Embed Size (px)
DESCRIPTION
In part 7 of Web Application Security 101 we will explore the various security aspects of modern session management systems. We will particularly explore vulnerabilities such as weak session management and more. We will also look into session bruteforce attacks
Citation preview
Session ManagementAttacking the post-logging state management system.
BackgroundHTTP is stateless protocol.
Cookies were introduced to keep state.
But state can be tracked with other tools too.
Session Management Machinery
Client Server
GET /resource
SetCookie: cookie
Cookie: cookie
Cookie: cookie
Common AttacksSession Guessing
Session Hijacking
Session Fixation
Cross-site Request Forgery (CSRF)
Session GuessingCryptographically week.
Improper use of cryptography.
Not enough entropy.
AttacksAnalyzing the session entropy.
Finding session collisions.
Which Is The Weakest? Set-Cookie: SESID=1328802552... Set-Cookie: SESID=31b0b3ff82776a18a081973be4f8dd76... Set-Cookie: SESID=04ee313c76d3b90087bd333fe041b5c8f6dd19eb...
Session HijackingSessions are sent over HTTP.
Lack of secure flag.
Lack of HTTPOnly flag.
AttacksSniffing network traffic.
Hijacking the session via XSS.
Sniffing The Networksudo tcpdump -i en1 -w session.pcaptcpdump -r session.pcap -A | grep ‘Set-Cookie:’
tcpflow -i en1
Session FixationThe session is created before login.
The session is never expired.
The session is user controlled.
AttacksObtain a valid session and send it for the victim to authenticate.
Session Fixation In Action1. Ask for Cookie
2. Here is a Cookie
Attacker AppVictim
3. Set the Cookie 4. Use the Cookie
Cross-site Request ForgeryCookies are sent automatically.
AttacksForging of client-side requests.
CSRF In Action
Attacker Victim App
1. Authenticate
2. Visits Site
3. Sends Payload
Security ControlsStrong Session Token
Correct Same Origin Policy
Secure Flag
HTTPOnly Flag
Reduced Persistence
LabLet's do some session management attacks.
