secure session management
TRANSCRIPT
Secure Session Management
OWASP Tampa, December 10, 2015
December 15, 2015
Why are we talking about sessions?
• In general, when we discuss session management with web applications, if you are able to capture a user’s session, you can become that user
• If you can become another user, any controls you put in place no longer matter
• In a captured session, you are executing commands as another user
• Session management is, therefore, very important
What is a session and why is it necessary?
• A session is a series of interactions between two endpoints that occurs during the span of a connection
• One endpoint requests a connection with another endpoint and, if that endpoint agrees, the endpoints exchange data and commands
• The session begins when a connection is established and ends when the connection is ended
• Since HTTP is a stateless protocol, there needs to be a way of tracking sessions through unique identifiers
What needs to happen to establish a session?
• Authentication
  • NTLM – hash of Windows credentials used to identify user
  • Forms-based – generic term, commonly HTTP + HTML/XHTML
  • Less common
    – Basic – Base64 encoded, not secure
    – Digest – encrypted transmission of credentials, based on MD5 hash
• Some session tracking mechanisms
  • URL rewriting
  • Cookies
• In form-based authentication, cookies are used to track a user – *JSessionID*
What are some types of HTTP session tracking?
• HTTP – Hypertext Transfer Protocol
  • Foundation for communication on the World Wide Web
  • Stateless
• URL rewriting
  • A user visits a website and the server responds with a session tracking token
  • The user then sends requests to the web server which contain the session ID in the URL
    – www.somesite.com/index.jsp?jsessionid=abcdefg1234567
• Cookie-based
  • A cookie is a small piece of data set on the client machine so the web server can uniquely identify the requesting party and maintain a session
    – Cookies can have the following attributes:
      » Marked Secure
      » Marked HTTPOnly
      » Have a path set – which site(s) can use the cookie
      » Be set to expire
What are some types of session tracking? (cont.)
• Cookie-based
  • A user visits a website and the server responds with a session tracking token
Cookies
• Cookies are small pieces of data set on a client machine so the web server can uniquely identify the requesting party and maintain a session
• Some common mistakes
  • Set prior to authentication
    – Not changed post authentication
  • Not marked Secure/HTTPOnly
  • Transmitted over HTTP
  • Transmitted as part of the URL
  • Based on static value
  • Can be reused
Common security concerns
• Some session tracking weaknesses we commonly see
  • Cookies not reset after authentication
  • Session not properly terminated on logout
  • Cookies not random enough and/or persistent
  • Cross-site scripting (XSS)
  • Cross-site request forgery (XSRF)
  • Session replay
  • Weak input validation
Cookies set prior to authentication
• When a user visits a website, they are presented with a session cookie
• The user has not yet authenticated
• The user authenticates before the cookie expires and the user’s session is bound to the session token set by the server prior to authentication
• Attack
  • Capture of credentials at console
  • Persistent cookies on local machine
  • Phishing a user with a URL that contains a session cookie
Cookies set prior to authentication (cont.)
• These attacks can allow the attacker to duplicate the user’s session and perform actions as that user
  • Perform unauthorized functions
  • Gain access to unauthorized information
• Solutions
  • If you need a cookie to track a user prior to authentication, ensure it is not the session cookie
  • If you do not need a cookie to track status, do not set one
  • Set the session cookie to a new value once the user authenticates and invalidate the previous cookie so it is not tied to the user session
  • Delete any previous cookies for that user in the session table
Session not properly terminated on logout
• When a user logs out of an application, the session is not properly terminated
  • Cookie not removed/overwritten on browser
  • More importantly, cookie not deleted from the session table on the backend server
• Attack scenario
  • A user has logged out of the session but leaves the browser open, walking away from the computer
  • A malicious user can use the back button to access data and perform transactions
  • If transmitted in clear-text, once a user logs out, an attacker who was sniffing traffic can re-submit session traffic and gain a cloned session
Session not properly terminated on logout (cont.)
• These attacks are another avenue that can allow the attacker to duplicate the user’s session and perform actions as that user
  • Perform unauthorized functions or gain access to unauthorized information
• Solutions
  • Ensure that the logout triggers the following action
    – Remove the session token(s) from the session table on the backend server
Cookies not random enough
• When a user visits an application, the cookies can contain any of the following
  • A timestamp
  • A username
  • A cookie that is short in length
  • A cookie that is persistent
  • A cookie that expires a year or more in the future
• Attack scenario
  • A persistent cookie is present on user machines
  • An attacker can capture these credentials and replay them from a remote location waiting for the target user to log in
  • If the cookie contains a username and that username defines permissions, this can be changed and the attacker can gain elevated privileges
Cookies not random enough (cont.)
• When a session can be predicted, an attacker can gain access to multiple sessions that can
  • Allow targeted user attacks
  • Gain access to sessions at several different user levels
• Solution
  • Ensure that random cookies are used
  • Ensure that no persistent cookies are used
  • Ensure that cookies are not set to expire a long time in the future
Guidelines for secure cookie management
• Session tracking cookies
  • Set and/or reset value after authentication
  • Remove from the session table on the server when the user logs out
    – Reset on browser as well (not vital)
  • Use random values – over 128 bit
  • Mark the cookie “Secure” and “HTTP-only”
  • Ensure the cookie cannot be reused
  • Avoid persistent cookies
  • Set cookie to expire in a timely manner
  • Transmit in the HTTP header instead of the URL line
  • Use HTTPS instead of HTTP for transmission
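The guidelines above, together with the earlier "cookies set prior to authentication" and "session not properly terminated on logout" slides, describe one server-side session table with three lifecycle rules: issue a fresh random token when the user authenticates (so a pre-authentication token is never bound to the logged-in session), delete the token from the table on logout (so a replayed cookie finds nothing), and expire sessions promptly. The class below is an added example written for this transcript, not code from the talk; the class and method names, the cookie name, the 15-minute idle timeout and the 256-bit token size are my assumptions, and the session table is an in-memory dict standing in for whatever backend store the application uses.

```python
"""Server-side session table implementing the cookie guidelines (added example)."""
import secrets
import time

SESSION_TTL = 15 * 60        # idle timeout in seconds (assumed value)
COOKIE_NAME = "SESSIONID"    # assumed cookie name
TOKEN_BYTES = 32             # 256 bits of randomness, above the 128-bit floor


class SessionStore:
    """Maps session tokens to {"user": name-or-None, "expires": unix-time}.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._table = {}
        self._clock = clock

    def _new_token(self):
        # CSPRNG token, never derived from username, time or a counter.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create_anonymous(self):
        """Pre-authentication session used only to track state; no user bound."""
        token = self._new_token()
        self._table[token] = {"user": None, "expires": self._clock() + SESSION_TTL}
        return token

    def authenticate(self, old_token, username):
        """Bind the user to a brand-new token. The old token (which a phisher or
        a shared console may already know) is dropped, and any other live
        session for this user is removed, per the slide's advice to delete
        previous cookies for that user in the session table."""
        self._table.pop(old_token, None)
        stale = [t for t, rec in self._table.items() if rec["user"] == username]
        for t in stale:
            del self._table[t]
        token = self._new_token()
        self._table[token] = {"user": username, "expires": self._clock() + SESSION_TTL}
        return token

    def lookup(self, token):
        """Return {"user": ...} for a live session, or None. Expired sessions are
        purged on sight; a hit refreshes the idle timer."""
        rec = self._table.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now >= rec["expires"]:
            del self._table[token]
            return None
        rec["expires"] = now + SESSION_TTL
        return {"user": rec["user"]}

    def logout(self, token):
        """Server-side removal is the vital step; clearing the browser cookie
        (clear_cookie_header) is a courtesy that does not protect anything."""
        return self._table.pop(token, None) is not None


def set_cookie_header(token, max_age=SESSION_TTL):
    """Set-Cookie value: Secure + HttpOnly, short Max-Age, carried in the header
    rather than the URL. Only meaningful over HTTPS."""
    return f"{COOKIE_NAME}={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


def clear_cookie_header():
    """Tell the browser to discard the cookie after logout (not vital)."""
    return f"{COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    pre = store.create_anonymous()
    post = store.authenticate(pre, "alice")
    print("token changed on login:", pre != post)
    print("old token still valid:", store.lookup(pre) is not None)
    store.logout(post)
    print("replayed token after logout:", store.lookup(post))
    print(set_cookie_header(post))
```

The replay scenario from the logout slide maps directly onto `logout` followed by `lookup`: once the row is gone from the table, a captured cookie or a back-button request carrying the old token is rejected regardless of what the browser still holds.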
Common session management attacks
• We will now discuss some ways in which weak session management is commonly exploited
• What we will discuss are attacks which we find to be valid with many applications
  • Cross-site scripting
  • Cross-site request forgery
  • Session cloning
  • Session fixation
  • Session replay
Cross-site scripting to exploit weak session management
• Cross-site scripting
  • One of the goals of this style of attack is to gain control of a user’s session
  • By crafting a special request which contains a script, the attacker can attempt to gain a target user’s session tokens
    – Simple example – www.somesite.com/home.html?search=<javascript:alert(test123)>
  • This will cause an alert box to appear with the text “test123” on the user’s desktop
  • Next we will look at a more complicated attack which can be used to compromise a user’s session
Cross-site scripting to exploit weak session management (cont.)
  – Leverage document object model to access cookie
  – Solution
    • Filter client supplied input
      – Length
      – Special characters
      – Etc.
    • Mark cookies as HTTP-only
      – Ensures cookies cannot be accessed by DOM
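The solution bullets above are input filtering on length and special characters plus output encoding so that whatever does reach the page cannot execute. The handler below is an added example for this transcript, not code from the talk; it validates the `search` parameter from the slide's example URL against a whitelist (the allowed character set and the 64-character limit are my assumptions) and HTML-encodes the value before placing it in the page, so that even a value that slipped past validation would render as text rather than markup. The HttpOnly half of the solution is a cookie attribute and is covered by the session-store example earlier in this transcript.

```python
"""Whitelist validation and output encoding for a search parameter (added example)."""
import html
import re

SEARCH_MAX_LEN = 64                               # assumed limit
SEARCH_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]*")  # whitelist of permitted characters


def validate_search(value):
    """Return (ok, reason). Length is checked before the character whitelist so
    an oversized value is rejected cheaply; the whitelist rejects anything the
    application does not explicitly need, including < > " ' & ( ) : and /."""
    if len(value) > SEARCH_MAX_LEN:
        return False, "too long"
    if not SEARCH_ALLOWED.fullmatch(value):
        return False, "disallowed characters"
    return True, ""


def render_results_page(search):
    """Encode for the HTML body context at the point of output, regardless of
    whether validation already ran: defence in depth against a later code path
    that forgets to validate."""
    return f"<p>Results for: {html.escape(search, quote=True)}</p>"


def handle_search(value):
    """Minimal request handler: (status, body). Rejected input is echoed only
    through the reason string, never the raw value."""
    ok, reason = validate_search(value)
    if not ok:
        return 400, f"<p>Invalid search ({html.escape(reason)})</p>"
    return 200, render_results_page(value)


if __name__ == "__main__":
    for sample in ("owasp tampa", "<javascript:alert(test123)>", "a" * 65):
        print(repr(sample), "->", handle_search(sample))
```

The slide's sample payload is rejected by the whitelist before it reaches the page; the second line of defence is visible by calling `render_results_page` directly with markup in the value and observing that it comes back entity-encoded.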
Other attacks leveraging session weaknesses
• Cross-site request forgery
  • An attacker can leverage a user’s existing session to execute requests from outside that session
  • Example
    • <img src=www.somesite.com/attack.htm?target=1234567890&status=attack&damage=100>
  • Solution
    • Do not pass transactional information in the URL
    • Functions which require variables to be passed should only be accepted in POST requests
      – GET/POST translation
    • Application should validate the referrer when a request is made
    • Requests which perform sensitive actions should have a token associated with them
      – Token embedded in page
      – Must match backend or request is not processed
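The four solution bullets above (POST only, no transactional parameters in the URL, referrer validation, and a per-session token embedded in the page that must match the backend) fit in one request check. The code below is an added example written for this transcript, not code from the talk; requests are modelled as plain dicts rather than a real web framework, and the application origin, the hidden-field name and the decision to treat a missing Referer as a failure are my assumptions.

```python
"""CSRF defences for a transactional endpoint (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

ORIGIN = "https://www.somesite.com"   # assumed application origin
TOKEN_FIELD = "csrf_token"            # assumed hidden-field name

# Server-side copy of each session's token: session id -> token.
_csrf_tokens = {}


def issue_csrf_token(session_id):
    """Generate the token the backend will later require to match."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def render_transfer_form(session_id):
    """Embed the token in the page as a hidden field on a POST form."""
    token = issue_csrf_token(session_id)
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<input name="target"><input name="amount"><button>Send</button></form>')


def referrer_allowed(headers):
    """Accept only requests whose Referer is this application's own origin.
    Assumption: a missing Referer fails closed."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}" == ORIGIN


def check_transfer_request(request):
    """request = {"method", "session_id", "headers", "form", "query"}.
    Returns (accepted, reason)."""
    if request["method"] != "POST":
        return False, "transactional function only accepts POST"
    if request.get("query"):
        return False, "transactional parameters must not be in the URL"
    if not referrer_allowed(request.get("headers", {})):
        return False, "referrer not from application origin"
    expected = _csrf_tokens.get(request["session_id"])
    supplied = request.get("form", {}).get(TOKEN_FIELD, "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "CSRF token missing or mismatched"
    return True, "ok"


if __name__ == "__main__":
    # Constructed: the slide's <img> trick arrives as a GET with query parameters.
    forged = {"method": "GET", "session_id": "s1", "headers": {},
              "form": {}, "query": {"target": "1234567890", "damage": "100"}}
    print(check_transfer_request(forged))
    token = issue_csrf_token("s1")
    genuine = {"method": "POST", "session_id": "s1",
               "headers": {"Referer": ORIGIN + "/transfer"},
               "form": {TOKEN_FIELD: token, "target": "1234567890"}, "query": {}}
    print(check_transfer_request(genuine))
```

The checks are ordered cheapest first, so a forged GET from an `<img>` tag is refused before any token lookup; a forged POST that somehow arrives with the right Referer still fails because the attacker's page cannot read the token embedded in the victim's form.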
Other attacks leveraging session weaknesses (cont.)
• Session cloning
  • Leverages session tracking weaknesses
    – Session token set prior to authentication
    – Session token(s) passed in URL
      » www.somesite.com/login.htm?jsessionid=1234567890abcdef
• Session fixation
  • A session token is set via a GET request
    – www.somesite.com/login.htm?jsessionid=1234567890abcdef
  • Token does not change after login
• Session replay
  • A previous session was not properly terminated on the backend
  • Perform transactions by replaying captured/sniffed traffic
Some steps to help avoid attacks
• Filter client supplied input for proper size and characters before it is processed by the backend server.
  – Use a whitelist instead of a blacklist for input validation
    » Blacklists can be bypassed through encoding, new attack types, etc.
• Do not allow special characters to be processed unless specifically required by the application
  – Encode to prevent execution at the browser
• Mark cookies as HTTP-only so they cannot be compromised through XSS attacks
• Use an additional form-based token for sensitive POST actions to prevent CSRF attacks
  – Also check the referrer field
Questions?