![Sessions Attack
Session poisoning :Example
Exploiting ambiguous or dual use of same session variable
Exploiting scripts allowing writes to arbitrary session variables
$var = $_GET["something"];
$_SESSION["$var"] = $var2;
vulnerable.php?something=SESSION_VAR_TO_POISON](https://image.slidesharecdn.com/s8-sessionmanagment-180425093546/85/S8-Session-Managment-31-320.jpg)
![Sessions Attack
Session poisoning :Example
Session poisoning attacks enabled by php.ini: register_globals = on
It is possible for attacker to cause both conditions to be false.
php.ini is misconfigured (register_globals = on), which allows $var default
value to be controlled by GPC (GET, POST, or COOKIE) input.
if ($condition1) { $var = 'SOMETHING'; };
if ($condition2) { $var = 'OTHER'; };
$_SESSION["$var"] = $var2;](https://image.slidesharecdn.com/s8-sessionmanagment-180425093546/85/S8-Session-Managment-32-320.jpg)
S8-Session Managment
- 1. Web Application Security (PHP) Zakieh Alizadeh [email protected] APA Laboratory – Ferdowsi University of Mashhad
- 4. Session Management Description Mechanism of Cookies Introducing Session Management Attacks Strategies Of Session Storage Session Management Testing Strategies for Secure Session Management
- 5. Mechanism of Cookies HTTP session token Problem : HTTP is stateless o Solution : HTTP Cookies The client usually stores cookies and sends the token as an o HTTP cookie o parameter in GET or POST queries.
- 6. Mechanism of Cookies What is Sessions A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between a computer and user . An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information. where the communication consists of independent requests with responses. Such as HTTP.
- 7. Mechanism of Cookies Session ID A session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session. A session ID is often a long, randomly generated string to decrease the brute-force search. The reason to use session tokens is : o client only has to handle the identifier (a small piece of data that hasn’t security risk) - all session data is stored on the server and is not transmit
- 8. Mechanism of Cookies HTTP session token
- 9. Mechanism of Cookies HTTP session token
- 10. Mechanism of Cookies HTTP session token
- 11. Http Cookies HTTP Cookies The following is a list of the attributes that can be set for each cookie : o secure - only send the cookie if the request is being sent over a secure channel such as HTTPS. o HttpOnly - it does not allow the cookie to be accessed via a client side script such as JavaScript. • Note that not all browsers support this functionality. o domain - compare against the domain of the server in which the URL is being requested
- 12. Http Cookies HTTP Cookies The following is a list of the attributes that can be set for each cookie : o path - In addition to the domain, the URL path can be specified for which the cookie is valid. If the domain and path match, then the cookie will be sent in the request. o expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded.
- 13. Http Cookies HTTP Cookies : PHP function session_set_cookie_params() The effect of this function only lasts for the duration of the script. Thus, you need to call it for every request and before session_start() is called. This function updates the runtime ini values of the corresponding PHP ini configuration session_set_cookie_params ($lifetime , $path , $domain, $secure = false , $httponly = false)
- 14. Http Cookies HTTP Cookies : PHP function setcookie() defines a cookie to be sent along with the rest of the HTTP headers. Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). Once the cookies have been set, they can be accessed on the next page load with the $_COOKIE Setcookie ( $name , $value , $expire = 0 , $path , $domain , $secure =false , $httponly = false )
- 15. Session Management Session management session management is the process of keeping track of a user's activity across sessions of interaction with the system.
- 16. Session Management Description Mechanism of Cookies Introducing Session Management Attacks Strategies Of Session Storage Session Management Testing Strategies for Secure Session Management
- 17. Session Attacks Sessions Attack Session Fixation Session Brute-Forcing Session Hijacking Session Poisoning
- 18. Sessions Attack Session fixation session fixation attacks allows one person to fixate (set) another person's session identifier (SID). Hacker abtains valid session witout hijacking or sniffing, he fix valid session for victim. Most rely on session identifiers being accepted from URLs (query string) or POST data.
- 19. Sessions Attack Session fixation Session fixation vulnerabilities occur when: A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user. An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- 20. Sessions Attack Session fixation 1 3 2 4 No new Cookie Set In HTTP Response successfully authenticate request
- 22. Sessions Attack Session fixation : Countermeasures Do not accept session identifiers from GET / POST variables Accept only server-generated SIDs Logout function Destroy session if Referrer is suspicious Time-out old SIDs Verify that additional information is consistent throughout session User Agent
- 23. Sessions Attack Session fixation : Defense in Depth Enable HTTPS (to protect against other problems) Correct configuration (do not accept external SIDs, set time-out, etc.) o Ini_set(“session_use_only_cookie”,1) Perform session_regeneration, support log-out, etc.
- 24. Sessions Attack Session hijacking session hijacking is the exploitation of a valid sessionID to gain unauthorized access to information or services in a computer system.
- 25. Sessions Attack Session hijacking : Methods Session fixation Session sidejacking o where the attacker uses packet sniffing o Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated.
- 26. Sessions Attack Session hijacking : Methods obtaining the file or memory contents of the appropriate part of either the user's computer or the server. Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
- 27. Sessions Attack Session hijacking : Countermeasures Provide a method for users to log out of the application. o Logging out button should clear o all session state and remove or invalidate any residual cookies. Set short expiry times on persistent cookies, no more than a day. Do not store session tokens in the URL or other trivially modified data entry point.
- 28. Sessions Attack Brute Force Session Identifier Session tokens are generated in o a predictable fashion o key space that is too small to prevent guessing a token in reasonable time. o The application does not detect and prevent session brute forcing attempts. A session ID must not be valid over two currently active SSL connections at the same time.
- 29. Sessions Attack Brute Force SessionID: Countermeasures Session identifiers should be at least 128 bits(32byte) long to prevent brute-force session guessing attacks. Limit the number of unique session tokens you see from the same IP address (ie 20 in thelast five minutes). Use Strong Session Cryptographic Algorithms o Use Framework session management impelemention
- 30. Sessions Attack Session poisoning This should actually be called session injection, as it is just one more variable injection type of attack. If you allow user input into session variables, make sure you validate the data. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.
- 31. Sessions Attack Session poisoning :Example Exploiting ambiguous or dual use of same session variable Exploiting scripts allowing writes to arbitrary session variables $var = $_GET["something"]; $_SESSION["$var"] = $var2; vulnerable.php?something=SESSION_VAR_TO_POISON
- 32. Sessions Attack Session poisoning :Example Session poisoning attacks enabled by php.ini: register_globals = on It is possible for attacker to cause both conditions to be false. php.ini is misconfigured (register_globals = on), which allows $var default value to be controlled by GPC (GET, POST, or COOKIE) input. if ($condition1) { $var = 'SOMETHING'; }; if ($condition2) { $var = 'OTHER'; }; $_SESSION["$var"] = $var2;
- 33. Session Storage Session Storage Sessions data can Store in : o Files (on server) o database. Sessions data that Storage in Files o Better performance ,But weak security Sessions data that Storage in Database o Better security,But weak performance
- 34. Session Management Description Mechanism of Cookies Introducing Session Management Attacks Strategies Of Session Storage Session Management Testing Strategies for Secure Session Management
- 35. Session Management Testing Session Management Testing Test Desc Testing for Session Management Schema 1-cookie collection: 2-cookie reverse engineering 3- cookie manipulation The session tokens tested for their randomness, uniqueness, resistance to statistical and cryptographic analysis Testing for Cookies attributes Testing for secure or httponly setting Are all Set-Cookie directives tagged as Secure? What Expires= times are used on persistent cookies Testing for Session Fixation no new cookie has been issued upon a successful authentication
- 36. Session Management Testing Session Management Testing Test Desc Testing for Exposed Session Variables How are Session IDs transferred? E.g., GET, POST, Form Field Are Session IDs always sent over encrypted transport by default? Testing for CSRF URL being tested; for example u = http://www.example.com/action build an html page containing the http request referencing URL u Regeneration of Session Tokens •Note the Session ID at the start and after every significant test transaction. If the session ID never changes,Application be at risk
- 37. Session Management Description Mechanism of Cookies Introducing Session Management Attacks Strategies Of Session Storage Session Management Testing Strategies for Secure Session Management
- 38. Session Management Session Management : Countermeasures Avoid Weak Session Cryptographic Algorithms Use Appropriate Key Space Impelement Session Time-out Regeneration of Session Tokens o prior to any significant transaction o after a certain number of requests o after as a function of time, say every 20 minutes or so. o Problem : when using third party software
- 39. Session Management Session Management : Countermeasures Using framework implementation session management. Authorization and role data should be stored on the server side only. Presentation flags (such as theme or user language) can belong in cookies. Tie the session to a particular browser by using a hash of the server-side IP address.