When an application has an authentication feature, it is very important to manage the session securely. Many vulnerabilities arise from session misconfiguration. Most applications manage the session via a cookie that carries the session ID. A session ID is a unique value assigned to identify a user accessing a web application. The application usually creates a session cookie and session ID for each valid session, and these cookies can contain sensitive data like username, password, etc. It is important to maintain the confidentiality of a session ID so that other users or attackers cannot use it to access the same account.
On logout and on browser close, the session cookie should be invalidated at the server so that it cannot be reused, and each new session should get a new cookie.
The session ID must be validated at the server end for every request from the client, so that the server can check whether the request is coming from the legitimate user. The session ID should also have high entropy, so that it cannot be guessed. Many session-related vulnerabilities arise from session misconfiguration and can be used by an attacker to attack the application.
HOW TO CHECK SESSION COOKIE IN BROWSER
1. In Chrome, open the menu, then More Tools, then Developer Tools, on the tab where your application is open.
2. In Developer Tools, go to the Application tab and check Cookies under Storage.
3. In the screenshot below you can see that JSESSIONID is the cookie for this application:
4. After authentication, the server assigns a new cookie, which is the session cookie:
ATTACKS ASSOCIATED WITH SESSION ID
Session Hijacking
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token in order to gain unauthorized access to the web server. The session token can be compromised in different ways; the most common are:
· Predictable session token
· Session sniffing
· Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
· Man-in-the-middle attack
· Man-in-the-browser attack
Session Fixation
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, which makes it possible to keep using an existing one. The attack consists of inducing a user to authenticate with a session ID already known to the attacker, and then hijacking the authenticated session through knowledge of that session ID. The attacker must obtain a legitimate application session ID and make the victim's browser use it.
Session Puzzling
Session puzzling is an attack that occurs when an application session variable is used for more than one purpose. Another name for session puzzling is session variable overloading. This attack is generally performed against forgot-password functionality. This vulnerability enables attackers to bypass authentication, escalate privileges, impersonate users, bypass flow restrictions, and perform several other attacks.
Session Replay
Session Replay, also known as a replay attack or playback attack, occurs when the application session is managed via a cookie that has no session expiration time set. Some web applications allow an old session ID to be reused to access resources without re-authenticating the user, which leads to a session replay attack.
Insufficient Session Expiration
Insufficient session expiration is a vulnerability in which the session lifetime is too long. Session timeout comes in two types, inactivity and absolute, and both can be customized according to the type of business and company policy. An inactivity timeout ends the session after the user has been idle (not performing any task) for a particular amount of time. An absolute timeout is the maximum active time allowed per user per session, regardless of activity.
Session Cookie Attributes
There are cookie attributes that provide an extra layer of protection against the session cookie being stolen and used for malicious activity.
These attributes are:
· Secure – The browser sends the session cookie only over an encrypted (HTTPS) connection.
· HttpOnly – Client-side script cannot read the cookie value.
· Domain – Specifies the domain for which the cookie is valid.
· Path – Should be set to the application root rather than the web server root.
· SameSite – Used to mitigate the risk of cross-origin information leakage.
· Expires – Specifies how long the browser should keep a persistent cookie.
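As an added example (not code from the original post), the following Python sketch puts the session fixation, logout, timeout and cookie-attribute points above into a minimal server-side session store: a fresh ID is issued on login, IDs are destroyed on logout, validation enforces both an inactivity and an absolute timeout, and the Set-Cookie header carries the attributes listed. The cookie name, domain, path and timeout values are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60       # inactivity timeout in seconds (assumed policy value)
ABSOLUTE_TIMEOUT = 8 * 3600  # absolute timeout in seconds (assumed policy value)

class SessionStore:
    """Server-side session table keyed by a high-entropy session ID."""
    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so the timeouts can be tested

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def validate(self, sid):
        s = self._sessions.get(sid)  # unknown or already-invalidated ID -> None
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)  # expired: destroy it so it cannot be replayed
            return None
        s["last_seen"] = t  # activity resets the idle timer, never the absolute one
        return s

    def login(self, old_sid, user):
        # Fixation defence: discard the pre-authentication ID and issue a fresh one.
        self.invalidate(old_sid)
        return self.create(user)

    def invalidate(self, sid):
        # Logout: forget the ID server-side so a captured cookie is useless afterwards.
        self._sessions.pop(sid, None)

def session_cookie_header(sid, name="SESSIONID", domain="app.example.com", expires=None):
    c = SimpleCookie()
    c[name] = sid
    c[name]["secure"] = True        # only sent over HTTPS
    c[name]["httponly"] = True      # hidden from client-side script
    c[name]["samesite"] = "Strict"  # withheld from cross-site requests
    c[name]["domain"] = domain
    c[name]["path"] = "/app"        # application root, not the web server root
    if expires is not None:         # seconds from now; omit for a non-persistent cookie
        c[name]["expires"] = expires
    return c.output(header="Set-Cookie:")
```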