security protocol. Successor of SSL.

Runs on top of a reliable transport (TCP), between the transport layer and the application protocol.

Used with HTTP to form HTTPS to provide secure transactions.

Involves 3 key phases:
1. Peer negotiation for algorithm support (the cipher suite).
2. Key exchange and authentication.
3. Symmetric-cipher encryption and message authentication.

Page 31

HTTPS

HTTP Secure. Used to secure traffic on the WWW.

Combination of HTTP and a cryptographic protocol (generally TLS).

Port number 443 by default.

Application areas:
E-commerce
Asset management

Page 32

CONCLUSIONS

Secure session management is critical to the security of web-based applications.

The importance of secure session management cannot be overstated.

As the trend is towards wireless access to the Internet (WLAN), where traffic is easier to intercept, existing session management techniques need to evolve constantly.

Page 33

REFERENCES

Luke Murphey, Secure Session Management.

Gunter Ollmann, Web Based Session Management.

www.wikipedia.org

Andrew S. Tanenbaum, Computer Networks.
