This document discusses secure session management and common session security issues. It explains that capturing a user's session allows an attacker to act as that user. Sessions need to be properly terminated on logout to prevent replay attacks. Weaknesses like cookies set before authentication, non-random session IDs, and failing to remove sessions on logout can enable session hijacking. The document provides guidelines for generating secure random session IDs, setting cookies only after authentication, removing sessions on logout, and using HTTPS to mitigate these risks.
4. What needs to happen to establish a session?
• Authentication
• NTLM – Windows challenge-response authentication; the user's password hash is used to prove identity
• Forms-based – generic term for a login form submitted over HTTP (HTML / XHTML)
• Less common
– Basic – credentials sent Base64-encoded (not encrypted) on every request; not secure without HTTPS
– Digest – challenge-response based on an MD5 hash; the password itself is not transmitted, but MD5 is weak
§ Some session tracking mechanisms
o URL rewriting
o Cookies
• In form-based authentication a cookie is normally used to track the user, e.g. *JSESSIONID* in Java servlet containers
December 15, 2015
5. What are some types of HTTP session tracking?
• HTTP – Hypertext Transfer Protocol
• Foundation for communication on the world wide web
• Stateless – each request is independent, so the application itself must carry a session identifier to link requests to a user
• URL rewriting
• A user visits a website and the server responds with a session tracking token
• The user's subsequent requests to the web server carry the session ID in the URL
– www.somesite.com/index.jsp?jsessionid=abcdefg1234567
• Cookie-based
• A cookie is a small piece of data set on the client machine so the web server can uniquely identify the requesting party and maintain a session
– Cookies can have the following attributes:
» Marked Secure – sent only over HTTPS
» Marked HttpOnly – not readable by client-side script
» Have a Domain and Path set – which host(s) and URL path(s) the browser sends the cookie to
» Be set to expire – without an expiry the cookie is discarded when the browser closes; with Expires/Max-Age it becomes persistent
13. Cookies not random enough
• When a user visits an application, a poorly designed session cookie may have any of the following weaknesses
• Contains a timestamp
• Contains a username
• Is short (few bits of entropy, so it can be guessed or brute-forced)
• Is persistent
• Expires a year or more in the future
• Attack scenario
• A persistent cookie is present on user machines
• An attacker who captures the cookie (from the browser's cookie store or from the network) can replay it from a remote machine; because the cookie is persistent it stays valid without the target user logging in again
• If the cookie contains a username and that username determines permissions, the attacker can change it and gain elevated privileges
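The weak-cookie scenario above, as an added Python example (not code from the slides): a hypothetical cookie format, base64 of "username:issued_at:expires_at", that a server issues and then trusts; the attacker's decode-and-rewrite that turns a captured user cookie into an admin cookie; and the contrast with an opaque random token that is only meaningful through a server-side table. The cookie format, the user names and the timestamp are constructed for illustration.

```python
import base64
import secrets
from typing import Dict, Optional

# Constructed example. The weak cookie format (base64 of
# "username:issued_at:expires_at") is hypothetical, chosen to exhibit the
# weaknesses on the slide: it carries a username and a timestamp, it is
# persistent, and it is entirely predictable.


def issue_weak_cookie(username: str, issued_at: int, ttl_days: int = 365) -> str:
    """Vulnerable server: encodes identity and validity into the cookie itself.
    Base64 is an encoding, not encryption, so the client can read and rewrite it."""
    expires_at = issued_at + ttl_days * 86400
    raw = f"{username}:{issued_at}:{expires_at}".encode()
    return base64.urlsafe_b64encode(raw).decode()


def parse_weak_cookie(cookie: str) -> dict:
    username, issued_at, expires_at = base64.urlsafe_b64decode(cookie).decode().split(":")
    return {"username": username, "issued_at": int(issued_at), "expires_at": int(expires_at)}


def forge_privileged_cookie(victim_cookie: str, target_user: str = "admin") -> str:
    """Attacker: keep the captured cookie's validity window, swap the username."""
    f = parse_weak_cookie(victim_cookie)
    ttl_days = (f["expires_at"] - f["issued_at"]) // 86400
    return issue_weak_cookie(target_user, f["issued_at"], ttl_days)


def vulnerable_authorize(cookie: str, now: int) -> Optional[str]:
    """Vulnerable server: derives the role from the username stored in the
    cookie, so a forged cookie is accepted until its (attacker-chosen) expiry."""
    f = parse_weak_cookie(cookie)
    if now > f["expires_at"]:
        return None
    return "admin" if f["username"] == "admin" else "user"


# Hardened variant: the cookie is an opaque random token and all state lives
# in a server-side table, so there is nothing in the cookie to decode or edit.
SESSIONS: Dict[str, str] = {}   # token -> username


def issue_random_cookie(username: str) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, well over 128
    SESSIONS[token] = username
    return token


def hardened_authorize(cookie: str) -> Optional[str]:
    username = SESSIONS.get(cookie)     # unknown or forged token -> no session
    if username is None:
        return None
    return "admin" if username == "admin" else "user"


if __name__ == "__main__":
    issued = 1450137600                 # constructed timestamp: 15 Dec 2015 00:00 UTC
    victim = issue_weak_cookie("alice", issued)
    forged = forge_privileged_cookie(victim)
    print("victim cookie :", victim, parse_weak_cookie(victim))
    print("forged cookie :", forged, "->", vulnerable_authorize(forged, issued + 60))
    print("random cookie :", hardened_authorize(issue_random_cookie("alice")),
          "| forged cookie against hardened server ->", hardened_authorize(forged))
```

Note that the attacker does not need to break anything: the same user at the same second always gets the same cookie, and the server checks only what the cookie says about itself. The hardened server answers the same question ("who is this?") by looking the token up, so a token it never issued is simply unknown.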
15. Guidelines for secure cookie management
• Session tracking cookies
• Set and/or reset the value after authentication (never carry a pre-authentication token into the authenticated session)
• Remove the session from the server-side session table when the user logs out
– Clear it in the browser as well (not vital; the server-side removal is what stops replay)
• Use cryptographically random values of at least 128 bits
• Mark the cookie “Secure” and “HttpOnly”
• Ensure a token cannot be reused once its session has ended
• Avoid persistent cookies
• Set the cookie to expire in a timely manner, and enforce idle and absolute timeouts on the server
• Transmit in the Cookie header, never in the URL (URLs end up in browser history, proxy and server logs, and Referer headers)
• Use HTTPS instead of HTTP for transmission
19. Other attacks leveraging session weaknesses
§ Cross-site request forgery
o The attacker gets the victim's browser to send a request to the target site; the browser attaches the victim's session cookie automatically, so the request runs inside the user's existing session, with the user's privileges, from outside that session
o Example (an image tag on an attacker-controlled page makes the browser issue a GET to the target site)
• <img src="www.somesite.com/attack.htm?target=1234567890&status=attack&damage=100">
o Solution
• Do not pass transactional information in the URL
• Functions that change state should only accept their parameters in POST requests
– Beware of frameworks that treat GET and POST parameters interchangeably (GET/POST translation)
• The application should validate the Referer (or Origin) header when a request is made (defence in depth only; the header may be absent)
• Requests that perform sensitive actions should carry an anti-CSRF token
– Token embedded in the page (e.g. a hidden form field), unpredictable and tied to the session
– Must match the value held on the backend or the request is not processed
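The solutions listed above, as one added Python example (not code from the slides): a hypothetical state-changing endpoint, `transfer()`, that refuses transactional parameters on GET, checks the Origin header (falling back to Referer), and requires a per-session anti-CSRF token that must match the value stored server-side. `SITE_ORIGIN`, the endpoint, the session store and the attacker origin `evil.example` are all constructed for illustration.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed example. SITE_ORIGIN and the transfer() endpoint are hypothetical
# stand-ins for the application behind www.somesite.com on the slide.
SITE_ORIGIN = "https://www.somesite.com"
SESSIONS: Dict[str, Dict[str, str]] = {}   # session id -> {"user": ..., "csrf": ...}


def start_session(user: str) -> str:
    """Issue a random session id and a random per-session anti-CSRF token.
    The token is never placed in a cookie: the browser would send it
    automatically and it would then prove nothing."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Value the server embeds in each of its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def same_origin(headers: Dict[str, str]) -> bool:
    """Defence in depth: the request must claim to come from our own origin.
    Prefer Origin, fall back to Referer; both can be absent, and for a
    state-changing request absence is treated as failure."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def transfer(method: str, headers: Dict[str, str],
             cookies: Dict[str, str], form: Dict[str, str]) -> str:
    """State-changing endpoint implementing the slide's solutions: no
    transactional parameters on GET, origin check, and a token that must
    match the one stored server-side for the session."""
    if method != "POST":
        return "405 method not allowed"
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "401 no session"
    if not same_origin(headers):
        return "403 bad origin"
    submitted = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return "403 bad csrf token"
    return f"200 transferred {form['amount']} to {form['target']} as {session['user']}"


if __name__ == "__main__":
    sid = start_session("victim")
    jar = {"session": sid}                       # the browser attaches this automatically
    attack = {"target": "1234567890", "amount": "100"}
    # the <img src=...> from the slide: a GET carrying the victim's cookie
    print(transfer("GET", {"Referer": "https://evil.example/"}, jar, attack))
    # a hidden form auto-submitted from the attacker's page: POST, cookie, no token
    print(transfer("POST", {"Origin": "https://evil.example"}, jar, attack))
    # the legitimate form on somesite.com carries the embedded token
    print(transfer("POST", {"Origin": SITE_ORIGIN}, jar,
                   {**attack, "csrf_token": csrf_token_for(sid)}))
```

The token check is the control that actually decides the outcome: the attacker's page can make the victim's browser send the cookie, but it cannot read the token out of a page on somesite.com, so it cannot put the right value in the form.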
20. Other attacks leveraging session weaknesses (cont.)
• Session cloning
• Leverages session tracking weaknesses
– Session token set prior to authentication
– Session token(s) passed in the URL
» www.somesite.com/login.htm?jsessionid=1234567890abcdef
• Session fixation
• The attacker supplies a session token to the victim, e.g. via a link that sets it in a GET request
– www.somesite.com/login.htm?jsessionid=1234567890abcdef
• The token does not change after login, so the token the attacker already knows now identifies the victim's authenticated session
• Session replay
• A previous session was not properly terminated on the backend
• The attacker performs transactions by replaying captured/sniffed traffic
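The session lifecycle that defeats fixation and replay, covering both the guidelines on slide 15 and the weaknesses on this slide, as one added Python example (not code from the slides or from any servlet container): a server-side session table that issues an opaque pre-authentication token, discards whatever token the client presented and issues a fresh one at login, enforces idle and absolute timeouts on the server, removes the record on logout, and emits a Set-Cookie header with the attributes the slides recommend. The timeout values, the reuse of the name JSESSIONID, and the SameSite attribute (which postdates these 2015 slides) are choices made for this example, not the slides'.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed example: a minimal server-side session table with the lifecycle
# the guidelines call for. Timeouts are assumptions, not values from the slides.
IDLE_TIMEOUT = 15 * 60          # 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600     # 8 hours is the longest any session may live


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._table: Dict[str, dict] = {}   # token -> {"user", "created", "seen"}
        self._clock = clock                  # injectable so expiry can be tested

    def _new_token(self) -> str:
        return secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG

    def start_anonymous(self) -> str:
        """Pre-authentication session (e.g. a basket). It carries no identity
        and must never be promoted to a login as-is."""
        tok = self._new_token()
        now = self._clock()
        self._table[tok] = {"user": None, "created": now, "seen": now}
        return tok

    def login(self, presented: Optional[str], user: str) -> str:
        """Rotate the token at authentication. Whatever the client presented,
        including an attacker-chosen ?jsessionid=... value, is discarded, so a
        fixed token never becomes an authenticated one."""
        if presented in self._table:
            del self._table[presented]
        tok = self._new_token()
        now = self._clock()
        self._table[tok] = {"user": user, "created": now, "seen": now}
        return tok

    def lookup(self, tok: str) -> Optional[str]:
        """Return the authenticated user for a token, enforcing idle and
        absolute timeouts here; the cookie's Max-Age is only advice to the browser."""
        rec = self._table.get(tok)
        if rec is None or rec["user"] is None:
            return None
        now = self._clock()
        if now - rec["seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._table[tok]
            return None
        rec["seen"] = now
        return rec["user"]

    def logout(self, tok: str) -> None:
        """Remove the record. A sniffed or saved copy of the token can no
        longer be replayed, whatever the browser does with its own copy."""
        self._table.pop(tok, None)


def set_cookie_header(tok: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Secure (HTTPS only), HttpOnly (no script access), SameSite, scoped Path,
    short Max-Age: a session cookie, not a persistent one."""
    return (f"Set-Cookie: JSESSIONID={tok}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


def clear_cookie_header() -> str:
    """Browser-side clean-up on logout; helpful, but the server-side removal
    in SessionStore.logout() is what actually stops replay."""
    return "Set-Cookie: JSESSIONID=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    pre = store.start_anonymous()        # could have arrived via ?jsessionid=... from an attacker
    tok = store.login(pre, "alice")
    print("rotated at login:", pre != tok, "| old token still valid:", store.lookup(pre))
    print(set_cookie_header(tok))
    store.logout(tok)
    print("after logout:", store.lookup(tok))
    print(clear_cookie_header())
```

The two checks a reviewer should look for are both in the table, not in the cookie: the fixed token dies at `login()`, and the replayed token dies at `logout()` or at the timeouts in `lookup()`. Nothing about the cookie string itself is trusted.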