Thursday, 28 December 2017

SESSION TOKEN VULNERABILITY IN WEB APPLICATIONS: WEBGOAT DEMO


Week Seven

A plethora of web applications require a mechanism for session management. This security function is performed with the help of session tokens. An application can use this feature to uniquely identify a user’s request and interaction (Portswigger, 2017). These tokens are assigned to users while accessing resources (Raj, 2017). Since session tokens play a pivotal role in session management, attackers find them to be a point of interest. When tokens are compromised, it could lead to authentication bypass, account hijack and at worst, administrative access (Portswigger, 2017).

Generally, an attack on session tokens involves hijacking a valid user session by predicting session tokens generated by weak algorithms. This attack succeeds for several reasons, including: indefinite session expiration time, a weak session token generation algorithm, short session tokens, insecure handling of session tokens and so on (Oriyano, 2016). The attacker analyses the session tokens to determine their pattern. This analysis is performed using automated tools like Burp Suite that inspect traffic between browsers and applications, capture cookies and collect a large number of session tokens.

Furthermore, “session management mechanisms can be vulnerable to attack if tokens are generated in an unsafe manner that enables an attacker to predict values of tokens that have been issued to other users. A password recovery token, sent to a user's registered email address is an example where an application's security depends on the unpredictability of tokens it generates” (Portswigger, 2017).

WebGoat, the web application used for this demonstration, is an insecure application maintained by the Open Web Application Security Project (OWASP) and is designed to depict the behaviour of a vulnerable environment (Akshay, 2017). The application shows a “common server-side flaw intended to help people learn about web application security and penetration testing techniques” (Akshay, 2017).

Countermeasures

This session management vulnerability can be mitigated by:
  • Using long random strings as session tokens;
  • Implementing a “timeout” function that destroys the session once it has expired;
  • Associating the cookie authentication credential with an IP address;
  • Installing patches and software updates;
  • Generating session tokens only after successful login and accepting only session tokens generated by the server;
  • Passing the authentication cookies over HTTPS connections only.
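The following is an added example, written for this post and not taken from WebGoat or any of the cited sources, that puts the countermeasures above into one small server-side session store. The in-memory store, the timeout values, the IP-binding rule and the cookie attributes are all assumptions chosen for illustration; a real deployment would persist sessions and tune the limits.

```python
"""Server-side session management that applies the countermeasures listed above.
Added example; the in-memory store, timeouts and names are assumptions."""
import secrets
import time

TOKEN_BYTES = 32             # 256 bits of randomness -> 43-char URL-safe token
IDLE_TIMEOUT = 15 * 60       # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity (assumed)


class SessionStore:
    """Issues, validates and destroys session tokens; only tokens this store
    issued are ever accepted, so a client-supplied value is never trusted."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._sessions = {}      # token -> {"user", "ip", "created", "last_seen"}

    def create(self, user, client_ip):
        # Long random token from the OS CSPRNG; never a counter, timestamp or hash of them.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        now = self._clock()
        self._sessions[token] = {"user": user, "ip": client_ip,
                                 "created": now, "last_seen": now}
        return token

    def login(self, old_token, user, client_ip):
        """Rotate the token on successful authentication: whatever token the
        browser held before login is destroyed and a fresh one is issued."""
        self.destroy(old_token)
        return self.create(user, client_ip)

    def lookup(self, token, client_ip):
        """Return the user bound to `token`, or None if the token is unknown
        (not issued here), expired, or presented from a different IP address."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(token)      # the "timeout" countermeasure
            return None
        if sess["ip"] != client_ip:
            self.destroy(token)      # IP binding: treat a mismatch as a hijack attempt
            return None
        sess["last_seen"] = now
        return sess["user"]

    def destroy(self, token):
        self._sessions.pop(token, None)

    def timeout(self):
        """Sweep every expired session; returns how many were destroyed."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s["last_seen"] > IDLE_TIMEOUT
                   or now - s["created"] > ABSOLUTE_TIMEOUT]
        for t in expired:
            self.destroy(t)
        return len(expired)


def session_cookie_header(token):
    """Set-Cookie value: Secure (sent over HTTPS only), HttpOnly (no script
    access) and SameSite to limit cross-site sending."""
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create(None, "203.0.113.5")          # constructed client IP
    tok = store.login(pre_login, "alice", "203.0.113.5")   # token rotated on login
    print("Set-Cookie:", session_cookie_header(tok))
    print("old token accepted?", store.lookup(pre_login, "203.0.113.5") is not None)
    print("new token accepted?", store.lookup(tok, "203.0.113.5"))
```

Binding a session to a client IP address rejects a stolen token used from elsewhere, but it also logs out legitimate users whose address changes (mobile networks, carrier NAT), so it is usually applied only to high-value sessions or combined with a re-authentication prompt rather than a hard rejection.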



References
Oriyano, S.-P. (2016, April). CEH v9: Certified Ethical Hacker Version 9 Study Guide (3rd ed.).
Rijhwani, A. (2017, May). What is WebGoat? Retrieved from https://www.quora.com/What-is-WebGoat
Chandel, R. (2017, July). Beginner Guide to Understand Cookies and Session Management. Retrieved from http://www.hackingarticles.in/beginner-guide-understand-cookies-session-management/
Portswigger Web Security. (2017). Using Burp to attack Session Management. Retrieved from https://support.portswigger.net/customer/portal/articles/1964053-using-burp-to-attack-session-management

Video Credit: Jdasinger. May 10, 2017
