Download this PDF to see the latest tips and tricks on how to secure your website and web applications against session management vulnerabilities. Information was presented at the OWASP 2010 USA National Conference in Irvine, CA on September 10, 2010.
2. Agenda
What is HTTP Session
Management?
Session Management
Security
Assessment Techniques
Related Attack Vectors
Session Management Best
Practices
Q & A
OWASP
3. What is HTTP Session Management?
Process of keeping track of a user's
activity across sessions of interaction
with the computer system (Wikipedia)
Used to make the stateless HTTP
protocol support session state
Seamlessly identifies a user to the
server – for every request – once he /
she authenticated herself to the
server
OWASP
11. Session Management
How is it usually im plem ented?
Session (and related) attacks are a key attack surface for HTTP
web applications
Most common session / state mechanism for HTTP:
Unique session tokens in the form of HTTP cookies or URL
parameters
HTTP authentication (basic, digest, NTLM) can be used for
session management – but very rare usage
Applications can also use sessionless state mechanisms (like
ASP.NET's ViewState), essentially keeping all state on the client
Tip: If you use ViewSate, make sure you enable hash via
EnableViewStateMac="true"
Caution: ViewSate hash prevents state tampering, but
hackers can still decode and view state information!
OWASP
12. Session Management Security
Session Tok ens / Cook ies
Session tokens often composed of: User info, account info,
date/timestamp, email address, client IP address, etc.
Session tokens can also be based on concealed sequences,
time dependencies, random number generation, etc.
Session tokens are often encoded: E.g. using Base64, XOR,
hexadecimal representation using ASCII characters, etc.
Disclosure of tokens on the network: Network traffic
eavesdropping
Use HTTPS for all content, incl. static content, help
pages, pre-login-pages, images, etc.
OWASP
13. Session Management Security
Session Tok ens / Cook ies – contd.
Enable HTTPOnly & Secure cookie flags to disallow cookie
access from JavaScript and force cookie transmission only
via HTTPS, respectively
URL based session tokens can get revealed via various
HTTP logs (e.g. Google for inurl:jsessionid). Note that the
referrer/referrer header can contain session tokens
Hackers will try to capture your token by making you
visit a site on a server they control (via referer header)
Ineffective or non-existing session termination/logout
functionality (e.g. only deleting client-side cookie, but no
session expiration on server) leaves session tokens
vulnerable for exploitation
OWASP
14. The Bottom Line…
There a wide variety of different HTTP session management
mechanisms due to the lack of strong native support.
Always remember:
Not all of them are equally secure!
The strongest authentication mechanism won't help if the
session management mechanism is vulnerable!
OWASP
15. Assessment Techniques
There are a wide variety of different assessment techniques
for session management vulnerabilities.
Assessment techniques:
Often use a combination of commercial scanners, basic
tools (proxies, fuzzers, spiders, decoders, etc.) and manual
testing and analysis
Comprehensive solutions / scanners: Cenzic Hailstorm
Basic tools: Burp Suite, Paros, WebScarab, Tamper Data
Attempt to map and analyze the application and identify the
authentication & session management mechanisms (e.g.
session tokens, login/logout pages, etc.)
Try to observe / analyze any encodings and obfuscations of
session tokens in order to manipulate them
OWASP
16. Assessment Techniques – Contd.
Assessment techniques:
Often require one or more user accounts to compare
behavior of the application before and after login (public vs.
private pages) and between users with different access
privileges
Test whether users can be fooled into using attacker
supplied session tokens (session fixation)
Try to explore any related attack vectors, like XSS, CSRF,
etc.
Also examine various other attack vectors, like:
Token predictability, cookie scope (domain / path), insecure
token transmission, log disclosures, insufficient session
termination, etc.
OWASP
17. Related Attack Vectors
There are various session management related attack vectors,
as well as some more loosely related ones, such as:
Session Fixation & Hijacking
Ineffective Session Termination
Weak passwords, vulnerable “forgot password”
functionality, etc.
Authentication Bypass (SQL Injection), Authorization
Boundary Vulnerabilities, Privilege Escalation
HTTPS/SSL Bypass Vulnerabilities (access with HTTP)
XSS / CSRF
And more…
OWASP
18. Related Attack Vectors
Cross-Site Request Forgery (CSRF)
What is it?: Basic Web Application session management
behavior is exploited to make legitimate user requests
without the user’s knowledge or consent.
Root Cause: Basic session id management that is
vulnerable to exploitation (e.g. cookie-based).
Impact: Attackers can make legitimate Web requests from
the victim’s browser without the victim’s knowledge or
consent, allowing legitimate transactions in the user’s
name. This can results in a broad variety of possible
exploits.
Solution: Enhance session management by using non-
predictable “nonce” or other unique one-time tokens in
addition to common session identifiers, as well as the
validation of HTTP Referrer headers. OWASP
24. Session Management Best Practices
Use strong tokens with strong randomness
Only ever transfer tokens back to the server using HTTPS
(don't forget about static content, help pages, images, pre-
login pages, etc.)
Never use URL based session tokens, as that enables very
easy session fixation attacks. If you have to (cookies
disabled), use POSTs with hidden fields
Use HTTPOnly & Secure cookie flags
Implement strong logout functionality (with invalidation of
session tokens & deletion of session & state on server)
Implement session expiration with same results as strong
logout (after e.g. 5 or 10 minutes)
OWASP
25. Session Management Best Practices – contd.
Consider implementing “per-page” tokens (also helps with
CSRF)
Ideally do not allow concurrent logins
Terminate sessions when attacks are detected
(Temporarily) disable accounts after too many wrong
session tokens / attacks (too slow down & frustrate
hackers)
Log session related information on the server and audit logs
regularly
Avoid weak passwords & weak change / forgot password
mechanisms
Also defend against related attacks, like XSS, CSRF, etc.
Also see owasp.org and OWASP dev guide OWASP
26. Security In The Real World …
It’s true, you might not be able to outrun the
bear, but let’s not forget, all you have to do is
outrun your competition!
OWASP
27. Things to Remember
Attackers can be extremely creative and overcome
various defense mechanisms
Never underestimate your opponent!
Always remember: The strongest authentication
won't help if session management vulnerabilities
exist!
OWASP