secure session management

Secure Session Management OWASP Tampa December 10, 2015 December 15, 2015


Page 1: Secure Session Management

Secure Session Management

OWASP Tampa, December 10, 2015

Page 2: Secure Session Management

Why are we talking about sessions?

• In general, when we discuss session management with web applications, if you are able to capture a user's session, you can become that user

• If you can become another user, any controls you put in place no longer matter

• In a captured session, you are executing commands as another user

• Session management is, therefore, very important

Page 3: Secure Session Management

What is a session and why is it necessary?

• A session is a series of interactions between two endpoints that occurs during the span of a connection

• One endpoint requests a connection with another endpoint and, if that endpoint agrees, the endpoints exchange data and commands

• The session begins when a connection is established and ends when the connection is ended

• Since HTTP is a stateless protocol (each request stands on its own, and an application session spans many requests and connections), there needs to be a way of tracking sessions through unique identifiers

Page 4: Secure Session Management

What needs to happen to establish a session?

• Authentication
  – NTLM – challenge-response scheme based on a hash of the user's Windows password; identifies the Windows user to the server
  – Forms-based – generic term, commonly HTTP + HTML/XHTML (a login form posted to the application)
  – Less common
    » Basic – credentials are only Base64 encoded, not encrypted; not secure unless sent over HTTPS
    » Digest – the client sends an MD5 hash computed over the credentials, a server nonce and the request rather than the credentials themselves; nothing is encrypted, MD5 is weak, and it still needs HTTPS

• Some session tracking mechanisms
  – URL rewriting
  – Cookies

• In forms-based authentication, a cookie is used to track the user – e.g. JSESSIONID

Page 5: Secure Session Management

What are some types of HTTP session tracking?

• HTTP – Hypertext Transfer Protocol
  – Foundation for communication on the world wide web
  – Stateless

• URL rewriting
  – A user visits a website and the server responds with a session tracking token
  – The user then sends requests to the web server which contain the session ID in the URL
    » www.somesite.com/index.jsp?jsessionid=abcdefg1234567

• Cookie-based
  – A cookie is a small piece of data set on the client machine so the web server can uniquely identify the requesting party and maintain a session
  – Cookies can have the following attributes:
    » Marked Secure – only sent over HTTPS
    » Marked HttpOnly – not readable by script running in the browser
    » Have a Path set – which URL paths on the site the cookie is sent to (the Domain attribute controls which hosts receive it)
    » Be set to expire (Expires or Max-Age) – without these the cookie lasts only for the browser session

Page 6: Secure Session Management

What are some types of session tracking? (cont.)

• Cookie-based
  – A user visits a website and the server responds with a session tracking token

Page 7: Secure Session Management

Cookies

• Cookies are small pieces of data set on a client machine so the web server can uniquely identify the requesting party and maintain a session

• Some common mistakes
  – Set prior to authentication
    » Not changed post-authentication
  – Not marked Secure / HttpOnly
  – Transmitted over HTTP
  – Transmitted as part of the URL
  – Based on a static value
  – Can be reused

Page 8: Secure Session Management

Common security concerns

• Some session tracking weaknesses we commonly see
  – Cookies not reset after authentication
  – Session not properly terminated on logout
  – Cookies not random enough and/or persistent
  – Cross-site scripting (XSS)
  – Cross-site request forgery (XSRF)
  – Session replay
  – Weak input validation

Page 9: Secure Session Management

Cookies set prior to authentication

• When a user visits a website, they are presented with a session cookie
• The user has not yet authenticated
• The user authenticates before the cookie expires, and the user's session is bound to the session token set by the server prior to authentication

• Attack
  – Capture of the token at the console (the pre-authentication cookie becomes a credential once the user logs in)
  – Persistent cookies on the local machine
  – Phishing a user with a URL that contains a session cookie

Page 10: Secure Session Management

Cookies set prior to authentication (cont.)

• These attacks can allow the attacker to duplicate the user's session and perform actions as that user
  – Perform unauthorized functions
  – Gain access to unauthorized information

• Solutions
  – If you need a cookie to track a user prior to authentication, ensure it is not the session cookie
  – If you do not need a cookie to track status, do not set one
  – Set the session cookie to a new value once the user authenticates and invalidate the previous cookie so it is not tied to the user's session
  – Delete any previous cookies for that user in the session table

Page 11: Secure Session Management

Session not properly terminated on logout

• When a user logs out of an application, the session is not properly terminated
  – Cookie not removed/overwritten in the browser
  – More importantly, the cookie's entry is not deleted from the session table on the backend server

• Attack scenario
  – A user has logged out of the session but leaves the browser open, walking away from the computer
  – A malicious user can use the back button to access data and perform transactions, because the old token is still valid on the server
  – If transmitted in clear text, once a user logs out, an attacker who was sniffing traffic can re-submit the captured session token and gain a cloned session

Page 12: Secure Session Management

Session not properly terminated on logout (cont.)

• These attacks are another avenue that can allow the attacker to duplicate the user's session and perform actions as that user
  – Perform unauthorized functions or gain access to unauthorized information

• Solutions
  – Ensure that logout triggers the following action
    » Remove the session token(s) from the session table on the backend server
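The following is an added example, not code from the slides: a minimal server-side session table in Python that applies the solutions from the last few slides. A fresh random token is issued before authentication, the token is rotated at login so the pre-authentication token (including one an attacker planted via a URL) is invalidated, and logout removes the entry on the server so a replayed cookie is rejected. The SessionStore class, its method names, and the 15-minute idle timeout are this example's own choices, not a framework API.

```python
import secrets
import time

# Added example, not from the slides: a server-side session table applying the
# deck's rules (rotate at login, invalidate on logout, reject replays). The
# class and method names below are this example's own, not a framework API.

TOKEN_BYTES = 32        # 256 bits from the OS CSPRNG; the deck asks for over 128
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the server drops a session


class SessionStore:
    def __init__(self, clock=time.time):
        self._table = {}     # token -> {"user": str or None, "last_seen": float}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create_anonymous(self):
        """Pre-authentication session: tracks state only and carries no identity."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._table[token] = {"user": None, "last_seen": self._clock()}
        return token

    def login(self, old_token, username):
        """Bind the user to a brand-new token and discard the pre-auth one.

        Rotating here is what defeats session fixation: a token the attacker
        planted never becomes the victim's authenticated session.
        """
        self._table.pop(old_token, None)       # invalidate whatever the browser sent
        new_token = secrets.token_urlsafe(TOKEN_BYTES)
        self._table[new_token] = {"user": username, "last_seen": self._clock()}
        return new_token

    def logout(self, token):
        """Terminate on the server; clearing the browser cookie alone is not enough."""
        return self._table.pop(token, None) is not None

    def lookup(self, token):
        """Username for a valid token, or None if unknown, logged out or idle too long."""
        entry = self._table.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._table[token]             # expired: same as a logged-out session
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo():
    """Replays the fixation and post-logout scenarios from the slides."""
    store = SessionStore()
    planted = store.create_anonymous()          # token the victim arrives with
    authed = store.login(planted, "alice")      # rotated at login
    user_before_logout = store.lookup(authed)
    store.logout(authed)
    return {
        "rotated_on_login": planted != authed,
        "planted_token_rejected": store.lookup(planted) is None,
        "user_before_logout": user_before_logout,
        "replay_after_logout_rejected": store.lookup(authed) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The browser-side part (overwriting the cookie with an expired one at logout) is still worth doing, but as the slide says it is the server-side deletion that actually stops the back-button and sniffed-token replays.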

Page 13: Secure Session Management

Cookies not random enough

• When a user visits an application, the cookies can contain any of the following
  – A timestamp
  – A username
  – A cookie that is short in length
  – A cookie that is persistent
  – A cookie that expires a year or more in the future

• Attack scenario
  – A persistent cookie is present on user machines
  – An attacker can capture these credentials and replay them from a remote location, waiting for the target user to log in
  – If the cookie contains a username and that username defines permissions, it can be changed and the attacker can gain elevated privileges

Page 14: Secure Session Management

Cookies not random enough (cont.)

• When a session can be predicted, an attacker can gain access to multiple sessions, which can
  – Allow targeted user attacks
  – Gain access to sessions at several different user levels

• Solution
  – Ensure that random cookies are used (generated from a cryptographically secure random source, not a timestamp or counter)
  – Ensure that no persistent cookies are used
  – Ensure that cookies are not set to expire a long time in the future

Page 15: Secure Session Management

Guidelines for secure cookie management

• Session tracking cookies
  – Set and/or reset the value after authentication
  – Remove from the session table on the server when the user logs out
    » Reset in the browser as well (not vital)
  – Use random values – over 128 bits
  – Mark the cookie "Secure" and "HttpOnly"
  – Ensure the cookie cannot be reused
  – Avoid persistent cookies
  – Set the cookie to expire in a timely manner
  – Transmit in the HTTP header instead of the URL line
  – Use HTTPS instead of HTTP for transmission
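As an added example (not from the slides), here is a small Python checker that audits a Set-Cookie header against the guidelines above: Secure and HttpOnly flags, token randomness, persistence and expiry. The entropy figure is an upper bound (it assumes every character is uniform over the smallest alphabet that covers the value), and the 128-bit and 24-hour thresholds, the finding texts, and the three constructed headers (the slide's own jsessionid value, one that merely Base64-encodes "alice:1449792000", and one set the recommended way) are this example's own choices.

```python
import base64
import binascii
import math
import string
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Added example, not from the slides: audit a Set-Cookie header against the
# guidelines above. Thresholds and finding texts are this example's own choices.

MIN_ENTROPY_BITS = 128        # the deck's "over 128 bit"
MAX_LIFETIME_SECONDS = 86400  # longer than a day counts as "far in the future" here

_ALPHABETS = [  # smallest first, so a hex token is not credited as base64
    ("hex", set("0123456789abcdef")),
    ("alphanumeric", set(string.ascii_letters + string.digits)),
    ("base64", set(string.ascii_letters + string.digits + "+/-_")),
]

def parse_set_cookie(header):
    """Split 'NAME=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def estimate_entropy_bits(value):
    """Upper bound on token entropy; '=' padding carries none and is dropped."""
    value = value.rstrip("=")
    for name, alphabet in _ALPHABETS:
        if set(value) <= alphabet or (name == "hex" and set(value.lower()) <= alphabet):
            return len(value) * math.log2(len(alphabet))
    return len(value) * 8.0  # unknown alphabet: assume arbitrary bytes

def decodes_to_text(value):
    """True if the value is Base64 of printable ASCII (username, timestamp, ...)."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)

def lifetime_seconds(attrs, now):
    """Seconds until expiry, or None for a non-persistent (browser-session) cookie."""
    if "max-age" in attrs:
        return float(attrs["max-age"]) if attrs["max-age"].lstrip("-").isdigit() else None
    if "expires" not in attrs:
        return None
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return None
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds()

def audit_set_cookie(header, now=None):
    """Return findings for one Set-Cookie header; empty list = meets the guidelines."""
    now = now or datetime.now(timezone.utc)
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie after XSS")
    bits = estimate_entropy_bits(value)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"weak token: at most ~{bits:.0f} bits of entropy")
    if value.isdigit():
        findings.append("numeric token: looks like a counter or timestamp")
    elif decodes_to_text(value):
        findings.append("token is Base64 of readable text, not random data")
    life = lifetime_seconds(attrs, now)
    if life is not None:
        findings.append("persistent cookie: survives closing the browser")
        if life > MAX_LIFETIME_SECONDS:
            findings.append(f"expires {life / 86400:.0f} days out")
    return findings

# Constructed headers: the slide's own token, one that merely Base64-encodes
# "alice:1449792000" with a 2021 expiry, and one set the recommended way.
AUDIT_DATE = datetime(2015, 12, 15, tzinfo=timezone.utc)
SAMPLE_HEADERS = {
    "slide_example": "JSESSIONID=abcdefg1234567; Path=/",
    "encoded_username": "JSESSIONID=YWxpY2U6MTQ0OTc5MjAwMA==; Path=/; "
                        "Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "recommended": "SID=1QznfLaO4UX_hnqg7k8TK1kbwjTzmzx6gS0dRjxm7V0; Path=/; Secure; HttpOnly",
}

def demo():
    return {name: audit_set_cookie(h, now=AUDIT_DATE) for name, h in SAMPLE_HEADERS.items()}
```

Note what the "encoded_username" case shows: the value is 22 Base64 characters and so passes the length-based entropy estimate, yet it is not random at all. Length is necessary but not sufficient; the token has to come from a CSPRNG.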

Page 16: Secure Session Management

Common session management attacks

• We will now discuss some ways in which weak session management is commonly exploited

• What we will discuss are attacks which we find to be valid with many applications
  – Cross-site scripting
  – Cross-site request forgery
  – Session cloning
  – Session fixation
  – Session replay

Page 17: Secure Session Management

Cross-site scripting to exploit weak session management

• Cross-site scripting
  – One of the goals of this style of attack is to gain control of a user's session
  – By crafting a special request which contains a script, the attacker can attempt to gain a target user's session tokens
    » Simple example – www.somesite.com/home.html?search=<script>alert('test123')</script> (URL-encoded when actually sent)
  – If the application reflects the search parameter into the page without encoding it, this will cause an alert box to appear with the text "test123" in the user's browser

• Next we will look at a more complicated attack which can be used to compromise a user's session

Page 18: Secure Session Management

Cross-site scripting to exploit weak session management (cont.)

• Leverage the document object model to access the cookie (document.cookie) and send its value to the attacker

• Solution
  – Filter client-supplied input
    » Length
    » Special characters
    » Etc.
  – Encode output for the context it is rendered in (HTML body, attribute, JavaScript, URL)
  – Mark cookies as HttpOnly
    » Ensures cookies cannot be read from the DOM via document.cookie (the injected script still runs, but it cannot steal the session token)
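As an added example (not from the slides), the search page from the previous two slides rendered two ways in Python: render_unsafe() reflects the query verbatim, which is the reflected XSS the slides describe, while handle_search() applies the two server-side controls above, a whitelist on the input and HTML encoding of the output. The function names, the page template, the whitelist pattern and the constructed payload are this example's own.

```python
import html
import re

# Added example, not from the slides: the vulnerable reflection beside the
# validate-then-encode version. Names and the whitelist are this example's own.

XSS_PAYLOAD = "<script>alert('test123')</script>"  # constructed attacker input

# Whitelist for a search term: letters, digits, space and a little punctuation,
# 1 to 64 characters. Anything else is rejected (whitelist, not blacklist).
SEARCH_RE = re.compile(r"[A-Za-z0-9 .,'-]{1,64}")


def render_unsafe(query):
    # VULNERABLE: attacker-controlled text is inserted into the page as markup
    return f"<p>Results for: {query}</p>"


def validate_search(query):
    """Return the query if it passes the whitelist, else None.

    fullmatch (rather than match with $) also rejects a trailing newline.
    """
    return query if SEARCH_RE.fullmatch(query) else None


def encode_for_html(text):
    """Encode for an HTML text or attribute context. quote=True also turns ' and "
    into entities, so the result is safe inside a quoted attribute value too.
    It is NOT sufficient inside <script> or in a URL; those need their own encoders."""
    return html.escape(text, quote=True)


def render_safe(query):
    return f"<p>Results for: {encode_for_html(query)}</p>"


def handle_search(query):
    """Validate first (whitelist), then encode whatever is actually rendered."""
    if validate_search(query) is None:
        return render_safe("invalid search term")
    return render_safe(query)
```

Even with HttpOnly set, the payload in render_unsafe() still executes in the victim's browser; HttpOnly only denies it document.cookie. The encoding step is what stops execution.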

Page 19: Secure Session Management

Other attacks leveraging session weaknesses

• Cross-site request forgery
  – An attacker can leverage a user's existing session to execute requests from outside that session (the browser attaches the session cookie to the forged request automatically)
  – Example
    » <img src=www.somesite.com/attack.htm?target=1234567890&status=attack&damage=100>
  – Solution
    » Do not pass transactional information in the URL
    » Functions which require variables to be passed should only be accepted in POST requests – beware of GET/POST translation, where the framework reads the same parameter from either; and since an attacker can also auto-submit a cross-site POST form, POST-only is not sufficient on its own
    » The application should validate the Referer when a request is made (treat a missing Referer as a failure; proxies can strip the header, so this is a secondary check)
    » Requests which perform sensitive actions should have a token associated with them
      – Token embedded in the page
      – Must match the value held on the backend or the request is not processed
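As an added example (not from the slides), here is the transfer endpoint behind the <img> attack above in Python, first as the vulnerable GET handler and then with the slide's controls applied: state changes only on POST, the Origin or Referer header must name our host, and a per-session synchronizer token must match the one stored server-side. Requests are modelled as plain dicts, and SITE, the handler names and the response strings are this example's own.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not from the slides: vulnerable transfer handler beside the
# POST + Origin/Referer + synchronizer-token version. All names are this
# example's own; requests are plain dicts standing in for a framework object.

SITE = "www.somesite.com"


def issue_csrf_token(session):
    """Store a random token in the server-side session; embed the returned value in the form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def do_transfer(user, target, amount):
    return f"200 {user} sent {amount} to {target}"


def transfer_unsafe(session, request):
    # VULNERABLE: any GET with the right parameters is executed, and the browser
    # attaches the victim's session cookie to the <img> fetch for the attacker.
    params = request["params"]
    return do_transfer(session["user"], params["target"], int(params["amount"]))


def same_site_origin(request):
    """Origin (preferred) or Referer must point at our host. A missing header is
    rejected: privacy proxies strip it, so fail closed rather than open."""
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    return bool(source) and urlsplit(source).hostname == SITE


def transfer_safe(session, request):
    if request["method"] != "POST":
        return "405 state changes require POST"
    if not same_site_origin(request):
        return "403 cross-site origin"
    submitted = request["params"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # constant-time compare: an early-exit compare would leak the token via timing
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 bad CSRF token"
    params = request["params"]
    return do_transfer(session["user"], params["target"], int(params["amount"]))


def demo():
    """Victim 'alice' is logged in; the attacker's page embeds the <img> from the slide."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    forged = {                      # what the <img src=...> on attacker.example sends
        "method": "GET",
        "headers": {"Referer": "http://attacker.example/blog.html"},
        "params": {"target": "1234567890", "amount": "100"},
    }
    genuine = {                     # alice submitting our own transfer form
        "method": "POST",
        "headers": {"Origin": f"https://{SITE}", "Referer": f"https://{SITE}/transfer.htm"},
        "params": {"target": "1234567890", "amount": "100", "csrf_token": token},
    }
    return {
        "unsafe_forged": transfer_unsafe(session, forged),
        "safe_forged": transfer_safe(session, forged),
        "safe_genuine": transfer_safe(session, genuine),
    }
```

The token is the primary control; the method and origin checks are defence in depth, since a cross-site form can be auto-submitted as POST and the Referer can be absent. Browsers later added the SameSite cookie attribute (after this talk was given), which is a further layer, not a replacement for the token.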

Page 20: Secure Session Management

Other attacks leveraging session weaknesses (cont.)

• Session cloning
  – Leverages session tracking weaknesses
    » Session token set prior to authentication
    » Session token(s) passed in the URL
      – www.somesite.com/login.htm?jsessionid=1234567890abcdef

• Session fixation
  – A session token is set via a GET request (the attacker chooses the token and gets the victim to use it)
    » www.somesite.com/login.htm?jsessionid=1234567890abcdef
  – Token does not change after login, so the attacker's token becomes the victim's authenticated session

• Session replay
  – A previous session was not properly terminated on the backend
  – Perform transactions by replaying captured/sniffed traffic

Page 21: Secure Session Management

Some steps to help avoid attacks

• Filter client-supplied input for proper size and characters before it is processed by the backend server
  – Use a whitelist instead of a blacklist for input validation
    » Blacklists can be bypassed through encoding, new attack types, etc.

• Do not allow special characters to be processed unless specifically required by the application
  – Encode output to prevent execution at the browser

• Mark cookies as HttpOnly so they cannot be stolen through XSS attacks

• Use an additional form-based token for sensitive POST actions to prevent CSRF attacks
  – Also check the Referer field

Page 22: Secure Session Management

Questions?
